Cyber professional shortfall hits 3.4 million

The global cyber security skills shortage shows no signs of abating, with the estimated shortfall of security professionals growing by 700,000 or 26% in the past 12 months from 2.7 million to 3.4 million, according to the latest annual sector assessment by certification body and professional association (ISC)².

In its 2022 Cybersecurity workforce study, (ISC)² found that even though there are now 4.7 million active security professionals worldwide – up 460,000 on 2021 – skyrocketing demand for their labour among organisations spooked by the increasingly active threat environment means training and accreditation schemes are struggling to fill the pipeline.

In the UK specifically, (ISC)² assessed that there are about 339,000 cyber professionals, up 13% year on year, but there is a shortfall of 56,811 workers, up over 70% year on year.

“As a result of geopolitical tensions and macroeconomic instability, alongside high-profile data breaches and growing physical security challenges, there is a greater focus on cyber security and increasing demand for professionals within the field,” said Clar Rosso, CEO of (ISC)².

“The study shows us that retaining and attracting strong talent is more important than ever. Professionals are saying loud and clear that corporate culture, experience, training and education investment and mentorship are paramount to keeping your team motivated, engaged and effective.”

Almost three-quarters of respondents in the (ISC)² study said their organisation did not have enough cyber security employees and more than half of those experiencing workforce shortages felt the staff deficit put them at increased risk of an incident. Concerns including a lack of time for proper cyber risk assessment or management, increased oversights in processes and procedures, a lag in patching critical systems, a lack of time and resource for appropriate training, and system misconfigurations.

Respondents who indicated their organisation had a shortage of security staff tended to cite difficulty in finding qualified talent, heightened attrition and turnover among existing security staff, lack of hiring budget and lack of opportunities for growth or promotion. A significant number also said their employer didn’t pay competitive wages.

(ISC)² suggested the path forward seemed to be not through external recruitment initiatives, but through training internal talent, rotating job responsibilities, mentorship programmes, or encouraging employees outside the IT or cyber function to join the field.

It said its findings showed that organisations that went down this path tended to be less likely to experience staff shortages.

For those within the industry, the annual study found that job satisfaction tended to be high, with 75% saying they were either somewhat or very satisfied with their job and passionate about their work. Respondents tended to be less satisfied with their specific teams, departments and overall organisations, but where they did report issues, these tended to stem from workplace culture, rather than the nature of cyber security work itself.

Where cyber professionals did move on, they tended to either cite growth opportunities, such as increased pay, promotion or career growth, or a negative workplace culture, burn-out or poor work-life balance.

Security pros also tended to be overwhelmingly positive about remote working, which has been widely adopted within the sector during the pandemic. Less than a quarter of security pros worked from home before Covid-19, but 55% do now, and more than half of those would consider quitting if they were no longer allowed to do so.

Among other things, security pros tended to rate themselves as more productive when allowed to work remotely, although those in managerial roles tended to disagree with this. They also cited being able to work remotely as helpful in avoiding burn-out.

The (ISC)² study also looked at issues around an apparent generational divide that seems to be emerging in the sector, with cyber pros aged under 30 found to be much more likely to consider issues such as diversity, equity and inclusion (DEI), emotional health, and having more of a voice within the organisation to be more of a priority.

Younger security staffers tended to worry about what they perceived as a cultural gap, with longer-serving colleagues and the profession in general accused of creating a culture of gatekeeping – for example, artificial barriers such as demands for education or certification – that hinder their advancement.

The divide was most noticeable when it came to DEI within the security sector – something else the survey looked into – and this is most likely down to both generational culture changes and demographic change.

For example, women now account for 30% of cyber pros aged under 30, but just 14% of those aged over 60, while people from a black, Asian or minority ethnic (BAME) background made up 49% of cyber pros aged under 30, but just 19% of those aged over 60.

The survey also found that the industry still has an inclusivity problem, with significant numbers of women and BAME cyber pros saying they felt discriminated against at work, while many others said they didn’t feel able to be their authentic selves in the workplace, particularly when it came to neurodiversity, disability or sexual or gender identity.

(ISC)² said it found organisations that paid more attention to DEI, and implemented DEI training and programmes, were also less likely to experience a shortage of security staff – 19%, compared to 34% that did not.