The cybersecurity discipline is faced with a chaotic moment: Companies are suffering from a shortage of cybersecurity workers and tighter security budgets. That combo means that cybersecurity specialists tend to be overworked and stressed.
The two forces have led to widely different environments for frontline cybersecurity workers. While there are 1.5 million cybersecurity professionals working in North America, there is a shortfall of 522,000 workers, according to the 2023 ISC2 Cybersecurity Workforce Study, published Oct. 31. Yet, because of economic uncertainty, companies are not prioritizing filling needed cybersecurity roles, with 47% of companies implementing a hiring freeze, budget cuts, or layoffs.
The workforce gap has led to more pressure on cybersecurity professionals. Security teams that have had layoffs, or just expect layoffs, have a much lower level of job satisfaction compared to those who have not had, nor expect to have, layoffs, the report stated.
The result is that cybersecurity staff sees more work, businesses are more likely to delay buying cybersecurity products, and security teams are less able to prepare for future threats, says Jon France, CISO for ISC2, a training and certification organization.
“The economic conditions globally are not helping, so while there is a defined need there — for skills and access to skills — the ability to recruit them economically is not there,” he says. “We’re seeing the macroeconomic environment putting pressure on budgets.”
Cybersecurity professionals’ concerns over job security, in the midst of a continued workforce shortage, are a departure from earlier this year, when a survey of 1,000 non-technical business leaders found that only 10% planned to reduce cybersecurity staffing. In the latest ISC2 workforce report, more than a fifth of respondents (22%) claimed that their cybersecurity group had suffered layoffs in the past 12 months.
Searching for solutions to budget-constrained cybersecurity requires CISOs to consider the skill shortage in their approach to everything, says Jon Oltsik, distinguished analyst for the Enterprise Strategy Group, a consultancy that published its own cyber workforce study, in partnership with the Information Systems Security Association (ISSA), earlier this year.
“You can’t hire your way out of the skills shortage, which impacts both staff size and advanced skills,” he says. “Some actions they can take include more process automation, buying more intelligent solutions — think AI and advanced analytics — and offloading some tasks or processes to managed services providers — all of these should be part of an enterprise security strategy.”
The Growing Gap
Information security certification associations have raised the issue of a shortage of cybersecurity workers for years. In 2021, for example, ISC2 put the gap at 2.7 million. Today, the gap stands at 4 million cybersecurity workers needed, according to the workforce report. Currently, about 1.3 million people work in cybersecurity in the US, nearly 1.5 million in North America, and 5.5 million worldwide, according to ISC2.
Companies tend to look for workers with the cybersecurity knowledge that they think they need, but public and private organizations need to get more workers into the pipeline at the entry level and then commit to developing their skills through training to solve the skills gap in the long term, says ISC2’s France.
“If all you’re going to look for is a unicorn — they are a very rare beast, and you’re going to struggle,” he says. “You’re better off looking for a slightly more junior person, and then have a commitment to train and develop their skillset. [Companies] need to try and change their appetite.”
It’s not just hiring — retaining workers is a challenge for many companies. Half of cybersecurity specialists predict that it is somewhat to very likely that they will leave their job this year, according to ESG’s Oltsik.
“Most go elsewhere and find a job that pays them more and has a better cybersecurity culture,” he says. “They tend to stay if they receive adequate compensation, work at an organization with strong cybersecurity, have career development and training opportunities, and work with a skilled team.”
Layoffs, Cutbacks, and Budget Cuts
Even with hiring and retention issues, the cybersecurity industry is not a stable employment landscape, according to the report. About half of companies (47%) have experienced some form of budget cutbacks impacting cybersecurity. A third of cybersecurity teams (32%) have had a hiring freeze, 30% face budget cuts, a quarter (26%) will have to give up promotions or raises, and 22% are facing layoffs, according to the 2023 study.
The industries seeing the most layoffs include entertainment and media (33%), construction (31%), and security software and hardware makers (31%).
Given the tension between budgetary concerns and significant need, filling employment gaps will likely require reaching out to nontraditional populations, going beyond training IT workers to move into security to instead focus on people with the right critical thinking skills and a learning mindset, says ISC2’s France.
“We need to open doors and get rid of some of those myths that you need a college degree for cybersecurity,” he says. “Previously, we tend to have looked at a very narrow group, either by demographic or by experience, and we should look in nontraditional places and at nontraditional people — they bring an awful lot to the table.”