How the skills shortage is threatening cyber security
By Jamal Elmellas, COO, Focus-on-Security
Finding sufficient talent has been a real problem in the cybersecurity sector for many years but, with demand growing on average 14 percent each year, the sector is fast approaching crisis point. The shortages are now becoming so acute that there’s a real risk they could jeopardise the ability to maintain adequate cyber defences in a situation that is only expected to get worse.
The sector requires 17,500 new entrants per annum yet, according to the DCMS ‘Understanding the Cyber Security Recruitment Pool’ report, only 7,500 are entering the profession. Of these, just over half are graduates (4,000), with the remainder made up of those who have upskilled, changed career or come through apprenticeships, revealing an annual shortfall of 10,000 and growing.
It’s a problem further exacerbated by a brain drain in the form of the Great Resignation, which has seen an exodus of workers following the pandemic. Stress and burnout are common complaints due to issues such as alert fatigue, with the Voice of the SOC Analyst report revealing that 71 percent feel stressed and 60 percent intend to resign over the course of the next year. That’s on top of those 4-7,000 who usually leave the profession to retire naturally.
Under resourced, over exposed
What this means in real terms is that there will be fewer hands at the pumps and a dearth of expertise, leaving organisations under-resourced and over-exposed. Consequently, when an incident does occur, it’s likely that it will prove harder to mitigate. In fact, a report from the World Economic Forum found that the majority said they would “find it challenging to respond to a cybersecurity incident owing to the shortage of skills within their team”.
There’s already evidence that this lack of people power is eroding cyber defences. The Cybersecurity Skills Gap Global Research Report found 80 percent of the organisations it surveyed worldwide had suffered one or more breaches that could be attributed to a lack of cybersecurity skills and 67 percent agreed that the shortage of qualified cybersecurity candidates was creating additional risk.
The report also looked at where those skills shortages were and found cloud security, security operations (i.e. SOC management, threat protection, endpoint security) and network security were the areas hardest to recruit for, suggesting these may well be the hardest hit. Interestingly, these are also the areas where we’ve seen the greatest automation over recent years, so could this provide an answer? Automation has the power to make a real and tangible difference in cybersecurity and, in the SOC Analyst survey, 66 percent said between 50-100 percent of their workload could be automated and that they would welcome this, particularly for repetitive manual tasks such as threat monitoring, triaging and reporting.
Robots to the rescue
Automation is also leading the charge in other areas, buoyed by the cloud. We’re seeing continuous monitoring solutions emerge, for example, in the form of Cloud Security Posture Management (CSPM) and also Continuous Automated Red Teaming (CART) for security testing and compliance. But the expectation is these tools will free up professionals and help them to specialise further, so that they’ll supplement manual resource rather than replace it, doing little to solve the skills crisis.
The reality is that there really is no substitute for human intuition and oversight when it comes to security, so as a sector we now need to think long and hard about how we will continue to ensure we have sufficient resources within the marketplace. Fighting over the same pool of talent from conventional routes such as universities is not sustainable and nor can we continue to favour technical skills and experience over tenacity and a willingness to learn.
It would seem we’re now at a tipping point in this regard, with the ISACA ‘State of the Cybersecurity Workforce’ survey revealing that, while experience, credentials and hands-on training were top factors in recruitment, other skills, from communication to critical thinking and problem solving, are now also being considered.
That said, a worrying trend is the expansive job remit. This is seeing many look for a ‘cyber unicorn’ who can deliver on multiple fronts, leading to unrealistic job descriptions. For example, there have been reports of job adverts for CISOs requesting penetration testing experience. Consequently, some job posts are going unfilled for over six months, not only due to the skills shortage but also due to these unrealistic expectations.
Recruitment and retention
A far more effective strategy is to refine the recruitment drive according to the market, seek to adapt the employment package to meet candidate needs, and to prioritise staff retention. We’ve already covered the changing skillsets and the need to think beyond certifications and experience, but what are candidates looking for and how can we improve retention?
Funnily enough, the answer to both those questions is the same because, salary aside, the top reason for changing jobs given by candidates is career progression. It’s a topic seldom dealt with at interview and often neglected during employment reviews, as evidenced in the ISSA survey that found 82 percent were dissatisfied because there was insufficient capacity within their role to develop their skills.
It’s also one of the areas the security sector really struggles with, which is why the Cyber Pathways initiative, currently being thrashed out by the UK Cyber Security Council, is to be welcomed. The framework aims to align particular skillsets with job roles to provide employees with clear career objectives but it will also allow organisations to create career development programs and make it much easier to progress through the ranks. The pathways are currently being developed following a consultation earlier this year but expectations are these will be in place by 2025.
In the meantime, employers will need to adopt a more expansive approach and widen their remit so that they can harness raw talent. It’s worth remembering that many of the industry veterans we have today started out in other sectors. They’re self-starters who often taught themselves and were able to climb the ladder due to their zeal and determination. It’s that willingness to learn and natural aptitude that employers need to tap into once again, both to fill the skills gap and to protect their defences.
About the Author
Jamal Elmellas is Chief Operating Officer for Focus-on-Security, the cyber security recruitment agency, where he oversees selection and recruitment services. He previously founded and was CTO of a successful security consultancy where he delivered secure ICT services for government and private sector organisations. Jamal has almost 20 years’ experience in the field and is an ex-CLAS consultant and a Cisco- and Checkpoint-certified practitioner. Jamal can be reached at and at the company website