Getty Images
Cybersecurity Workforce Must Grow 65% to Protect Critical Assets
The current cybersecurity workforce shortage may leave organizations open to more vulnerabilities and cyberattacks, (ISC)² suggests.
The cybersecurity workforce gap narrowed for the second consecutive year, but the global workforce still must grow by 65 percent in order to effectively defend critical assets and data, according to analysis from (ISC)².
(ISC)² collected survey data from over 4,500 cybersecurity professionals. Only 4 percent of respondents reported working in healthcare, which validates previous findings of inadequate IT staffing within the sector.
Lasting Consequences of a Cybersecurity Workforce Shortage
The cybersecurity workforce gap, which (ISC)² defines as the number of additional professionals that organizations need to adequately defend their critical assets, decreased from 2.12 million last year to 2.72 million this year. The study also revealed that in 2021, over three-quarters of respondents reported being satisfied or extremely satisfied with their jobs.
While this improvement in numbers and job satisfaction shows promise, increasing the workforce by 65 percent is not an easy task. As current cybersecurity professionals continue to work in the middle of the workforce shortage, negative consequences may emerge.
A workforce shortage can result in employee burnout, as exhibited by the current nationwide clinician shortage. For IT teams, the shortage could mean that employees are stretched too thin and may miss key vulnerabilities and suspicious network activity as a result.
Cyberattacks on the healthcare sectors are ramping up, which naturally requires a more robust IT security team. A report conducted by CyberMDX and Philips found that hospitals in particular are struggling with a cybersecurity talent shortage. Respondents reported struggling to fill jobs within 100 days of posting new roles.
Without proper staffing to account for common vulnerabilities, healthcare organizations may face risks to patient safety and costly recovery costs in the event of a cyberattack.
(ISC)² survey respondents reported misconfigured systems, not enough time to focus on risk management and assessment, slower patching of critical systems, and oversights in processes and procedures as a consequence of being short-staffed. Respondents also reported high rates of rushed deployments and the inability to remain aware of all active threats.
Lack of Diversity in the Cybersecurity Workforce Limits Potential
The report indicated that the global cybersecurity community is well-educated, technically grounded, and strongly compensated.
However, the field is about three-quarters male and Caucasian, which reveals significant missed opportunities for bright minds to join the field and contribute diverse perspectives.
A few government agencies and private sector organizations are actively trying to combat the lack of diversity in the cybersecurity workforce.
The Cybersecurity and Infrastructure Security Agency (CISA) recently awarded $2 million to two organizations to develop cyber workforce training programs in underserved communities in rural and urban areas.
The three-year pilot program, led by NPower and CyberWarrior, will focus on developing a comprehensive retention strategy and delivering accessible entry-level cybersecurity training while providing opportunities to underserved communities.
President Biden, along with a coalition of private companies, recently announced numerous national cybersecurity initiatives aimed at increasing the availability of cybersecurity training and education.
IBM pledged to train 150,000 people in cybersecurity skills over the next three years and partner with more than 20 Historically Black Colleges & Universities to establish Cybersecurity Leadership Centers. Girls Who Code announced that it will establish a micro-credentialing program for historically excluded groups in technology. In addition, Code.org said it will teach cybersecurity concepts to three million students over the next three years.
It is crucial that organizations acknowledge the lack of diversity in the cybersecurity workforce and work to improve it.
How Organizations Can Narrow the Gap
The study suggested that organizations begin by embracing diversity, equity, and inclusion (DEI).
“DEI is a catalyst for positive change,” the study asserted.
“Organizations that take a hard look at their own skills gap, reconsider the qualities that make a successful cybersecurity professional, focus on their people before technology and remove geographical barriers through remote work will tap into a broader pool of talent that opens up new possibilities. Cybersecurity professionals are not only aware of how DEI can contribute to solving the skills gap, but they expect their employers to act.”
Organizations should also consider prioritizing investments in existing staff before investing in technology to improve their security posture. By focusing on recruitment, development, and retention, organizations can build a cohesive team of competent cybersecurity professionals.
Survey respondents reported investing in training, providing more flexible working conditions, investing in DEI programs, and addressing pay gaps in order to address the workforce gap.
Organizations may also consider investing in automation technologies, cloud service providers, and involving cybersecurity staff earlier in product design and development to alleviate the challenges of the ongoing workforce shortage.