Wanted: another 3mn cyber professionals

Governments and companies are still struggling to find cyber security staff after more than a decade in which demand has outstripped supply, and sent wages spiralling higher.

In 2022, the global shortage of cyber security professionals stood at 3.4mn, compared with a total cyber workforce of 4.7mn, according to research by ISC2, an association for cyber security professionals. The gap was particularly wide in the aerospace, government, education, insurance and transportation sectors, it found. To fill all the current vacancies, the workforce must grow by about 70 per cent, says ISC2 chief executive, Clar Rosso.

And the biggest skills shortages were in soft skills — communicating and dealing with other people — and cloud computing, according to separate global research by Isaca, another IT security association.

This inability to acquire and retain cyber security workers is already creating vulnerabilities in the private and public sectors. More than half of the respondents to ISC2 who reported workforce shortages said that staff deficits put their organisations at “moderate” or “extreme” risk of cyber attack.

In response to the heightened threat, fresh recruitment initiatives have been launched. ISC2 is offering an “entry level” certification in cyber security — part of a wider plan by the US government to partner with organisations and fill hundreds of thousands of vacancies. At the same time, smaller schemes — through institutions such as Toronto Metropolitan University — are retraining “mid-career” workers in cyber security and helping them find jobs in the industry.

However, despite these efforts to boost supply, competition to hire cyber security workers is still fierce — keeping salaries high. In 2022, average global salaries for cyber security professionals ranged between about $128,000 and $150,000, according to Statista, a research and data provider.

In this buoyant market, job candidates can dictate their employment terms. “[They] can choose where they work, and when they work, and how they work,” says Karoli Hindriks, chief executive of Jobbatical, an AI-powered platform that helps tech workers relocate.

But Michael Armer, chief information security officer at RingCentral, a California-based supplier of cloud-based communication products, says retention is more important than recruitment. For this reason, the company has developed a training programme for cyber security staff “almost like a mini MBA”, building skills in boardroom communication, risk assessment and calculating returns on investment.

“If you think about what keeps people in the same team it’s not just about compensation,” Armer says. “It’s also personal growth.”

Another way to plug gaps in cyber security skills is to recruit workers from outside the IT and cyber security industries.

Leonardo, one of Europe’s biggest defence companies, has hired former members of the military for its cyber security consultancy unit. “They have blown us away in how quickly they pick things up and also . . . their transferable skills,” says Dean Fortt, head of cyber in Leonardo’s UK human resources division.

The Italian company partners with WithYouWithMe, a data platform that helps organisations recruit technology workers from under-represented groups in society or within their existing workforce. The platform assesses candidates’ personality and skills, trains them and matches them with employers.

These skills need not be cyber specific. Anthony Young, co-chief executive of Bridewell, a UK cyber security services provider, finds some companies want applicants to have a lot of specialist certifications, which they probably do not need. “They are trying to get this unicorn,” he says. “Finding someone who does it all . . . is very difficult, if not impossible.”

Broad skills, such as business acumen and calmness under pressure, can be just as important in cyber security roles as technical skills, which candidates can be taught.

However, despite signs that the pool of candidates for cyber security roles is widening, there is room for improvement. Tia Hopkins, a cyber security executive and founder of Empow(H)er Cybersecurity — an organisation that helps women of colour into cyber security roles — says some organisations are only paying lip service to increasing the diversity of their cyber security hires.

She feels this is a mistake. “The adversary [cyber security criminals] is diverse and, if we’re going to keep up, we need diversity of thought, diversity of skills, diversity of background,” Hopkins says.