Managers and executives don’t have to look much further than their own organizations to understand the IT security talent pool has dried up.
According to EMSI Burning Glass, there were 77,523 cybersecurity postings in February — up 31% from December 2021 and up 74% year over year.
As the threat level rises, organizations are looking for more talent to shore up defenses. The challenge in this hunt for security professionals is that there are considerably more job openings than there are qualified candidates to fill them. Cyberseek, an interactive cybersecurity research talent portal, shared that, on average, 68 candidates apply for every 100 openings.
Aside from a shortage in applicants, the “Great Resignation” has also impacted this space. Current cybersecurity professionals are reevaluating their roles, compensation, and work-life balance to determine if other options in the market might be worth a look. Between organizations rushing to the cloud and the fallout of sending entire workforces to remote work with little to no preparation, cybersecurity professionals across the board are burnt out, left struggling to hold security postures with inadequate tools, and concerned that their organizations are ripe for a breach — especially amid the continued threat escalation with Russia.
Forbes has reported the skills gap continues to widen. With the continued scarcity of talent, organizations are expected to struggle to retain and attract security professionals, with a predicted 3.5 million vacancies by 2025. These vacancies range from CISSPs to entry-level data analysts that continue to be in high demand. Although big tech companies, like Microsoft, Google, and IBM, are working with community colleges to train students, the gap is not closing fast enough.
The White House is even partnering with code.org to inspire students in K-12 to take an interest in the field and become the next generation of cybercrime fighters. What’s missing from this mix is investment in cybersecurity professional development through tuition reimbursement, loan forgiveness, and company-assisted support. To stay up to date, current security professionals must invest thousands of dollars out of pocket for additional training and continuing education units (CEUs) to maintain cybersecurity certifications. For example, suppose an organization provides employees with $500.00 of tuition assistance per year. That type of assistance partially covers a single course.
In most cases, cybersecurity professionals take seven to 15 industry courses a year to stay relevant in technology and maintain current certifications. This often takes place outside of work hours and shifts the burden of the cost associated with training to the individual. This practice must change in order for professionals to train at the scale required by the needs of the current threat climate.
Ramifications of talent shortage
The ramifications of this talent shortage are significant. Current security teams are overworked, lack work-life balance, and are stressed out by attempting to protect understaffed organizations. This, combined with the increased demands due to the elevated threat landscape, is stretching teams to the breaking point. At some point, pay and benefits do not equal the stress and the sheer number of hours required.
ThreatConnect reports in a recent survey that 41% of organizations do not have a formalized process to evaluate risk. Without a clear understanding of risk, how do professionals execute on securing environments? This adds to the already difficult task of maintaining a layered defense strategy.
The Bureau of Labor Statistics predicts that demand for cybersecurity roles will grow 33% over the next eight years. With retention issues and labor shortages, organizations will either revisit compensation, training reimbursement, and work-life balance or continue to experience challenges filling open positions and predictable turnover of key cybersecurity staff. McAfee conducted a survey of over 500 cybersecurity professionals, and 89% responded they would leave their current employer for better incentives.
If you are an employer, you need to ask yourself, can your organization afford to turn over your current cybersecurity talent? Is the organization providing an environment that retains existing employees and attracts new talent? Do not wait for the resignations of key employees to start figuring this out.