The cybersecurity skills gap has been well documented in recent years, but despite increased awareness of the scale of the problem, the growing demand for cybersecurity skills has meant the size of the challenge has certainly not diminished. For instance, a recent report from the UK government’s Department for Digital, Culture, Media and Sport found that over half of businesses have a basic skills gap.
“That is, the people in charge of cyber security in those businesses lack the confidence to carry out the kinds of basic tasks laid out in the government-endorsed Cyber Essentials scheme, and are not getting support from external cyber security providers,” the authors explain.
That includes fairly straightforward tasks, such as configuring a firewall effectively, storing personal data securely, and detecting and removing malware. What’s more, just a third of businesses were found to have more advanced skills associated with tasks such as forensic analysis and penetration testing.
Perhaps most concerningly, the report reveals that the figures for basic cybersecurity skills haven’t changed in the 4 years in which the government has been collecting data. Indeed, if anything, the authors argue that the number of businesses without appropriate incident management skills has risen in recent years.
“The qualitative evidence continues to suggest, in line with previous years, that management boards (outside the cyber sector) lack an understanding of cyber security,” the authors explain. “In particular, the interviews highlight a potential knowledge deficit among c-suite decision-makers tasked with overseeing cyber security.”
Lack of skills
Similar findings emerged from the global Cybersecurity Workforce Study conducted by (ISC)², which found that the global cybersecurity workforce needs to grow by around 65% in order to ensure that organizations have adequate protection against the growing array of cyberattacks they face.
The researchers surveyed nearly 5,000 cyber professionals from around the world to try and better understand the breadth and depth of cyber talent available to organizations, and especially the supply of talent in comparison to the demand for it.
“For 2021, our study estimates there are 4.19 million cybersecurity professionals worldwide, which is an increase of more than 700,000 compared to last year,” the authors explain. “By contrast, the Cybersecurity Workforce Gap is the number of additional professionals that organizations need to adequately defend their critical assets. For the second consecutive year, the [gap] has decreased, down to 2.72 million compared to 3.12 million last year.”
In other words, the researchers believe that for organizations to be able to effectively defend their critical assets, the size of the global cybersecurity workforce will need to grow by around 65%. Somewhat pleasingly, many of those already working in the sector seem to be satisfied with their lot, with around 77% saying they were happy with their jobs. This is an increase of around 10% on the same figure in 2019. This has perhaps contributed to the 30% increase in the number of cyber professionals seen in the US during 2021, but despite this, it’s not enough.
Plugging the gap
So how are firms responding to this? The UK report reveals that around three-quarters of cyber firms are currently providing training for staff in cyber roles, but this plummets to just 1 in 5 doing so in organizations outside of the cyber sector. What’s more, of those 20% or so that are providing training to staff, just 12% say that the needs of staff have been met.
The authors also report a relatively low level of training towards key cybersecurity certifications, such as Certified Information Systems Security Professional (CISSP), Cisco Certified Network Professional, and Cisco Certified Network Associate. Organizations cite a lack of time to actually attend cybersecurity training, especially as doing so takes away from time that could be spent earning income for the organization.
Awareness of cybersecurity training pathways is also an issue in non-cyber firms, and a lack of continued professional development cultures and routines is also common among the digital teams in such firms. Couple this with the often low quality of cybersecurity training in the external training market and there is a clear lack of appropriate training and development going on.
Some employers responded to this by conducting self-guided training, mentoring, work shadowing, and other methods for sharing knowledge internally, but perhaps pertinently, it is still incredibly rare for non-cyber organizations to provide cybersecurity training for non-IT staff. Indeed, just 11% reported having done so in the last year. Even in larger organizations that might reasonably be thought of as being more at risk (and with higher budgets), the figure was below 50%. This helped to create a dangerous impression among staff that cybersecurity training is not something they need.
“Every cyber professional knows the cyber skills shortage will continue to get worse before it gets better,” Josh Kam, Principal at BCG Platinion, says. “There are now both short- and long-term actions for organizations to consider to bridge the cyber skills gap.”