In this interview with Help Net Security, Jon France, CISO at ISC2, talks about expanding the cybersecurity talent pool. He outlines the challenges organizations face, including budget constraints and limited entry-level opportunities. He also points out the urgent need to upskill current employees and adopt inclusive hiring practices to address the growing skills gap in the industry.
The ISC2 report indicates that cybersecurity talent growth may be becoming more stable. What are the main reasons for this slowdown and how does it impact organizations?
A first look at the 2024 ISC2 Cybersecurity Talent Survey reveals slowing cybersecurity talent growth, primarily due to economic uncertainty. This has led to a lack of opportunities for new talent to enter the workforce and limited opportunities to address existing skills gaps. As a result, the global active cyber talent pool is estimated to have grown by just 0.1% over the past year, remaining relatively flat at approximately 5.5 million professionals. This contrasts with the 8.7% growth reported in 2023.
While economic cost-cutting has helped existing roles in cybersecurity remain relevant to a greater extent than other fields, limited workforce growth has virtually halted the creation of new job opportunities. While the trends vary by region, the big picture is clear: the demand for cybersecurity professionals far outstrips the current supply.
This slow growth in the workforce has significant implications for organizations. According to our research, 90% face a cybersecurity skills shortage, and 67% report a shortage of cybersecurity professionals. This gap is estimated to reach an all-time high in 2024, with an additional 4.8 million professionals needed worldwide, a 19% increase from the previous year.
The talent shortage is putting a huge strain on cybersecurity teams, leaving them short of resources at a time when organizations are highly vulnerable to costly cyber incidents. With fewer experts available to keep them secure, the risk of disruption, financial loss, and reputational damage is increasing. This year, 74% of experts reported that the current threat landscape is the most severe in the past five years. As pressure on experts increases, organizations must prioritize providing more entry-level opportunities for new talent and investing in upskilling current employees to meet evolving security challenges.
What are the main challenges companies face when recruiting cybersecurity talent? Are there any particular barriers, such as compensation expectations, a shortage of experienced candidates, or competition from other sectors?
One of the main challenges companies face when recruiting cybersecurity talent is budget constraints. For the first time, “lack of budget” surpassed “lack of qualified talent” as the top cause of talent shortages. Despite an increasing demand for skilled professionals, economic pressures are limiting organizations’ ability to invest in their cybersecurity teams. As a result, 38% of organizations are experiencing a hiring freeze (up 6% from 2023). This reflects a broader trend of economic factors impacting talent development across the industry. Layoffs, budget cuts and stalled promotions are all impacting existing cybersecurity professionals.
In Europe, the top three causes of the skills shortage are difficulty finding candidates with the right skills (33%), limited budgets (29%), and IT departments adopting new technologies without the expertise (29%). This points to a shortage of skilled candidates, but there’s also a disconnect between what hiring managers are looking for and what experts believe is in demand. For example, experts rate AI and cloud computing skills highly, but hiring managers rate them much lower.
To overcome this mismatch, organizations need to develop clear, realistic job descriptions that articulate the skills required of candidates and the skills the job will provide. Improving communication between hiring managers and cybersecurity professionals is essential to align expectations and reduce barriers to entry, especially around requirements for excessive years of experience or specific industry certifications.
How important is upskilling and reskilling your current workforce in addressing the cybersecurity skills gap? What initiatives and programs have been effective in this area?
Upskilling and reskilling current employees is essential to close the skills gap and keep organizations safe amid an evolving threat environment. When organizations are unable to fill critical cybersecurity roles, they face increased workloads and become vulnerable to incidents and financial risks. Developing the talent of existing employees not only helps fill these gaps, but also mitigates the impacts of unfilled roles, including increased strain on teams and burnout.
More than half (58%) of cybersecurity professionals globally believe that a skills shortage poses a significant risk to their organization, with 64% saying that the skills gap is a bigger challenge than a talent shortage. The most significant gaps identified are in skills for AI (34%), cloud security (30%), zero trust (27%), digital forensics (25%) and application security (24%). Organizations need to focus on these areas by upskilling and reskilling their current employees in these in-demand skill sets, which will be key to addressing the broader skills gap.
Continuing professional development through certifications and education programs is essential for cybersecurity professionals to remain competitive and relevant. By prioritizing upskilling efforts, organizations can not only address immediate security concerns, but also future-proof their teams in an increasingly complex digital environment.
How can organizations effectively attract and retain more diverse talent in the cybersecurity field? What are some success stories you have seen so far?
To attract and retain diverse cybersecurity talent, organizations must focus on inclusive hiring practices and invest in skills development. One key strategy is to move away from pre-qualification requirements to offering on-the-job training, especially for entry-level positions. This approach not only benefits small and medium-sized businesses with limited budgets, but also allows companies to customize training to their unique needs. Programs such as ISC2’s One Million Certified in Cybersecurity aim to expand the talent pool by providing free training and certification to entry-level professionals, allowing more people from diverse backgrounds to enter the field.
Successful organizations also address the gap between recruiter expectations and what candidates are looking for. Clear, realistic job descriptions help attract a wider range of candidates by focusing on the skills that can be developed in the role, rather than asking for extensive technical experience. This helps companies access a wider talent pool, including underrepresented groups, by emphasizing potential over existing experience and qualifications.
Additionally, fostering an inclusive workplace culture is important. Companies that are successful in recruiting and retaining diverse talent invest in diversity, equity, and inclusion (DEI) initiatives, setting measurable diversity goals, and expanding recruiting efforts beyond traditional job portals. Mentorship programs and leadership DEI efforts help underrepresented groups feel valued, promoting talent retention and long-term career growth in the cybersecurity field.
Given current trends and initiatives, where do you see the cybersecurity skills gap headed over the next 5 to 10 years?
After two years of cuts in investment in recruiting and professional development, organizations now face severe skills shortages and understaffing of their cybersecurity teams – challenges that increase risk and further strain existing resources.
Looking to the future, I am cautiously optimistic. Over the next 5 to 10 years, I expect the skills gap will begin to close as more organizations realize the critical importance of continued investment in workforce development. Cybersecurity is no longer a “nice to have” – it has become a business imperative. With global volatility and emerging technologies such as AI creating increasingly complex threats, organizations must prioritize cybersecurity as a core part of their strategy.
Organizations should also focus on expanding entry-level opportunities, upskilling current employees, and building a more diverse talent pipeline to close the widening skills gap. As more companies commit to developing their cybersecurity talent and cross-department collaboration leads to more cybersecurity careers, a more diverse talent pool is likely to result. Investing in the next generation of cyber professionals will ensure employees are equipped to meet evolving challenges and keep critical assets safe.