A recent data analysis from CyberSeek confirmed what many cybersecurity experts know all too well: the job market is on fire.
U.S. employers posted approximately 715,000 cybersecurity jobs in the 12-month period ending April 2022. Demand for cybersecurity jobs increased 43% over this 12-month period, compared to 18% for the rest of the labor market.
“The growth rate is one of the fastest we’ve ever seen,” said Will Markow, vice president of applied research, talent for Lightcast, one of three industry partners behind CyberSeek. “In the first four months of 2022, each month broke the previous month’s record for the most jobs tracked.”
The high demand comes at a cost, however. Cybersecurity jobs take 21% longer to fill than other IT positions, and cybersecurity salaries have grown up to 10% more than IT salaries, Markow said. Only two states — Maine and Wyoming — are not reporting a talent shortage.
And for every 100 posted jobs, there are only 66 workers available to fill them.
“That means we’re entering the cybersecurity battlefield with a third of our military sidelined,” he said.
Too many companies looking for unicorns
Many companies cite a lack of talent for their inability to fill cybersecurity roles – but a big part of the problem may be that hiring managers are looking for more than they can find.
The latest ISACA State of Cybersecurity report found that more than 60% of organizations have cybersecurity vacancies and understaffed teams.
The top skills gap, cited by more than half of cybersecurity professionals surveyed, relates to soft skills such as problem solving, critical thinking, and communication. However, the primary factor used to determine if a candidate is qualified is prior hands-on cybersecurity experience, followed by credentials.
“There are nearly a million jobs open – but no one is willing to hire juniors,” said Jenai Marinkovic, member of ISACA’s Emerging Trends Task Force and virtual CISO/CTO at Tiro Security.
On a philosophical level, this makes sense. In an ever-expanding cyber threat landscape and with increased scrutiny of cybersecurity practices among government entities as well as customers, few companies are willing to entrust someone with only a few months of experience with the responsibility of protecting valuable digital assets, Markow said.
However, this often leads to what Jon France, CISO of (ISC)2, described as “job description abuse”.
An entry-level role, for example, will require a Certified Information Systems Security Professional (CISSP) certification – which itself requires five years of industry experience and a passing score on the CISSP exam.
“There’s fierce competition for the unicorn that’s at a higher level, but since it’s such a tough market, you need to balance your recruiting between newbies and those who are more experienced,” France said.
More entry-level certification and training
Such lofty requirements are unrealistic. To begin with, the recent (ISC)2 Cybersecurity Hiring Guide found that approximately 62% of cybersecurity professionals in the United States had fewer than four years of experience.
Additionally, more than 137,000 cybersecurity job postings in the United States over the past 12 months asked for CISSP certification, Markow said, citing data from CyberSeek. But fewer than 95,000 workers hold the certification.
“It really benefits employers to think carefully about the skill sets and credentials they’re asking for,” Markow said. “We need to widen the opening of employment to attract workers from more diverse backgrounds of experience and education. Employers want someone with at least a bachelor’s degree on the job, but we can’t wait four years for the next wave of workers.”
Marinkovic sees the same thing: “We see a decrease in the number of people asking for diplomas, but it is difficult to get rid of this bias. Cybersecurity tends to be monolithic in its way of thinking.”
One approach to meeting this need is entry-level certification. (ISC)2 is piloting such a program, which targets students as well as those looking to enter cybersecurity from another industry.
“We need to look at other sectors and attract people interested in changing careers,” France said. “Being new to cybersecurity doesn’t necessarily mean being young.”
Marinkovic, through her work as executive director of GRC for Intelligent Ecosystems (GRCIE), has developed 6-month courses to prepare women, minorities, and others from underserved communities for entry-level cybersecurity positions.
The training emphasizes both hard skills – particularly risk assessments and regulatory frameworks – as well as soft skills such as communication and conflict resolution.
Internal moves can mitigate the impact of the talent shortage
On-the-job training is both essential and undervalued. An (ISC)2 survey found that around two-thirds of companies think it takes new cybersecurity staff members nine months to work independently.
For many leadership positions, that’s too much time. “Sometimes you just have to bring bodies in, and it’s a trial by fire,” Marinkovic said. “If it takes at least six months for someone to be ready to do the job, and if you’re already underwater and under-skilled, having to onboard someone when you’re already working 100 hours a week is going to impact your efficiency.”
To shorten the learning curve for new cybersecurity professionals, Markow observed a trend for companies to seek internal candidates with transferable skills. This way, they only need “last mile” training to transition into a cybersecurity role.
As a bonus, they already know the company’s tech stack and corporate culture.
“It’s a very effective way for organizations to expand the talent pool,” he said. “It helps retain employees by giving them more mobility, and it’s an effective way to increase the diversity of the candidate pool.”
Additionally, Markow has seen companies “distribute” cybersecurity tasks, for example by encouraging IT project managers and software engineers to proactively integrate security into the software development cycle.
“When security is integrated into these day-to-day tasks, it makes the whole organization more secure – and it creates more of these skill-adjacent cybersecurity worker pools,” he said.