The cybersecurity skills gap has been well documented in recent years, but despite increased awareness of the scale of the problem, the growing demand for cybersecurity skills means the size of the challenge has certainly not diminished. For example, a recent report from the UK Government’s Department for Digital, Culture, Media and Sport found that more than half of businesses have a basic skills gap.
“That is, the people in charge of cybersecurity in these companies lack the confidence to perform the basic types of tasks defined in the government-approved Cyber Essentials program, and do not receive the support from external cybersecurity vendors,” the authors explain.
This includes fairly simple tasks, such as setting up a firewall effectively, storing personal data securely, and detecting and removing malware. Additionally, only a third of companies have more advanced skills associated with tasks such as forensic analysis and penetration testing.
Perhaps most worryingly, the report finds that the numbers for basic cybersecurity skills have not changed in the 4 years the government has been collecting data. Indeed, the authors claim that the number of companies lacking appropriate incident management skills has increased in recent years.
“Qualitative evidence continues to suggest, consistent with previous years, that corporate boards (outside of the cyber industry) lack understanding of cybersecurity,” the authors explain. “In particular, the interviews highlight a potential knowledge gap among C-suite decision makers tasked with overseeing cybersecurity.”
Lack of skills
Similar findings emerged from the Global Cybersecurity Workforce Study conducted by (ISC)², which found that the global cybersecurity workforce needs to grow by around 65% to ensure that organizations have adequate protection against the growing range of cyberattacks they face.
Researchers surveyed nearly 5,000 cyber professionals around the world to try to better understand the breadth and depth of cyber talent available to organizations, and in particular the supply of talent versus demand.
“For 2021, our study estimates there are 4.19 million cybersecurity professionals worldwide, an increase of over 700,000 from last year,” the authors explain. “In contrast, the Cybersecurity Workforce Gap is the number of additional professionals that organizations need to adequately defend their critical assets. For the second consecutive year, the [gap] declined to 2.72 million from 3.12 million last year.”
In other words, the researchers estimate that for organizations to be able to effectively defend their critical assets, the size of the global cybersecurity workforce will need to increase by approximately 65%. Fortunately, many of those already working in the sector seem happy with their lot, with around 77% saying they are satisfied with their jobs, an increase of about 10% on the same figure in 2019. This may have contributed to the 30% increase in the number of cyber professionals seen in the United States in 2021, but despite this, it is still not sufficient.
Fill the gap
So how are companies reacting to this? The UK report finds that around three-quarters of cyber businesses currently train their staff in cyber roles, but that figure drops to just 1 in 5 doing so in organizations outside the cyber sector. Additionally, of the roughly 20% who provide training to staff, only 12% say staff needs have been met.
The authors also report a relatively low level of training in key cybersecurity certifications, such as the Certified Information Systems Security Professional (CISSP), Cisco Certified Network Professional, and Cisco Certified Network Associate certifications. Organizations cite a lack of time to attend cybersecurity training, especially since it takes away time that could be spent earning income for their organization.
Awareness of cybersecurity training paths is also an issue in non-cyber companies, and a lack of continuous professional development cultures and routines is also common among digital teams in these companies. Add to this the often poor-quality cybersecurity training available in the external training market, and there is a clear lack of proper training and development.
Some employers have responded to this by conducting self-guided training, mentoring, job shadowing and other internal knowledge-sharing methods, but perhaps more tellingly, it is still incredibly rare for non-cyber organizations to offer cybersecurity training to non-IT personnel. Indeed, only 11% said they had done so in the past year. Even in larger organizations that could reasonably be considered to be more at risk (and with higher budgets), the figure was less than 50%. This has helped create a dangerous impression among staff that cybersecurity training is not something they need.
“Every cyber professional knows that the cyber skills shortage will only get worse before it gets better,” says Josh Kam, Director of BCG Platinion. “There are now short-term and long-term actions that organizations need to consider to close the skills gap.”