As a growing number of hackers target companies, organisations and industries with debilitating attacks, more skilled cyber security workers are urgently needed to combat the threat.
ISC2, the world’s largest association of cyber professionals, estimates that the cyber security workforce in 2022 stood at about 4.7mn people globally. But a further 3.4mn roles remain unfilled. “The gap is massive,” says Clar Rosso, ISC2’s chief executive.
This shortfall is felt more acutely in countries such as India where digitisation is rapid. But even in the US, only 69 per cent of cyber roles are filled, according to Cyberseek, a website that provides data about the cyber security job market.
Beyond a talent shortfall, existing workers are underskilled. A UK government report this year found that 50 per cent of UK businesses — some 739,000 in total — have a basic cyber skills gap, meaning that those in charge of cyber security lack the confidence to carry out the technical measures that protect against the most common digital attacks.
Previously, it was thought that a company’s IT team could take care of all cyber security concerns. But “over time, it became clear that this needed specialised attention”, Rosso says, adding that, after some high-profile ransomware attacks over the past couple of years, “business executives are now paying attention”.
According to Rosso, there are particular areas where the demand for skills is growing. These include cloud security, as companies have increasingly moved to cloud environments since the pandemic catalysed the growth of remote and hybrid working. Another is automation, at a time of rapid developments in artificial intelligence and machine learning technologies, which can provide sophisticated tools for both hackers and defenders.
Roy Zur, chief executive of cyber security and digital skills provider ThriveDX, says that in some ways the skills shortage is a “self-inflicted problem” as companies seek applicants with a strict minimum level of experience. “You cannot solve the problem by circling only the existing people,” he says. “Companies need to change their mindset and understand that to solve this, they need to open the gates.”
One issue in particular is a lack of specialised and accelerated training schemes, despite strong demand from employers. According to cyber security provider Fortinet’s 2023 report on the sector’s skills gap, 90 per cent of cyber leaders seek technology-focused certification when hiring staff.
Zur says that university and college degrees are not an effective way to generate cyber talent, as they take too long and are often broad — in computer science or engineering, for example. Instead, he points to the success of Israel’s 8200 cyber warfare unit, which trains school-leavers in six to eight months. “You need more companies from the private sector to get into this space and educate people,” he says.
Similarly, Rosso argues that junior staffers should quickly be able to take on the bulk of basic cyber work — as long as they receive the right training. As a result, she advises businesses to “hire for the non-technical, mindset skills” — to recruit problem solvers, and analytical and critical thinkers — and then “train for the technical skills”.
ISC2 has created a new certification called Certified in Cyber Security, which aims to train applicants in the fundamentals of cyber security, such as incident response and network security. In its first year, more than 250,000 individuals have enrolled, a total ISC2 aims to increase to 1mn over time.
Meanwhile, governments are also beginning to take action. In the US, for example, the Biden administration in July launched its National Cyber Workforce and Education Strategy, designed to increase the number of suitably skilled workers by making cyber education and training more accessible and affordable.
In the UK, the government has introduced an “Upskill in Cyber” programme — a partnership with cyber security training company SANS Institute — which it says has reported a record number of applications.
Rosso says there should be more public-private partnerships and cross-industry collaboration, and also highlights the need to meet “longer-term” goals, such as “raising cyber literacy of schoolchildren, and C-suite and board of directors”.
But organisations must also cast their net more widely for talent, according to Claire Trachet, chief financial officer of cyber security platform YesWeHack, who says there is “a lack of diversity in the cyber security field, which exacerbates the skills gap by limiting the pool of talent”.
Trachet also notes that it is not just the shortage of skilled new recruits that needs addressing. “With the ever-changing landscape, the need to consistently upskill employees is essential for cyber security,” she says, urging companies to facilitate access to training so that staff can stay ahead of evolving threats. “Businesses should establish a culture where workers are constantly learning.”