Cybersecurity Skills Gap: More Important Than Ever


The Economic, Skills, and AI Challenges of the Global Cybersecurity Workforce



On October 31, 2023, ISC2 released its 2023 workforce study, in which 14,865 industry professionals from around the globe were surveyed on a variety of topics relating specifically to the cybersecurity field.

The complete report is not too long, only 84 pages, but it is a document packed with a lot of information that is highly beneficial to those who are currently trying to break into the cybersecurity industry.

ISC2's findings focus not only on the volatility of the job market but also on what organizations currently need in terms of skills, and what they believe the biggest challenges will be in the coming years. The organization found that "...92% report having skill gaps in their organization -- the most common being cloud computing security, AI/ML and Zero Trust implementation..." (page 5).

Many respondents answered that their organization's security team has one or more skill gaps. Cloud computing security, AI/ML, and Zero Trust implementation are the top 3, respectively, with cloud computing security leading the list at 35%. Figure 16 enumerates the top 10 skills; the remainder are Penetration Testing; Application Security; Digital Forensics and Incident Response; Risk Assessment, Analysis and Management; Security Engineering; Threat Intelligence Analysis; and Malware research/analysis.

With this report, readers are given precise instructions, for lack of a better word, for how to tailor their learning journey when trying to land a position as a cybersecurity professional. One question asked by ISC2, "If you were to design your ideal cybersecurity candidate, which of these things would you prefer?" (page 57), gave very illuminating answers. 70% of respondents stated they prefer entry-level cybersecurity experience, while 30% answered they want entry-level degrees (e.g., bachelor's degrees in a related field or basic certification). 63% prefer mid-level (non-cyber) experience, compared to 37% who said they prefer entry-level cybersecurity experience (1 to 3 years). According to 86%, senior-level security experience is more valuable than an advanced doctoral degree. "Certifications are more valuable than independent experience" according to 54% of participants, and 66% stated certifications are more valuable than an entry-level degree. In this case "independent experience" means hackathons, CTFs, etc.

What surprised me the most from these numbers is that many professionals would prefer somebody who has work experience, even if that experience is not necessarily in cyber. Further down the document, hiring managers who participated in the survey do clarify that a person with technical skills is highly desirable and sought after, which makes sense considering Pentesting and Application Security are in the top 5 of the skills gap listed earlier in the report. Another surprise is that, given the choice between a candidate who has a bachelor's degree and one who has industry certifications, many would choose the person with certifications.

I highly recommend reading the full analysis to understand the bigger picture of the cybersecurity landscape in 2023 and beyond.

My key takeaways are the following. If you are somebody who is currently pursuing a bachelor's degree in Cybersecurity or Information Systems/Technology, supplement your learning with certifications. Whether they are vendor-neutral or not, having them will make you stand out in the eyes of hiring managers. Skills and experience of course trump all, so if you are a current student in university, take advantage of the many internship opportunities offered by companies. Some industries to look into are healthcare, military, energy/power, government and manufacturing. These are the top 5 industries, according to ISC2's report, where the threat landscape is the most challenging it's been in the past 5 years.

What about those who are not students? If you are a working professional in a non-cyber role, ask your current company about possible cross-training with the security department, or about reimbursement for any certifications or outside upskilling training you decide to pursue.

For those who are not in the tech field at all and maybe do not want to pursue higher education, all hope is not lost! There are still many apprenticeship opportunities available. I do not recommend attending any bootcamp at all. If you have a library card, you can access Udemy courses for free online. Likewise for all courses on LinkedIn Learning. I recently found out that New York residents have access to all Coursera certificates and courses for free. The state of Texas also offers free online training for its residents. Cisco's Skills for All has many free courses through its website, which include but are not limited to Python Essentials, JavaScript Essentials, as well as an entire Ethical Hacker course. There are many blogs, forum posts, and YouTube videos that will give you many project ideas you can work on to strengthen your skills and build a portfolio you can showcase when applying for jobs.

With this report, ISC2 has given professionals a realistic view of the landscape of cybersecurity, clear steps we can take to make ourselves invaluable assets to organizations, and how to stay current with the trends of cybersecurity in many different industries.