Despite the total cybersecurity workforce reaching an all-time high of 4.7 million people, there is a global personnel gap of 3.4 million, according to a 2022 study by (ISC)2. With over 60% of corporate data stored in the cloud, a statistic that will continue to climb, addressing this gap will be critical in the coming years. New threats are emerging, such as AI, and many remain, like the breach of file transfer software MOVEit. As Russian cybersecurity and anti-virus vendor Kaspersky found in a June study, small and medium-sized businesses are too vulnerable to exploits, backdoors, and social engineering schemes.
Overcoming the cybersecurity workforce shortage is also important to company satisfaction. A 2022 study of chief information security officers by Heidrick & Struggles reported they are experiencing high levels of burnout (53%) and occupational stress (60%). What’s more, an inadequate workforce strains companies’ abilities to meet compliance guidelines on storing consumer data. This all results in productivity loss and stunted growth.
Experts disagree on the root causes of the issue. Those who point to a talent deficit often note the absence of thorough cybersecurity education in U.S. K-12 schools, which is corroborated by an Education Week survey from 2020. This, they say, fails to equip students with the knowledge to pursue future careers in cybersecurity and technology. Yet findings from the (ISC)2 study challenge these assertions, noting the talent problem was relatively minor. The most serious problems reported by the 11,000 professionals surveyed were insufficient training and a lack of opportunities for staff to grow.
Irrespective of the debate, enhanced cybersecurity learning opportunities are increasingly popular solutions. The University of Pittsburgh hosted a week-long workshop in mid-June for high school teachers made possible by the National Security Agency and National Science Foundation. Teachers learned key cybersecurity concepts, and were provided lectures and lab activities to bring back to students.
Also consider Google’s recent $20 million commitment to establish cybersecurity clinics at 20 U.S. higher education institutions in collaboration with the Consortium of Cybersecurity Clinics. The new clinics will offer students practical experience in providing free security support to hospitals, schools, and energy networks, among others. Google volunteers will also mentor the students to hone their skills. The consortium’s goal is to “launch a university, college, or community-based clinic in all 50 states by 2030,” according to their website. As of now, they’ve set up 12 clinics throughout 8 states, modeled after the long-established law and medical clinics, which provide essential services to local communities free of charge.
In a related approach, the U.K. government launched a free 14-week online training course, known as the Upskill in Cyber programme, developed to teach cybersecurity amateurs basic skills to begin new careers. It was just reported that a record 3,600 people applied. The programme was made possible by a collaboration with the SANS Institute, and was funded by the U.K.’s National Cyber Strategy. Additional U.K. government initiatives have included nine more cyber bootcamps and the CyberFirst bursary scheme, which offers financial support and apprenticeship opportunities to undergraduate students looking to have a career in cybersecurity.
The U.K.’s efforts resulted in approximately 5,800 new jobs in the cyber sector, according to the recent report on the Upskill in Cyber programme. However, a government report from May found that about 21,600 new jobs are needed to meet demand and counteract and that 51% of all U.K. businesses have a basic cyber skills gap. These shortcomings unlock pathways for private companies to complement government efforts in bolstering the cyber workforce and closing skills gaps. Where educational programs target a small subset of the population, these companies have a broader appeal.
One such example is CW Labs, a cybersecurity training startup which just unveiled its new headquarters in Cambridge, U.K. A few weeks ago, it announced it secured a seed-stage funding deal with an angel investor for an undisclosed amount to advance R&D and expand globally. The company also named Sumit Siddharth, the founder and director of IT security firm SecOps, as a new director. CW Labs offers several on-demand courses and practical labs, with 13 cyber certifications in cloud security, red teaming, evasion & exploitation, purple teaming, and ethical hacking. Users receive badges upon mastering key skills and completing learning modules.
Similarly, ThriveDX, another cybersecurity training company, rolled out its Cyber Academy to quickly train individuals for employment at its partner, CyberProof, a security services company. Companies looking for a free training solution can access Clark, which houses a selection of cybersecurity video modules, labs, and slides. The online platform, launched in 2018, also caters to novices and educators looking to advance their skills. It features materials from the National Security Agency, with courses such as Malware Analysis and Network Defense.
Other discussions have sought to address the demographics of cybersecurity workers. Passage, a Canadian immigration assistance company, secured $40 million in seed funding to address Canada’s skilled worker shortage, including cybersecurity workers. Meanwhile, Eric Swalwell, a Democratic congressman from California, advocated for more diversity in the cybersecurity workforce at a House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearing on June 22.
“We simply will not be able to close the gap between employer demand and the available talent pool if we do not do more to bring women, people of color, immigrants and other underrepresented groups into the cyber talent pipeline,” he said. Just 24% of the total global workforce are women, though. Tara Wisniewski, executive vice president for advocacy, global markets and member engagement at (ISC)2, also spoke in favor of diversity when testifying during the hearing, claiming it improves workplace dynamics and overall productivity.
During the hearing, the expectations gap theory arose. The idea is that hiring managers may hire workers with extensive experience thinking it is the best decision. However, hiring candidates on skills, not credentials alone, may prove to be more effective. Thus, increasing diversity also means opening up “accessible and inclusive pathways” to the cybersecurity profession, as noted by Microsoft in a recent blog regarding this issue.
A global cybersecurity workforce shortage in an age of profound threats poses a significant risk to digital infrastructure and national security. Recent initiatives have been successful at adding more jobs, but not at a fast enough rate to close the gap. Moving forward, government institutions and private enterprises will continue to develop new solutions and partnerships to solidify educational foundations, offer more practical learning opportunities, and champion diversity in the workplace.