Cybersecurity Talent Shortage Intensifies Despite Training Efforts
The U.S. cybersecurity talent shortage has nearly doubled since 2013 and is growing three times as fast as the shortage for other IT roles.
That’s according to a new report from Burning Glass Technologies. Despite a significant increase in the number of cybersecurity postsecondary programs and graduates since 2013, the pool of available talent for job openings has hardly budged since 2015.
Matthew Sigelman, Burning Glass’ CEO, tells us MSSPs are often early adopters of emerging security skills, frameworks and technologies, including many projected to grow the fastest — such as cloud security, IoT security and the NIST Cybersecurity Framework.
“Emerging skills such as these are often the rarest and hardest to fill, so MSSPs may be the only viable option for clients who can’t bring these skills in-house until they are more widely developed across the cybersecurity workforce,” he said. “It’s also worth noting that the demand for cybersecurity skills extends well beyond cybersecurity roles; in fact, nearly six in 10 jobs demanding cybersecurity skills are what we call cyber-enabled, meaning cybersecurity is only one part of a broader IT role. That means organizations that do specialize in security have an important role to play, not only in providing security, but also in cross-pollinating their expertise into the broader world of tech talent, training other workers to protect their workplace from cyberthreats.”
Cybersecurity jobs account for 13% of all IT jobs. On average, however, cybersecurity jobs take 20% longer to fill than other IT jobs. The tight hiring market is driving up salaries as the average advertised salary for a cybersecurity job is $93,540, 16% more than the average for all IT jobs.
Public cloud security and IoT are projected to be the fastest-growing skills in cybersecurity over the next five years.
“One important tactic would be to focus more on building talent rather than buying it,” Sigelman said. “Focusing on training up cyber-enabled workers and arming them with some of the hard-to-find credentials could pay big dividends. There’s a big advantage to developing workers whom you already know, and who know your clients, rather than always trying to recruit talent from outside. It’s an essential strategy to expand the talent pipeline.”
The industry increasingly is turning to automation in cybersecurity. Demand for automation skills in cybersecurity roles has risen 255% since 2013 and demand for risk management is up 133%.
“MSSPs may also offer services that automate lower-level tasks – such as those performed by junior security operations center (SOC) analysts – which can reduce the burden on existing workers and may be cheaper for clients than building automation tools themselves,” Sigelman said. “Other tactics include integrating cybersecurity training services into client offerings – which can yield additional revenue streams too – or loaning out cybersecurity experts to local training providers. Training the next generation of cybersecurity workers is uniquely challenging because cybersecurity experts have little financial incentive to trade a six-figure job for a college classroom, so reducing this friction will make it easier to build the cybersecurity workforce, which in turn will help MSSPs find their next generation of new recruits.”
In the meantime, more positions are left unfilled, teams are stretched and some things are left undone, Sigelman said.
“Employers are looking to automation to close some of the gap, but ultimately you need human beings on the virtual parapet, guarding against threats that change quickly,” he said. “If there aren’t enough watchers, some threats aren’t going to be spotted until it is too late.”
The cybersecurity talent shortage has impacted nearly three in four organizations, according to a global study of cybersecurity professionals by the Information Systems Security Association (ISSA) and Enterprise Strategy Group (ESG). Nearly half of respondents in that study have experienced at least one security incident during the past two years with serious ramifications, including lost productivity, disruption of business processes and systems, and breaches of confidential data.