Cyber Employment 2024: Sky-High Expectations Fail Businesses & Job Seekers

Well-publicized estimates of a massive shortfall in cybersecurity workers have resulted in high expectations among job seekers in the field, but the reality often falls flat, because of a mismatch between companies' requirements and job seekers' skill sets.

It raises the question: Is the so-called cyber-worker shortage a real phenomenon that will dog companies in 2024?

On one hand, companies report facing difficulties in hiring knowledgeable cybersecurity professionals, with enough workers to satisfy only 72% of the demand, according to data provided by labor analyst firm Lightcast — a shortfall of nearly a half-million workers. But job seekers say that companies have unreasonable education, experience, and salary expectations. For example, the vast majority of job postings — about 85% — call for at least a bachelor's degree in computer science, cybersecurity, or other technical discipline, when historically only about 60% to 70% of cybersecurity workers have a college degree.

The result is that cybersecurity job seekers with the right education, technical skills, credentials, and professional network — what Lightcast calls "mercenaries" — have little problem getting hired, but the lion's share of hopefuls are finding less success, says Will Markow, vice president of applied research for the labor-data firm.

"There's an expectations gap that I think is leading to a lot of the confusion around whether or not there really is a talent shortage in cybersecurity," he says. "We often see, for example, that employers are requesting cybersecurity workers with a minimum of three- to five-years of prior work experience for jobs that probably could be performed by an entry-level worker."

The situation has left job seekers lashing out at companies, citing additional concerns to boot, like overly long interview processes and a lack of commitment to training. In a series of articles on Medium, for example, Ben Rothke, a New York-based information security manager, took umbrage with claims that there are millions of open cybersecurity jobs in need of filling, with no workers to join the workforce.

Technical responsibilities, such as operating and provisioning security infrastructure, are most in demand. Source: Cyberseek.org

There's also the question of salaries for the lucky few who do fit corporate requirements.

"People I know who are looking to find a position are struggling, and these are people with experience," he tells Dark Reading. "There is a shortage because good, highly technical people are hard to find, but there is also the issue that a lot of companies don't want to pay for people; they are just not paying, and I'd say that's the cause of probably half of the hiring issues."

One example: Many cybersecurity certifications require a minimum of five years of prior work experience — a CISSP certification, for example — but about 20% of cybersecurity job postings requiring such certifications are for entry-level, lower-paid jobs needing less than two years of experience, according to Lightcast's Markow.

What's a Shortage Anyway?

The mismatch between employers and job seekers has resulted in cybersecurity experts questioning the data. 

While a shortage is defined as "a lack of supply to fulfill demand," both of those quantities are very cloudy in the field of cybersecurity. For companies — the demand side of the equation — cybersecurity needs could be filled with a full-time employee, a third-party service, or potentially a product. And as discussed, the supply of available workers depends on worker skills and company requirements.

For those reasons, gauging the current cybersecurity workforce situation in the United States is difficult. There are currently about 1.2 million cybersecurity workers in the United States and about 570,000 cybersecurity-related jobs posted in the last year, according to Cyberseek, a information site collaboration between Lightcast, certification organization CompTIA, and the National Institute of Standards and Technology's National Institute for Cybersecurity Education (NICE). Lightcast de-duplicates jobs across multiple boards and tries to weed out job openings that are never filled. 

Cybersecurity certification providers ISC2 has similar numbers, estimating that there are 1.5 million cybersecurity workers in North America, with a shortfall of 522,000 workers, which results in 74% of demand being met.

However, with roughly 165 million workers in the US, according to the US Bureau of Labor Statistics, that means that about one in every 140 workers is responsible for cybersecurity as some part of their job description — a number that sounds high. In reality, only about 20% to 40% of those 1.2 million workers is a core cybersecurity worker — one that would have a title related to cybersecurity, says Lightcast's Markow.

"So those are folks like infosec analysts, cybersecurity architects and engineers, and CISOs," he says. "But then there's also what we call the cybersecurity-enabled workforce, and this usually encompasses a broader set of IT roles — and, in some cases, non-IT roles as well — who don't have cybersecurity as the core responsibility of their jobs."

Looking for Diamonds in the Rough

To expand their supply, companies should relax their requirements and look for workers who want to learn, rather than those who already have specific skills or credentials, says Lee Kushner, a former technical and cybersecurity recruiter of more than two decades. Hard technical skills — such as coding, architecture, infrastructure, specific technologies, and understanding how to secure them — remain in short supply.

"When it comes down to people with average skills, people who do not have very strong technical backgrounds, people who can talk about security, but not really do anything — we have tons of those people, and nobody really wants to hire them," he says. "People who really understand cloud security, product security; people that are really strong in how security works with engineering teams — that's really what's lacking."

A major issue is that training opportunities are in short supply, and companies do not want to necessarily invest in workers to give them the right skills. In addition, companies are often seeking unicorn cybersecurity skill sets, such as someone who is fluent in cloud security but also has a knowledge of the company's core business (retail, let's say), along with multiple certifications, a decade of experience, and the ability to be a "people person."

In 2024, Expect Demand to Decline — Maybe

Because the measure of cybersecurity job openings and demand are lagging behind the situation on the ground, recent tightening of budgets has meant that the job market is worse today than a year ago. 

High interest and inflation have taken a bite out of budgets, and companies are now starting to think more about cutting into their cybersecurity departments, even though some threats — such as ransomware — appear to be on the rise. A year ago, when fears of a recessions still dominated, only 10% of executives predicted cutting their cybersecurity workforce. Today, recession fears may be abating, but nearly half of executives expect to cut security workers, says Clar Rosso, CEO of certification organization ISC2.

"What's the root cause? The easy answer would be that bottom line pressures were far more steep than the executives we surveyed earlier in the year imagined," he says. "The crunchier cause might be that regardless of what leaders say, we still have work to do to help them understand the strategic value that cybersecurity plays in their businesses, and what is at risk when they cut cybersecurity resources."

Yet, while cybersecurity often is something that companies attempt to do without, the real world will always remind them that they need it, Lightcast's Markow says.

"There continue to be rising geopolitical tensions and uncertainties across the globe, and what we've seen historically is that when there are increases in geopolitical tensions, there are increases in demand for cybersecurity workers as a result of increased threats across the globe," he says.

Between the greater likelihood of a soft economic landing in 2024, and the ever-increasing threat landscape, demand for cybersecurity workers could continue to be strong in 2024, he adds.