The demand for cybersecurity professionals continues to outpace available supply. Although more than 700,000 professionals joined the field in 2021, the cybersecurity workforce gap stands at 2.72 million worldwide, according to the (ISC)² 2021 Cybersecurity Workforce Study.
Cybersecurity staffing shortages have real-life consequences, including more breaches and data theft. However, the real impact is more nuanced — and more fundamental to cyber defense for organizations and nations. To more fully understand the impact of staffing shortages on practicing cybersecurity professionals and their organizations, we expanded our research.
Breaking Down the Cybersecurity Workforce Gap
According to the (ISC)² study, 67% of cybersecurity professionals report a cybersecurity workforce shortage at their organization, and that shortage translates into increased cyber risk. Sixty percent of these professionals believe their organization is at extreme or moderate risk of a cyberattack. Certainly, every organization carries some degree of risk, but risk is amplified in organizations with inadequately staffed teams that may lack the tools or resources to protect the organization.
While the cybersecurity workforce gap shrank this year, it remains a looming challenge. Breaking the gap down into functional areas and by role helps determine where new entrants and career changers can make a significant difference. To better understand where the gaps are, we used the NICE Framework, which describes seven high-level groupings of common cybersecurity job functions, more than 30 distinct areas of specialization, and more than 50 detailed work roles.
All areas of cybersecurity are affected by the workforce gap; however, the following are the top three functional areas where cybersecurity professionals believe workforce needs are dire: securely provision (48%), analyze (47%), and protect and defend (47%).
Impact of the Cybersecurity Workforce Gap on Cybersecurity Professionals
The study confirmed that there are tangible negative consequences when cybersecurity staff is stretched thin. When asked what issues could have been prevented if their organizations hadn't been short-staffed, cybersecurity professionals' top responses were:
- Misconfigured systems (32%)
- Not enough time for risk assessment and management (30%)
- Slow to patch critical systems (29%)
- Oversights in process and procedure (28%)
- Rushed deployments (27%)
Several of these issues are among the most commonly reported root causes of data breaches and ransomware attacks. What all of this boils down to, at current levels of resources, is that there simply are not enough people or hours in the day to defend effectively against our adversaries.
This is not the fault of practicing cybersecurity professionals. Many organizations throw money at the problem by buying more technology, but if the cybersecurity team is understaffed or is not effectively trained on how to use that technology, it is difficult to defend against cyberattacks.
Addressing the Gap at Your Organization: People and Technology
To reverse their organization's workforce shortage, leaders must prioritize people over technology: working with their cybersecurity teams to identify workforce needs, investing in hiring more individuals and compensating them well, implementing technology that matches the organization's needs, and training cybersecurity staff on how to use those tools. According to the Cybersecurity Workforce Study, the top people investments organizations plan to make in the next year focus on training (36%), flexible working conditions (33%), certifications (31%), and diversity, equity, and inclusion initiatives (29%).
Cybersecurity professionals agree that people-first approaches, complemented by process and technologies, are the best pathways to narrowing the workforce gap. The top three recommended areas of focus are developing existing staff (42%), hiring new staff (31%), and developing future staff (23%). Only 17% of professionals identified artificial intelligence/machine learning and automation in cybersecurity operations as having the largest potential impact, signaling that technology investments alone are not substitutes for more people.
To be clear, technology is critical. There is a symbiotic relationship between people and technology: More staff enables the organization to effectively and efficiently use more technology. Thus, investments in people do not limit planned investments in technology. To support their cybersecurity teams, organizations in the next year plan to invest in cloud service providers (38%), intelligence and automation for manual cybersecurity tasks (37%), and intelligence and automation for existing processes (37%).
Headlines this past year have made cybersecurity activity a regular topic of conversation in the boardroom. In fact, according to the (ISC)² study Ransomware in the C-Suite, 67% of US executives and 72% of UK executives communicate with their cybersecurity teams more frequently after the slew of recent cyberattacks. Now that everyone is paying attention, the time for action is now.
Following another year of big breach headlines, the top ransomware concerns cited among US and UK executives are exposure to regulatory sanctions (38%), loss of data or intellectual property (34%), followed equally (31% each) by concerns about loss of confidence among employees, loss of business due to systems outage, uncertainty that data could still be compromised even after paying a ransom, and reputational harm. Although 71% of executives are confident in their organizations’ preparedness to handle a ransomware attack, executives express a strong willingness to invest in technology and staff to improve defenses. This willingness suggests that now is an opportune time for cybersecurity leaders to proactively address their organizational readiness with the executive team and discuss investments in people, technology, and processes.