A recent data analysis from CyberSeek confirmed what many in cybersecurity know all too well: The job market is on fire.
U.S. employers posted roughly 715,000 cybersecurity roles in the 12-month period ending in April 2022. Demand for cybersecurity jobs increased 43% over that 12-month period, compared to 18% for the rest of the job market.
“The growth rate is some of the fastest that we have ever seen,” said Will Markow, VP of applied research, talent for Lightcast, one of the three industry partners behind CyberSeek. “In the first four months of 2022, each month broke the previous month’s record for the most jobs tracked.”
High demand has come at a cost, though. Cybersecurity jobs are taking 21% longer to fill than other IT roles, and cybersecurity salaries have crept up to 10% more than IT salaries, Markow said. Only two states – Maine and Wyoming – aren’t reporting a talent shortage.
And for every 100 jobs being posted, there are only 66 workers to fill them.
“That means we’re entering the cybersecurity battlefield with one-third of our army on the sidelines,” he said.
Too many companies looking for unicorns
Many companies cite a talent gap for their inability to fill cybersecurity roles – but a big part of the problem may be that hiring managers are looking for more than they can find.
ISACA’s latest State of Cybersecurity report indicated that more than 60% of companies have unfilled cybersecurity positions and understaffed teams.
The top skills gap, cited by more than half of cybersecurity professionals surveyed, is soft skills such as problem solving, critical thinking, and communication. The top factor used to determine whether a candidate is qualified, though, is prior hands-on cybersecurity experience, followed by credentials.
“There are almost 1 million open jobs – but no one is willing to hire junior people,” said Jenai Marinkovic, a member of the ISACA Emerging Trends Working Group and virtual CISO/CTO with Tiro Security.
At a philosophical level, it makes sense. In an ever-expanding cyberthreat landscape, and with increased scrutiny of cybersecurity practices among government entities as well as customers, few companies are willing to put someone with just a few months of experience in charge of protecting valuable digital assets, Markow said.
However, it often leads to what Jon France, CISO of (ISC)2, describes as “job description abuse.”
An entry-level role, for example, will require Certified Information Systems Security Professional (CISSP) certification – which requires five years of industry experience and a passing grade on the CISSP exam.
“There’s fierce competition for the unicorn who’s at a senior level, but because that’s such a tough market, you need to balance your hiring across entry-level and those who are more experienced,” France said.
More entry-level certification and training
These high-flying skill requirements are unrealistic. For starters, the recent (ISC)2 Cybersecurity Hiring Guide found that about 62% of cybersecurity professionals in the United States have less than four years of experience.
In addition, more than 137,000 cybersecurity job postings in the U.S. over the last 12 months asked for CISSP certification, Markow said, citing CyberSeek data. But fewer than 95,000 workers have obtained the certification.
“It really benefits employers to think carefully about the skill sets and credentials they request,” Markow said. “We need to widen the hiring aperture to bring in workers from more diverse experiential and educational backgrounds. Employers want someone with at least a bachelor’s degree to enter the position, but we can’t wait four years for the next crop of workers.”
Marinkovic sees the same pattern: “We are seeing a decrease in the number of people who demand degrees, but it’s hard to let go of that bias. Cybersecurity tends to be monolithic in its way of thinking.”
One approach to meeting this need is entry-level certification. (ISC)2 is piloting such a program, which targets students as well as those looking to enter cybersecurity from another industry.
“We have to look at other sectors and attract people interested in changing careers,” France said. “Being new to cybersecurity doesn’t necessarily mean being young.”
Marinkovic, through her work as the executive director of GRC for Intelligent Ecosystems (GRCIE), has developed six-month courses to prepare women, minorities, and other individuals from underserved communities for entry-level cybersecurity roles.
Training emphasizes both technical skills – particularly risk assessments and regulatory frameworks – and soft skills such as communication and conflict resolution.
Internal moves can mitigate the impact of the talent gap
On-the-job training is both critical and undervalued. The (ISC)2 survey found that roughly two-thirds of companies think it takes nine months for cybersecurity staffers to work independently.
For many in management positions, that’s too much time. “Sometimes, you just have to get bodies in, and it’s a trial by fire,” Marinkovic said. “If it takes at least six months for someone to be ready to do the job, and if you’re already underwater and under-skilled, having to bring someone on board when you’re already working 100 hours a week is going to impact your effectiveness.”
To shorten the learning curve for new cybersecurity professionals, Markow has seen a trend of companies looking at internal candidates who have transferable skills. That way, they only need “last-mile” training to make the move to a cybersecurity role.
As a bonus, they already know the company’s technology stack and its corporate culture.
“This is a highly effective way for organizations to expand the talent pipeline,” he said. “It aids employee retention by giving people more mobility, and it’s an effective way to increase the diversity of the applicant pool.”
In addition, Markow has seen companies “parcel out” cybersecurity tasks – for example, by encouraging IT project managers and software engineers to proactively build security into the software development cycle.
“When security is embedded into these day-to-day tasks, it makes the whole organization more secure – and it builds more of those pools of skill-adjacent cybersecurity workers,” he said.