May 29, 2024 | Cybersecurity education
Overcoming the cybersecurity talent shortage in 2025
By Field Effect
With digitization solidifying itself as the norm for businesses of all sizes, cybersecurity has never been more critical. Every business must defend against ever-evolving, increasingly sophisticated cyber threats actively seeking out an unknowing employee or a technical vulnerability.
Trained security professionals can help you guard sensitive data, protect your infrastructure, and maintain data privacy for your customers, employees, and business operations. Yet, despite their importance, cybersecurity experts can be challenging to come by, particularly for startups, small companies, and even larger ones.
The prevalent cybersecurity skills gap
The cybersecurity skills gap refers to the constantly widening wedge between the demand for cybersecurity professionals and the true supply of qualified personnel.
The gap emerged for many reasons, such as rapid technological advancements that greatly outpaced traditional education and training. In a matter of years, businesses added laptops, tablets, smartphones, cloud-based apps, and more to their daily operations—all of which need securing.
The situation is further complicated because of the varying nature of cybersecurity roles and positions. Those can range anywhere from network traffic analysis and penetration testing to security management and risk assessment, requiring a broad set of skills.
Rapid technological advancements were also happening on the malicious side of things, as cybercriminals became more sophisticated through automation, innovation, and collaboration.
This cybersecurity talent shortage has far-reaching consequences that extend beyond the vendors and suppliers in the industry. It has also presented challenges for small and medium businesses (SMBs), and the managed service providers (MSPs) who secure them, who often struggle to find the cybersecurity personnel they need.
The impact on smaller businesses
The cybersecurity skills gap impacts smaller businesses differently than larger enterprises. With limited access to either on-site or outsourced qualified cybersecurity personnel, these organizations may struggle to maintain a reliable security posture that withstands an attack or breach. This vulnerability, accelerated by the rise in the severity and intensity of cyberattacks, can lead to costly data breaches, reputational damage, and operational disruptions.
As for MSPs, the situation is challenging as well. They’re often the carriers of numerous other companies’ data, files, and information, making MSPs big targets for attacks.
Understanding the cybersecurity skills gap
Before we can dive into how to solve the talent shortage, we need to understand the gap's root causes.
Demand outpaced supply
The lack of qualified professionals is largely due to how quickly the cybersecurity industry and cyber threats evolved. Almost overnight, companies realized they needed a dedicated cybersecurity professional—or an entire team—on staff. The number of existing experts, cybersecurity students, and fresh graduates didn’t keep pace.
The Fortune 500 effect
Being a cybersecurity professional can be incredibly challenging and stressful. This is capitalized upon by what’s known as the Fortune 500 effect, in which larger companies with vast resources can attract and retain top cybersecurity talent.
This leaves smaller businesses competing for a much smaller talent pool.
The impact of diversity
According to the World Economic Forum, the lack of diversity in the STEM fields in general, and cybersecurity in particular, is a key contributing factor to the skills gap.
With women and minorities underrepresented in the industry, many employers are left blind to a portion of the talent pool that’s just as capable of fortifying their security. Not to mention, people from varying backgrounds can bring diverse perspectives to problem-solving, which is a key skill for cybersecurity professionals.
The current scenario of the skills gap
Looking at official statistics, surveys, and research on the cybersecurity skills gap nationwide, it becomes easier to understand the scope of the problem. According to CyberSeek, there are 663,434 job openings for cybersecurity professionals in the U.S. Meanwhile, there are just over 1.1 million professionals in the workforce. This suggests that businesses are operating with around two-thirds of the needed skills.
This is particularly evident in the worry expressed by business leaders in critical sectors. In banking and capital markets, only 14% of leaders reported having the cybersecurity talent they need on board. In the public sector the figure is 15%, in the energy and utility sector 20%, and in insurance and asset management 25%. These numbers are all according to the 2023 World Economic Forum Cybersecurity Outlook.
When treated as a global issue, the shortage of cybersecurity professionals is estimated to be around 3.4 million empty positions in companies and organizations, according to the 2022 (ISC)² Cybersecurity Workforce Study.
The effects of a limited talent pool
Gartner predicts that by 2025, the lack of cybersecurity professionals will be responsible for more than 50% of significant cybersecurity incidents. Also, the scarcity of skilled technical professionals places an additional burden on the workforce.
Existing employees are expected to carry more responsibilities, leading to burnout and decreased productivity and effectiveness. The shortage could hinder innovation and progress, not only within the cybersecurity industry but outside of it as well.
Addressing the cybersecurity skills gap
To bridge the cybersecurity skills gap, organizations need to take a proactive approach. Of course, different factors may affect different companies based on their industry, location, and size. After all, those based in urban hot spots typically have greater access to trained professionals compared to companies based out of more rural areas or smaller towns.
Similarly, industries at a higher risk of attack and under more stringent regulations, such as the banking and financial industries, may face difficulty attracting cybersecurity professionals without high salaries and generous benefits.
Bridging the gap, however, can be done by investing in education and training programs that focus on developing the necessary skills and expertise for the future. Organizations may also partner with nearby universities, colleges, and other educational institutions to create internship programs that enable the next generation of cybersecurity professionals to take their first steps into the industry.
However, there are still ways to address the issue now.
Turning IT professionals into cybersecurity experts
One approach to overcoming the cybersecurity skills gap is to up-skill and re-skill existing personnel. IT experts in particular already possess the necessary foundational knowledge to work in cybersecurity. What's more, they're already well-versed in your company’s infrastructure and layout, unlike new hires who’d need time for onboarding and getting up to speed.
Organizations can use a variety of training resources and online platforms to upskill and reskill. Cyber Range is Field Effect’s simulation-based training platform that provides a safe environment for IT professionals to learn and practice cybersecurity skills, accelerating their transformation into cybersecurity experts.
Even after turning your IT staff into cybersecurity professionals, it’s important to maintain and further their education so they can keep up with the latest developments and advances in the security industry. Many organizations will use Cyber Range for continuous training, to ensure their teams stay on top of the latest cyber threats and security best practices.
Rethinking job expectations and requirements
One of the biggest issues with hiring tech professionals is that there’s still a strong emphasis on certifications and official credentials. While those can be a critical indicator of a candidate’s level and expertise, they're not the be-all-end-all.
The (ISC)² 2021 Cybersecurity Workforce Study found that it’s becoming uncommon for younger professionals to start in the IT and tech sectors. Of the Gen X and Boomer professionals now working in cybersecurity, 53% and 55% respectively started in IT. For Gen Z and Millennials, the numbers drop to around 38%. Also, when it comes to self-learning and non-traditional accreditation, 20% of women and 14% of men in cybersecurity are self-taught.
That’s why it’s important to shift the focus from certifications and credentials to a candidate’s practical skills, experience, and soft skills, all of which can indicate their ability to perform better in real-world scenarios.
In fact, practical skills and experiences gained through hands-on work and projects are critical in the cybersecurity field. It's crucial for organizations to recognize and value these practical skills when hiring.
Fostering a culture of cybersecurity
Organizations should also go beyond focusing on their IT and security personnel by fostering a culture of security among the entire workforce. An informed and knowledgeable workforce is your company’s first line of defense against potential breaches. After all, threat actors will commonly target employees as the first step in their attack.
According to the 2020 Psychology of Human Error study by Stanford University Professor Jeff Hancock, human error contributed to around 88% of successful cyberattacks. Considering this statistic, one focus should be training non-technical employees to recognize and guard against common cyber threats, such as phishing scams. These attacks involve manipulative tactics that exploit individuals' unfamiliarity with cybercriminals and their tricks.
Implementing comprehensive cybersecurity education programs for all your staff members can help bridge this gap. Regular training sessions can also provide employees with up-to-date information on current threats and teach them how to spot the signs of an attack. For example, training can teach or remind employees to identify suspicious email addresses, double-check URLs before clicking on them, and recognize the hallmarks of a phishing email.
Include non-security employees in regular phishing simulation exercises. This allows you to safely gauge their reaction to real-world scenarios that may threaten the security of company data.
Creating a cybersecurity culture also means promoting safe practices such as using strong, unique passwords for all accounts, enabling multi-factor authentication where possible, and ensuring that devices used for work are configured securely and updated quickly. Regular reminders about these practices can help embed them into employees' daily routines.
Leaning on sophisticated technology and automation
Technology can also alleviate the impacts of the cybersecurity talent shortage. With the help of advanced analytics and functionality, you can monitor for, detect, and actively respond to malicious behavior automatically, freeing up your existing staff’s time. Intelligent technology plays a key role in offloading some more tedious or mundane cybersecurity tasks, such as sorting through heaps of logs.
“AI tools might alleviate the shortage of skilled workers by automating routine tasks and augmenting human capabilities. This has already been happening … To cope, organizations are turning to AI to automate the detection and response to cyber threats, freeing up cybersecurity professionals to focus on innovation,” writes John Schwarz, a member of the Forbes Technology Council.
When combined with a small team of cybersecurity professionals, instead of outright replacing them, AI tools can help alleviate some of the pressure caused by the lack of working hands, reduce the workload on your staff, and increase the efficiency and effectiveness of your security operations.
Collaborating with a partner
Partnering is another viable strategy for organizations to address the cybersecurity skills gap. As helpful as technology can be, it still needs people to run it. For those with a small (or non-existent) cybersecurity team, you can gain access to the skills and expertise you need by partnering with a third-party provider.
The right partner will have the necessary cybersecurity skills and resources, providing you with access to expert security services, such as threat detection and response.
There are many potential partners and platforms to consider for outsourcing cybersecurity tasks, each with strengths and specializations. It's crucial to choose a partner that aligns with your organization's needs and goals.
Some cybersecurity solutions come fully managed by a security operations center (SOC) as part of the service. Field Effect MDR, for example, does this. Delivered as an all-in-one package, Field Effect MDR makes it easy for your team to overcome the shortage as you have both sophisticated technology and a fully staffed team of experts working hard to keep you secure from even the most advanced cyber threats.
When selecting a partner or platform for outsourcing cybersecurity tasks, consider cost, scalability, reliability, and customer support. Additionally, verify that your chosen partner is compliant with relevant regulations and standards. By doing so, you can ensure that their data is secure and their operations remain aligned with industry best practices.
Overcoming the talent shortage in 2024
Despite the challenges posed by the cybersecurity skills gap, there are ways to take your organization's security to the next level. The critical talent shortage has sparked a renewed focus on improving cybersecurity education and training, encouraging innovative solutions, and fostering collaborations across the industry.
Take advantage of the skills you already have on hand. Focus on evolving your employees’ skill sets and getting them up to speed with the latest cybersecurity information. With a simulation-based training platform like Cyber Range, you can ensure your IT and security staff are getting the hands-on experience they need to succeed in cybersecurity.
At Field Effect, we understand that not every business can (or should) build a fully staffed cybersecurity team. That’s why we built Field Effect MDR—the world’s most holistic cybersecurity solution that comes fully managed by our highly skilled analysts, who are committed to helping your organization navigate the complex cybersecurity landscape. Find out more about our MDR solution, Field Effect MDR, and how it can fit into your cybersecurity strategy.