Multibillion-dollar cybersecurity training market fails to fix the supply-demand imbalance
The cybersecurity skills gap issue may be further from being solved than expected despite the large amount of money being invested around the world to train professionals, according to a report by the Information Systems Audit and Control Association (ISACA). While the volume of training has increased the number of entry-level professionals, organizations are looking for experienced cybersecurity personnel, the international IT governance professional association says.
"Continued hyper-focus on the perceived worker shortage to fill unverifiable open cybersecurity positions is problematic, for it not only fails to address duplicate job postings but also the perspectives of aspiring cybersecurity professionals who spent significant time and money completing pathway programs and yet remain unable to secure employment in the cybersecurity field," ISACA states in its State of Cybersecurity 2023, Global Update on Workforce Efforts, Resources and Cyberoperations report.
"Failure to resolve this critical issue will magnify the existing problem of students and career changers being unable to obtain employment due to lack of experience, despite any knowledge, skills or credentials they have acquired," found the report.
The annual ISACA report was conducted during the second quarter of 2023. More than 2,100 professionals around the world answered the online survey sent to those with ISACA Certified Information Security Manager (CISM) certification or who have registered job titles in the information security field.
The cyber workforce continues to age
While the largest percentage of respondents (34%) remained among those aged between 35 and 44, the average age of the workforce continued to increase, albeit slowly -- respondents in the 45 to 54 and 55 to 64 age ranges increased by two percentage points (32%) and three percentage points (19%), respectively, compared with 2022.
There has long been a discussion in IT circles around companies hiring and training recent graduates only to lose these now-skilled professionals to higher-paying jobs elsewhere. "Cybersecurity companies and departments largely do accept that training and upskilling is necessary to help combat the shortage of cyber staff," Jo Stewart-Rattray, CISO and ISACA ambassador, Oceania, tells CISO.
"But it's a double-edged sword. While the intention is there, the under-staffing epidemic leaves us little capacity in terms of time to invest in training and upskilling -- even though this is the ultimate solution."
It goes without saying that if a company finds the right professional with the right skills and can afford to hire that professional, it will. "In some ways, we are our own worst enemy," Stewart-Rattray says.
Cybersecurity teams are 'at capacity'
"The spike in cyberattacks that we have experienced globally has led to increased security vigilance by companies of all sizes. This is placing unprecedented demand on CISOs, who are being called upon to review and upgrade security and work with either legal teams or privacy teams to strengthen privacy programs, let alone handling data breaches themselves. We are at capacity," Stewart-Rattray says.
The long-term resolution to the problem relies on cybersecurity professionals and those hiring must look to simplify job descriptions and requirements expected of cyber graduates and those professionals transitioning from other sectors, she suggests.
"Rather, job descriptions should focus on the important skills, sometimes referred to as soft skills, that we are lacking in our industry, which opens up a wider pool of potential talent." Stewart-Rattray also said that the risk of losing a trained professional is not something she sees as a problem from her perspective.
"The deterrent is time. I believe there are many benefits we can offer to help retain employees such as flexible working arrangements, as the return to office mandate is not being well-received across our industry sector. In addition, paying for certification and training programs, and covering industry memberships is important."
The report found that 65% of the respondents paid employee certification fees. But the remaining 35% suggests that quite a few professionals have to pay out of pocket for their certifications and updates -- which aren't always cheap -- which becomes an additional stressor for some employees.
Retention of cybersecurity professionals is on the rise
The good news is that retention increased, with a 6% drop in the number of respondents reporting retention issues compared to the previous year. But this improvement is more likely tied to economic uncertainty rather than work conditions having improved.
The main reasons for employees departing included recruitment by other companies (58%). The second highest response, poor financial incentives (e.g., salaries or bonuses), is likely the main driver, ISACA found. Those seeking better financial compensation increased by 6% from last year to 54%.
While work stress levels dropped by two percentage points from 2022, it remains a contributing factor at 43%, ranking fourth on the list. Other notable reasons included limited remote work possibilities (increased by four percentage points from 2022) and poor work culture/environment, both potentially driven by return-to-work mandates.
"Uncertainty of any kind appears to be driving fewer job changes, and while vacancies persist, the survey results indicate that enterprises appear to be tightening budgets and compensation aids ahead of a potential recession," read the report.
The state of cybersecurity across regions
In Europe, about 52% of organizations said they experienced more attacks than the year before, while in Oceania that reached 56%, both higher than the global average of 48%.
The report found that companies were underreporting cyberattacks, with 78% in both European and Oceania regions. Only 3% of European organizations said they accurately report cybercrime even if not required to do so.
Things get worse for Oceania when it comes to confidence in cybersecurity teams' ability to detect and respond to cyber threats, with only 36% being confident. The global average is 42%.
While the percentage of employers requiring a university degree for entry-level cybersecurity positions remains at 52%, differences across geographical regions are notable -- Europe and Africa saw decreases, Asia and North America remained unchanged, and Latin America and Oceania reported 9% and 10% increases respectively in this requirement.
Source: https://www.csoonline.com/article/654055/multibillion-dollar-cybersecurity-training-market-fails-to-fix-the-supply-demand-imbalance.html
