Cybersecurity talent shortages: the roots and the solutions

We explore the root causes of the talent crisis in the cybersecurity industry and look for possible solutions.

The main reasons for the cybercriminal talent shortage, how to address the problem going forward, and what to do about it in the here and now.

Skills shortages in the cybersecurity industry are hardly a new phenomenon; however, in recent years it has become painfully acute. The trigger was the coronavirus pandemic, which provoked rapid digitalization of most everything in the world, and an equally rapid increase in the number of cyberattacks. This led to demand for cybersecurity professionals seriously outstripping supply.

ISC2, a leading cybersecurity expert-certification company, publishes its Cybersecurity Workforce Study every year. According to its latest report, the number of cybersecurity specialists in the world increased by 8.7% between 2022 and 2023. Sounds great. The problem is, however, that the talent shortage also grew – by 12.6% over the same period. When the report went to press, the global staffing shortage in the cybersecurity industry stood at a whopping four million employees. So what’s going on?

Cybersecurity in higher education

To get an answer to this question, we conducted a massive survey of more than a thousand cybersecurity professionals from 29 countries. We interviewed employees across the board – from entry-level technicians to directors and SOC heads.

Some interesting facts came to light as a result. Most interestingly, not all experts in the field had studied cybersecurity at college or university. The figures vary by region, but on average no more than half had done a dedicated course. What’s more, the majority of respondents spoke of a lack of specialized cybersecurity courses in higher education on the whole.

Availability of cybersecurity courses at degree level

Respondents rated the availability of specialized cybersecurity courses in higher education institutions as poor. Source

As for whether higher education is a must for a career in cybersecurity, respondents’ views were decidedly mixed: only half consider a degree to be either very or extremely useful; a quarter have a neutral opinion; and another quarter believe a degree to be totally useless.

The main problem with formal cybersecurity education is that it forever lags behind real-world developments. Tools, technologies and threats are evolving so rapidly that knowledge acquired on a course becomes largely obsolete by graduation day.

The surveyed cybersecurity specialists also noted that higher education often neither provides sufficient hands-on training, nor helps develop the skills needed to build a career in the field. So young professionals are often sorely unprepared for what awaits them in the real world.

Consequences for business

The lack of hands-on experience means that many aspiring professionals make poor decisions, which can have major knock-on effects for employers. As nearly half of the respondents (46%) noted, it took them more than a year to get settled in their first job.

At the same time, more than half (51%) admitted making serious mistakes in their first few years on the job. These were the top five mistakes mentioned:

  • Not installing updates and patches in good time (43%)
  • Using weak, easy-to-guess passwords (42%)
  • Not backing up important data in good time (40%)
  • Using outdated security measures (29%)
  • Falling for phishing (29%)
Mistakes in the first year at work

More than half of infosec professionals admit making serious mistakes in their first years in the job. Source

Often, infosec experts have far higher privileges for and access to many systems not available to regular employees. Therefore, such mistakes can have catastrophic consequences for companies – ranging from critical infrastructure compromise and ransomware infection to industrial espionage and data leakage.

Patching the talent shortage

Of course, the problem of cybersecurity staffing shortages is too big for a quick-fix solution. Only with a long-term and comprehensive approach will it be possible to fill the deficit of qualified specialists.

Our focus at Kaspersky is on two priorities. The first is the need to establish more effective cooperation between business and academic education. To ensure that graduates meet employers’ requirements, higher education institutions need to be helped to adapt their programs to real-world developments to make them more flexible.

To that end, we’ve long been working closely with numerous educational organizations. In particular, through our Kaspersky Academy Alliance partner program, colleges and universities have access to world-class know-how, lectures, trainings and technologies, and can integrate industry expertise into curricula in line with the latest trends.

The second priority we see is that business needs to give infosec employees – especially entry-level specialists – the opportunity to fill any gaps in theoretical knowledge and, more importantly, practical skills needed to do the job. With the rapidly evolving techscape and threatscape, professionals need to constantly upskill to stay on top.

Available to both organizations and individuals, our Kaspersky Academy corporate education program and our Kaspersky Expert Training online courses can greatly help with your professional training needs. Within these programs, we offer courses and trainings based on decades of experience of leading experts spanning all cybersecurity fields.

Mitigation

Lastly, a few tips that won’t directly fix the talent shortage worldwide, but will make it less acute within your organization:

Tips

How to travel safely

Going on vacation? We’ve compiled a traveler’s guide to help you have an enjoyable safe time and completely get away from the routine.