Let’s take a closer look into some of the current skillset challenges we face in the current state as cybersecurity leaders. We will cover multiple different data points along with some of the ways the industry is looking to address the challenges. With these challenges, it is important you are doing everything you can to retain your employees and provide a work environment they want to continue to work in.
Common Cybersecurity Roles
Over the years, many roles that never existed before are appearing within the cybersecurity world, and new skillsets are always needed. The following are some of the more common cybersecurity roles that you can expect to see within a cybersecurity program:
CISO/CSO
IT Cybersecurity Manager/Director
Cybersecurity Program/Project Manager
Cybersecurity Analyst/Architect/Engineer/Administrator
Cybersecurity Software/Application Developer/Engineer
Cryptographer/Cryptologist
Cybersecurity Consultant/Specialist
Network Cybersecurity Analyst/Architect/Engineer/Administrator
Cloud Cybersecurity Analyst/Architect/Engineer/Administrator
Penetration Tester
Cybersecurity Auditor
Governance Manager
Obsolete, Persistent, and Emerging Roles in Cybersecurity
To expand on the roles mentioned above, it is important to understand the evolution of cybersecurity roles to ensure your cybersecurity program remains relevant and up to date. You must continue to assess the current state and ensure your current employees are evolving into newer, more relevant roles. At the same time, when you hire new resources, you need to assess whether they are suitable to support new emerging technologies and threats or not. The following table provides an example of some of the obsolete roles along with those that are currently persistent, with examples of more modern emerging roles that may be needed within your organization to meet today’s challenges.
Figure 1.7: Obsolete, persistent, and emerging roles in cybersecurity
High-Level Cybersecurity Organization Structure
As an example, the following shows how the hierarchy in a typical cybersecurity organization may look through an organization chart. Every organization is different, but this will provide you with a basis of what to expect:
Figure 1.8: Example organization structure
We will be covering the organization structure in more detail in Chapter 2, Setting the Foundations.
Shortage of Cybersecurity Expertise
One major challenge we currently face in the cybersecurity industry is a shortage of the needed expertise within the field. To put things into greater perspective, the IBM Cost of a Data Breach Report referenced previously noted that organizations with higher levels of security skills shortages observed an average of $5.36 million in costs from each breach. As you can imagine, only 5 years ago, cybersecurity wasn’t necessarily something every organization envisioned as requiring a dedicated team. Fast forward to today, and every organization is frantically looking to build (if they don’t already have one) or onboard a Managed Security Service Provider (MSSP ) to meet the demand of the ongoing threats we are continuously dealing with on a day-to-day basis. For some, this is a requirement, while others are reacting from an already experienced cybersecurity incident, and others still are observing the increased risk and growing number of breaches that continue to make headlines.
Regardless of the reason, there is a need to fill millions of open roles in which the majority are skillsets that need some form of expertise to be successful. Acquiring these skillsets doesn’t happen overnight, forcing us to re-think the way we hire cybersecurity professionals.
ICS2 2023 Cybersecurity Workforce Study
An ICS2 2023 Cybersecurity Workforce Study that surveyed 14,865 global users revealed:
The global cybersecurity workforce continues to grow, by 8.7% in this year’s report.
The gap in cybersecurity professionals needed also continues to grow with a year-over-year increase of 12.6%.
It is estimated that the global cybersecurity workforce is approximately 5.4 (4.7 in 2022) million.
There is a 4 (3.4 in 2022) million worldwide worker gap within cybersecurity.
Layoffs are not uncommon within cybersecurity with 22% reporting they experienced a layoff.
The current threat landscape is viewed as the most challenging within the previous 5 years according to 75% of respondents.
There is a slight drop in job satisfaction among the cybersecurity professionals with a 70% representation (4% drop from last year).
Cloud computing skills are the most common gap and the hardest to find among qualified employees.
AI and ML are among the top five skills in demand for the first time.
It was reported that 39% of respondents know someone who has, or have themselves, been approached by a threat actor for malicious intent.
Source: https://www.isc2.org/research
As you can see from the data provided by ICS2 , we have a huge challenge ahead of us to fill the current gap within the cybersecurity industry. This gap isn’t going to be addressed overnight, and in reality will take years. But the good news is that this has been acknowledged at the highest levels and there are many great initiatives in place to help reduce this gap.
National Cyber Workforce and Education Strategy (NCWES)
The following strategy released by the Biden-Harris Administration known as the NCWES aims to help address the skills gap shortage through partnering with educators, organizations, and government entities: https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/31/fact-sheet-biden-%E2%81%A0harris-administration-announces-national-cyber-workforce-and-education-strategy-unleashing-americas-cyber-talent/ .
One example of these great initiatives and one listed on the NCWES is from ISC2, who has pledged for 1 million individuals to receive the Certified in Cybersecurity certification for free (as of May 2024), which includes both training and the certification exam. This is an incredible initiative and one that I share with others as part of mentoring and those looking to break into the cybersecurity field: https://www.isc2.org/landing/1mcc .
In addition to this initiative and the support from many educators, organizations, and government entities is an incredible community of cybersecurity professionals who continue to bring awareness and help educate others to break into the cybersecurity field. There are many forums where collaboration occurs through local and national events, conferences, local chapters, educational institutions, and social platforms like LinkedIn.
Addressing the Talent Gap with Outsourcing
As per the statistics above, there may be several cybersecurity openings within your team. If this is the case, you may want to look at some immediate options to outsource some work until you can appropriately staff your team. As we are all aware, onboarding doesn’t happen overnight. With an outsourced approach, you can work to bring in temporary resources as needed to fill the gap as you look for permanent hires. We cover resource management in more detail in Chapter 4, Solidifying Your Strategy .
Retaining Top Performers
Another important topic is the ability to hold on to your resources, more specifically your top performers. In recent years we have seen what has been categorized as The Great Resignation , where millions of workers have been quitting each month at record numbers in the United States to look for better opportunities, create a better work-life balance, and for other various reasons. Because of this, you need to ensure you take care of your employees, especially your top performers, and create a work environment that supports their needs.
Any good leader knows that losing a good employee can be extremely impactful and the cost of replacing a good worker versus providing additional compensation (as an example) can be substantial. One quote that has always stuck with me is one from Steve Jobs, and I can personally attest to this statement:
”A small team of A+ players can run circles around a giant team of B and C players.”
It is important to ensure that your cybersecurity program includes a diverse workforce. The ICS2 2023 Cybersecurity Workforce Study referenced above also includes a section on Diversity, Equity, and Inclusion (DEI ), which shows diversity within cybersecurity is moving in the right direction, which is great. Although, more progress is still needed, as women in the under-30 group only represent 26% of the cybersecurity workforce.
Methods of Staying Current
As you look to retain your top performers and provide a work environment where employees want to stay, make sure you are encouraging them to stay up to date, but at the same time provide them a platform and the necessary time to self-educate. For example, the following table provides some methods with which you can allow your employees to update their skills and remain current.
Method
Description
Priority
Why
Cybersecurity Certifications
Study and become certified in industry-recognized certifications. Some of the more common certifications come from ISC2, ISACA, CompTIA, EC-Council, and GIAC.
High
To help with applying for new positions, with promotions, to generally elevate your career, and remain up to date.
Attending Conferences
Participating in cybersecurity conferences to learn about the latest trends, threats, and solutions. Attend industry-specific cybersecurity conferences (e.g., Black Hat, DEF CON, RSA, etc.)
High
Direct exposure to the latest threats, solutions, and networking with experts.
Research and Analyst Companies
Subscribing to research reports and analysis from firms like Gartner, Forrester, or IDC.
High
Market trends, technology evaluations, and strategic recommendations.
Regular Meetings with Suppliers
Engaging with strategic suppliers to understand new technologies and solutions they offer.
High
Insight into product roadmaps, innovative technologies, and potential collaborations.
User Groups/Forums
Joining cybersecurity user groups and forums to discuss challenges, share insights, and learn.
Medium
To learn from others in the industry, collaborate with like-minded professionals, and grow your personal network.
Business Social Media Channels
Following cybersecurity thought leaders and industry updates on platforms like LinkedIn. Checking dedicated cybersecurity news sites (The Hacker News, Krebs on Security, etc.).
Medium
Breaking news, vulnerability disclosures, and threat analysis. Quick updates, but requires careful filtering of information.
Online Courses and Webinars
Enrolling in cybersecurity courses and attending webinars to acquire new skills and knowledge.
Medium
Validate knowledge, increase credibility, and stay aligned with best practices.
Reading Industry Publications
Keeping up with cybersecurity news, articles, magazines, journals and publications from reputable sources.
Medium
In-depth articles, analysis, and case studies.
It is important we don’t overlook the importance of providing time for employees to remain up to date. We often get so busy with projects and operational items that time doesn’t allow for these activities. As a leader, you must make time. A very relevant quote I like to reference by Sir Richard Branson is as follows:
”Train people well enough so they can leave. Treat them well enough so they don’t have to.”
Challenges in the Hiring Process
Switching topics, I continue to observe a lot of feedback and challenges being publicized with the hiring process as it relates to cybersecurity. One area worth mentioning is that of new cybersecurity professionals trying to land their first role encountering unrealistic requirements on many of the entry-level job descriptions, for example, a resume that states entry level but requires 10+ years’ experience. You may laugh but they are out there. Another is an issue that not only haunts the cybersecurity industry but is an ongoing issue in general with the overall hiring process being very long, with unrealistic never-ending interviews, and overall being very legacy and frustrating.
Innovative Hiring Practices
As leaders, we have the ability to break down barriers and influence change in this area as we partner closely with our HR leaders. Filling cybersecurity positions doesn’t necessarily mean hiring those with current experience. There is an abundance of roles that can be filled by those looking to enter the field who are very smart and hungry to learn. You need to think outside the box to meet your hiring needs, especially by looking within your own organization to those who are familiar with the business, want to learn, and can get the job done. Keep the job descriptions simple and don’t list unrealistic requirements. I’m also a believer that you don’t need to make a degree a requirement when hiring, as some of the best workers I’ve had on my teams don’t even have a bachelor’s degree. For the general hiring process challenges, you may not be able to change the overall application process, but you can change your responsiveness to your applicants, speed up the hiring process, and promote a more agile approach in your hiring to create more efficiency.
Changing the Negative Perception of Cybersecurity
One final item we need to tackle is that of a negative perception by some of the cybersecurity industry. I’ve heard it firsthand where great talent is considering entering the cybersecurity industry but they decide not to because of the perception that there is a requirement to work non-stop and the stress can be extremely challenging. This is true in some respects, as shown with data in the upcoming section, Prioritizing Well-Being . I have also observed this firsthand within the security operations and incident response functions, where there are ongoing fires while dealing with never-ending security incidents. As leaders, we are the only ones who can change this perception to create a more welcoming environment and one that doesn’t involve the ongoing demands that are causing long hours and high stress. It is our responsibility to influence change and we need to start now to better protect our team’s well-being.
On another note, it is important to make others aware that there are many other functions within cybersecurity that have much less demand, which we will cover throughout the book.
Encouraging Collaboration and Mentorship
As you can see, we have a challenging road ahead of us and one that won’t be solved in the short term. I do see a lot of interest from those who haven’t worked in cybersecurity and are looking to break into the cybersecurity field. I have mentored and continue to mentor many to help them break into cybersecurity, only to watch them struggle to land a job because of the rigorous requirements and the expectation of hiring only experienced professionals. Remember, we all started somewhere. Let us not see a candidate just based on their experience, but also see how trainable they are, and whether they have a hunger to learn, adapt, and be trained. It is important we create an environment where we allow collaboration, cross-training, and a place where we encourage knowledge sharing and the ability to enhance those around us. Most importantly, building an environment that becomes a place your team wants to work and enjoys working will bring the best out in everyone.