Is There Really a Cybersecurity Skills Shortage?
Aaron Perkins, M.S., CISSP
Futurist Bringing Human-Centric Strategies to Technology
Dear ONE Community,
I initially planned to cover several topics in this newsletter. Specifically, I intended to address multiple misinformation claims that continue to proliferate across the cybersecurity industry. But no sooner had I started writing than I realized each misinformation claim really needs its own newsletter entry.
I am hesitant to say this will be a new series, although I do feel there is a distinct need, if not a demand, for clarification with regard to ideas and data findings published by a variety of players in the cybersecurity industry.
With that short introduction as the backdrop for this ONE newsletter entry, the misinformation I am addressing here is the purported skills shortage in the cybersecurity industry.
In my research for this newsletter entry, I found that the cybersecurity skills gap (i.e., skills shortage) often lacks important context for the reader/listener/viewer to fully evaluate the claim’s veracity.
Before we dive in, let me just say right out of the gate that misinformation specifically about what it takes to get into the cybersecurity field is rampant. It seems, no matter where you look, there are people parroting what they’ve heard about entering the cybersecurity industry without diving into whether what they heard is true. It’s bonkers.
ONE Research Verdict
The claim that cybersecurity has a skills shortage is INCOMPLETE.
The verdict of INCOMPLETE was based on several factors:
So, in this newsletter, I’m going to do my best to directly address just one piece of misinformation that needs that additional context.
Misinformation Claim: Cybersecurity has a skills shortage.
FACT: There IS a skills shortage in the cybersecurity industry. No one disputes this.
Where this quickly becomes misinformation is when well-meaning people omit the additional context needed to fully understand the skills shortage.
In 2024, cybersecurity practitioners from around the globe identified the following five skills shortages in their respective organizations:
Again, not misinformation.
What is rarely talked about, however, is why the skills gaps exist. Why is it exactly that skills gaps continue to snowball in the cybersecurity industry more than any other?
Let’s unpack the why behind the skills gaps.
The cybersecurity skills most in-demand by organizations across the globe are a moving target.
The most in-demand skills change year-to-year. Even before the global COVID-19 pandemic that began in 2020, cloud security and application security were becoming much-needed skills in the industry. The effects of the pandemic and the overnight requirement to move from centralized offices to fully dispersed environments were like throwing a match on dry tinder. Cloud and application security skills exploded as organizations globally suddenly needed those skills far more than they ever had.
Fast-forward a couple of years — cloud and application security are still high up on that list. But now, we have a new skill topping the list — artificial intelligence (more on AI further along in this newsletter).
Cybersecurity is most often seen as a technology problem, with the belief that only technologists can solve the problem.
Cybersecurity incidents have a massive impact across socioeconomic, political, and social aspects of everyday life. It comes down to a mismatch between competency and social skills.
To be clear, this is not an attack on any particular personality type; in fact, it is quite the opposite.
This is more of a call to action than anything — an opportunity for you, as the cybersecurity practitioner, to take a look at the skills gaps within your organization and evaluate whether you are approaching the problem in the most effective manner.
Building human and institutional capacity to address these risks requires soft skills with roots in disciplines such as psychology, sociology, communication and media studies. - World Economic Forum
The “Old Guard” is both the industry’s greatest asset and its Achilles heel.
Anyone who has been in the cybersecurity industry for more than five years, if they are being honest, will tell you the truth about the best path to get into the field. The truth is that there is no direct path into the cybersecurity industry.
Once more, for those in the back. </shout> There is no direct path into the cybersecurity industry. Those who tell you there is a direct path are trying to sell you something.
In other words, those of us who ARE in the cybersecurity industry all have wildly different stories of how we got here. For example, if you wanted to follow my path into the cybersecurity industry, here’s what you would do…
There is no direct path into cybersecurity. Full stop.
We don’t actually know what we need.
I waffled on whether to use this wording, but I cannot think of more accurate wording to describe the cybersecurity industry and further delve into the why behind the never-ending skills shortages.
Technology is constantly changing, and as a result, providing training for the skills needed today may not address the skills in highest demand tomorrow. A perfect example of this is the number one most-needed skill of 2024 — artificial intelligence (AI).
I don’t have the time or space in this newsletter to unpack all the elements of AI in cybersecurity, although, ironically, when this newsletter first began, AI in cybersecurity was the newsletter’s entire focus.
AI, while not new, is suddenly all the rage. Everyone wants it, and yet, most organizations want to be sure that, when they DO implement AI, they do so in line with their risk appetite.
There are a variety of guidelines that have been published to manage the inherent or assumed risk from organizational AI implementations; however, the specifics of the cybersecurity skills needed are anyone’s guess.
To my point earlier about cybersecurity incidents impacting more than just technology, security skills surrounding AI include aspects such as data loss prevention, incident response, vulnerability management, and other “normal” cybersecurity skills requirements.
Cybersecurity-AI skills, however, also demand an understanding of the application of ethics in practice, meaningful social responsibility, transparency, and even business acumen.
Wrap-Up
While the verdict on the “cybersecurity skills shortage” claim was judged INCOMPLETE, there are still more elements of truth to the statement than outright falsehoods.
Intentionally addressing the cybersecurity skills shortage remains a critically important aspect of the nature of the cybersecurity field itself. But what's really bonkers is asking cybersecurity practitioners to consult their crystal ball and predict the future of what skills will be needed 5-7 years from now. We just don't know.
The skills shortage is here to stay, and my hope with this ONE newsletter entry is to provide at least some of the additional context required to fully understand the nature of this claim.
What did I miss? What else would you have added to this ONE newsletter entry? Let me know in the comments.
#misinformation #disinformation #cybersecurity #skillsgap #artificialintelligence
Interesting take on the cybersecurity skills shortage! It’s important to dig deeper and separate facts from fiction to address the real challenges in the industry.