Demand for cybersecurity professionals keeps rising, and the world isn’t producing enough talent to fill those slots. This year, the demand for infosec jobs rose to 38% and, according to industry research firm Cybersecurity Ventures, it is expected to reach 3.5 million unfilled cybersecurity positions by 2025.
In the US, there are currently close to 600,000 job openings and nearly one-third of those are from California (63,000+ jobs) and Texas (67,000+ jobs). That’s despite the 1,053,468-strong US cybersecurity workforce, according to Cyber Seek data.
And industry pundits don’t see this slowing down anytime soon.
It’s the same situation in other parts of the globe. Michael Page, an international recruitment consultancy firm, stated that cybersecurity demand in India alone is expected to skyrocket to 1.5 million vacancies in 3 years.
“That’s the second highest (demand) in the Asia Pacific region outside China,” said Varsha Barooah, Director of Michael Page India, as he referenced their report “The Humans of Cybersecurity”.
What’s causing the surge?
In a macro sense, it’s no surprise, as cybercrime increased by a whopping 600% due to the COVID-19 pandemic. Phishing and ransomware became the most popular forms of cyberattack. The industries most impacted by these attacks are financial services and banking, e-commerce, and healthcare.
Both people and companies worldwide became dependent on tech-enabled solutions to do most of their work (e.g. e-payments, errand services, last mile logistics, to name a few), especially when the lockdowns hit and abruptly pushed companies to adopt remote work arrangements.
This accelerated the world’s dependence on online-based services which resulted in companies focusing on cybersecurity more than ever. In fact, a CrowdStrike report stated that 74% of companies see cybersecurity enhancement as a top priority and that 69% of them changed their cybersecurity response plan due to COVID-19.
In effect, the workforce situation increased the workload for skilled IT professionals, and paired with the massive influx of cyber attacks, many infosec professionals are suffering from burnout.
But the main problem is sourcing talent to close the growing supply gap created by the shift in how businesses adopt technology to operate.
“There seems to be a huge supply-demand gap, this has led to an increase in hiring for available positions on permanent or contractual basis. The demand for roles such as Security Engineers, Cybersecurity Analysts and Cybersecurity Engineers is on the rise,” said Barooah.
Moreover, IT governance firm ISACA states that the average time to fill a vacant cybersecurity position is 3 to 6 months.
Which cybersecurity positions are seen to be most in-demand?
The most in-demand skills in the cybersecurity sphere are:
- Access Management
- Cloud Security, Compliance and Controls
- Application Development Security
- Data Privacy and Security
- Threat Intelligence
- Security Strategy and Governance
- Risk Management
- Incident Response
- Health Information Security
These areas are covered by most of the top cybersecurity certificates from EC-Council, (ISC)², ISACA, CompTIA, GIAC, and others. Let’s take a look at each one of them (top 10):
1. Certified Information Systems Security Professional (CISSP)
Widely considered as the gold standard in cybersecurity certifications, the CISSP certification from (ISC)² is one of the most sought after credentials in the industry. Earning this advanced certification nets you a badge that you’re experienced in IT security and capable of designing, implementing, and monitoring a cybersecurity program.
This allows you to advance your career as a CISO, Security Administrator, IT Security Engineer, Senior Security Consultant, and Information Assurance Analyst. In fact, in our very own ISCN survey, when asked “Which certification(s) would you say are most in-demand by employers?”, a whopping 72% of respondents gave the CISSP certification as their answer.
2. Certified Information Systems Auditor (CISA)
The CISA certification from ISACA helps you showcase your expertise in cybersecurity auditing such as assessing security vulnerabilities, designing and implementing controls, and reporting on compliance. This course is specifically designed for mid-tenure IT pros who want to become IT Audit Managers, Cybersecurity Auditors, Information Security Analysts, IT Security Engineers, IT Project Managers, and Compliance Program Managers.
3. Certified Information Security Manager (CISM)
If you have a CISM certification, it means you are an expert in the management side of the infosec domain. Topics covered by this ISACA certification are governance, program development, and program, incident, and risk management. This is best for those pivoting from the technical side into a managerial role such as IT Managers, Information Systems Security Officer, Information Risk Consultant, Director of Information Security, and Data Governance Manager.
4. CompTIA Security+
This entry-level security certification shows that you have the core skills required in any cybersecurity role. It covers network security, disaster recovery, risk management, operation security, compliance, threats and vulnerabilities, application security, data and host security, access control, identity management, and cryptography.
CompTIA Security+ essentially allows you to demonstrate your ability to assess the security of an organization, monitor and secure cloud, mobile, and Internet of Things (IoT) environments, understand laws and regulations related to risk and compliance, and identify and respond to security incidents.
This helps you land roles as a Systems Administrator, Help Desk Manager, Security Engineer, Cloud Engineer, Security Administrator, IT Auditor, and Software Developer.
5. Certified Ethical Hacker (CEH)
EC-Council’s CEH course is the world’s most advanced and in demand ethical hacking and penetration testing course. It involves lawfully hacking organizations to try and uncover vulnerabilities before hackers do. Earning this seals your skills in penetration testing, attack detection, vectors, and prevention.
For a proactive, white-hat hacker, this certification leads to jobs like Penetration Tester, Cyber Incident Analyst, Threat Intelligence Analyst, Cloud Security Architect, and Cybersecurity Engineer.
6. GIAC Security Essentials Certification (GSEC)
This certification from Global Information Assurance Certification (GIAC) is another entry-level security credential, but it requires some background in information systems and networking. A GSEC cred covers active defense, network security, cryptography, incident response, and cloud security.
Paired with your IT background, this allows you to take on roles as an IT Security Manager, Computer Forensic Analyst, Penetration Tester, Security Administrator, IT Auditor, and Software Development Engineer.
7. Systems Security Certified Practitioner (SSCP)
(ISC)² offers this intermediate-level security credential so that IT pros can show they have the skills to design, implement, and monitor a secure IT infrastructure. Its exam tests expertise in access controls, risk identification and analysis, security administration, incident response, cryptography, and network, communications, systems, and application security.
Best for IT professionals working hands-on with an organization’s security systems or assets, this is suitable for positions like Network Security Engineer, Systems Administrator, Systems Engineer, Security Analyst, Database Administrator, and Security Consultant.
8. CompTIA Advanced Security Practitioner (CASP+)
If you’re an IT professional seeking to continue your career in technology instead of a managerial role, this advanced skills credential is best for you. Its exam covers topics such as enterprise security domain, risk analysis, software vulnerability, securing cloud and virtualization technologies, and cryptographic techniques.
This allows for getting into advanced roles in architecture, risk management, and enterprise security integration where you can end up as a Security Architect, Security Engineer, Application Security Engineer, Technical Lead Analyst, and Vulnerability Analyst.
9. GIAC Certified Incident Handler (GCIH)
As the most expensive credential on this list (US$2,499), this confirms your understanding of offensive operations, including common attack techniques and vectors and your ability to detect, respond, and defend against attacks.
The certification exam focuses on incident handling, computer crime investigation, hacker exploits, and hacker tools. If you get this, you might end up as a Security Incident Handler, Security Architect, System Administrator, et cetera.
10. Offensive Security Certified Professional (OSCP)
The credential from Offensive Security has become a sought-after certification for Penetration Testers and tests your ability to compromise a series of target machines using multiple exploitation steps and produce detailed penetration test reports for each attack. There are no formal requirements to take the exam but it is recommended to have familiarity with networking, Linux, Bash scripting, Perl or Python, as well as completion of the Penetration Testing with Kali course.
This is nice to consider if you’re a Penetration Tester, Ethical Hacker, Threat Researcher, or an Application Security Analyst.
One important thing to remember is that none of these credentials strictly requires a degree in computer science or IT; a degree is only highly recommended because it helps you build a strong foundation. As a reference, (ISC)² reported that only 8% of cybersecurity professionals finished with a high school diploma. In comparison, 76% either have a Bachelor’s or Master’s degree in Computer and IT, Business, or Engineering. However, it is mandatory to have hands-on experience in general IT roles or in an entry-level role as a cybersecurity analyst.
So if you’re mulling a career in information security, there is no better time than now because…
…there is a major shortage in infosec talent. But why?
In a report authored by Jon Oltsik, Senior Analyst at Enterprise Strategy Group (ESG) and co-published by Information Systems Security Association (ISSA), he said that 60% of survey respondents are “somewhat satisfied”, “not very satisfied”, or “not at all satisfied” with their current positions. It also most notably stated that:
- 96% of survey respondents agree that keeping their skill set up to date is a cybersecurity career requirement;
- 38% of those surveyed believe that their organization is providing an appropriate level of training for them to keep up with business and IT risks;
- 70% of survey respondents say that the cybersecurity skills shortage has had an impact on their organization.
Oltsik noted that this data hints at:
- a future with high attrition rates;
- an increased workload on existing staff;
- companies hiring and training junior staff rather than experienced cybersecurity professionals;
- cybersecurity staff time spent disproportionately on high priority events;
- an inability to utilize/learn some security technologies to their full potential;
- the cybersecurity team having limited time to work with business units.
All of these factors have meshed into the chaos we now know as the massive workforce gap in the worldwide cybersecurity industry, highlighted by salary inflation and aggressive recruiting tactics. In fact, 49% of those survey respondents were revealed to have been actively solicited by recruiters to consider other cybersecurity jobs at least once per week.
Apart from the inherent shortage of cybersecurity professionals, the data above shows that the problem is compounded by overall dissatisfaction among the industry’s workforce, with burnout or toxic work environments leading people to change jobs or simply leave the industry altogether (e.g. for a career in data science and analytics).
There is plenty of independent research by various established IT firms and industry analysts giving different figures for the cybersecurity workforce shortage, ranging from the hundred thousands to 1 or 4 million. Each has its own methodology for collecting the data, but one thing is certain: the demand for cybersecurity professionals is massive and is projected to remain so in the upcoming years.
“There is virtually a zero-percent unemployment rate in cybersecurity,” claimed Robert Herjavec (of Shark Tank fame) in a Cybercrime Magazine podcast.
Cybersecurity will increasingly become more critical in the future
As we become increasingly dependent on technology, the demand for cybersecurity (the entire discipline, not just the workforce) is rapidly becoming as basic as food and shelter. Therefore, more and more people are needed to satisfy this growing need. Cyberattacks lurk in every corner of the world waiting to exploit a bank’s vulnerability or take sensitive financial information from a John or Jane Doe.
Data breaches have exponentially increased during the pandemic and collectively cost companies US$6 trillion in 2021 globally, a cost that is projected to rise by 75% (US$10.5 trillion) in 2025. While it may be easy for huge companies to recover from a million-dollar data breach, it is not the same story for smaller businesses.
Perhaps what’s keeping people from embarking on a career in cybersecurity is that it’s intimidating. Intimidating in the sense that a lot of people might be thinking that one must be a tech wiz.
Cybersecurity is not just for technically-skilled people
Vasu Jakkal, corporate vice president of Security, Compliance and Identity at Microsoft, revealed in a blog post that cybersecurity needs people with diverse backgrounds: business, law enforcement, the military, science, liberal arts, marketing design, and an array of other fields.
“Highly technical roles are key, but on average they make up less than a third of a healthy cybersecurity organization,” said Joanna Burkey, CISO at HP Inc.
“To be successful in the future, we need to invite people who have expertise not just in technical roles, but also in risk management, business analysis, sales, deal support, and even marketing and communications,” she added.
Based on the numbers presented in this article, if you’re interested in the cybersecurity field, there are a number of career paths you can take to get jump-started.
If you’re a student, a computer science degree is a major boost. If you’re a professional from a different field whether it’s creative, healthcare, business, or law, it’s not too late either. If you’re currently an experienced IT professional, one foot is practically inside the door — just a credential away from a full-fledged cybersecurity career.
The workforce gap isn’t slowing down in the foreseeable future because as mentioned earlier, cybersecurity enhancement is a top priority for three-fourths of companies worldwide, and that tells us that the workforce problem is here to stay (or up to 2025 at least…).