Type “cyber talent shortage” into Google and you’ll find about 3,330,000 results on the topic.

This isn’t a niche complaint either: the World Economic Forum, NIST, and the UK Government have all acknowledged the cybersecurity talent shortage and have published information about it.

This so-called talent shortage is burning a hole through companies’ security postures – not to mention their profits if they fall victim to an attack. But, as a recruiter, I know there are good cyber personnel out there on the market. So what gives? And is the answer really as simple as encouraging more people into the industry?

The Problem

Before we go any further, let’s explore some statistics.

Global/USA

According to ISC2’s Cyber Workforce Study 2022, the global cyber security workforce is short of 3,432,476 people, a shortfall that has grown 26.2% from the year before. North America’s cyber talent shortfall is 436,080 according to the study.

The two main reasons given globally as to why organisations have a shortage of cybersecurity staff are “My organization can’t find enough qualified talent” (43%) and “My organization is struggling to keep up with turnover/attrition” (33%).

In figures highlighted at a June 2023 House Homeland Security Committee subcommittee on cybersecurity and infrastructure, the US has almost 700,000 cybersecurity job openings, and not enough cybersecurity experts to protect the nation’s critical and federal infrastructure. Members were informed that “we only have 69 skilled cybersecurity workers for every 100 that employers demand”.

UK

The UK Government’s Cyber security skills in the UK labour market 2023 report states that there are 30% more cyber job postings compared to the previous year. 37% of cybersecurity vacancies posted since 2021 were reported as “hard-to-fill”; the most common reason for this is given as “applicants lacking technical skills and knowledge”.

There is an estimated shortfall of 11,200 people needed to meet the British cyber workforce demand. Though cyber sector workforce figures are roughly in line with the general population in terms of racial and neurodiversity representation, one striking figure is that only 17% of the cyber workforce are female.

Worryingly, 8% of cyber security graduates were unemployed within fifteen months of graduating. This compares to 6% across all graduates.

The Problem with the Problem

Let’s look at this issue from a different angle. With demand so high, surely nobody should be out of work in cybersecurity. But if cybersecurity personnel are in such short supply, why are there good, experienced people on the market, looking for work? And why does it take them time and effort to actually find employment?

One common, knee-jerk solution to the cyber staffing crisis is to simply upskill more people and bring them into the security fold. I would personally like a world with more security-aware people in it, of course. And naturally, the solution for some organisations will legitimately be “we need more people”.

But, I would argue, simply throwing more bodies at the problem throughout the cyber industry without proper forethought might actually end up making its existing issues with job turnover and satisfaction more pronounced.

Consider, too, that training more entry-level security staff might solve the issue eventually, but the talent shortage is currently being felt most acutely in middle and top management, who need solutions NOW.

So we need a) solutions that can be felt up and down the chain of command, and b) solutions that can be applied immediately.

Personally, I see five areas where employers can change their approach in order to get more cyber talent through their doors and ease the cyber talent shortage.

5 Ways Employers Can Ease The Cybersecurity Talent Crisis

1. Review Your Expectations

As someone who deals with cybersecurity roles day in, day out, I can say that some organisations have unrealistic expectations when it comes to compensation, flexibility, and job attractiveness.

Compensation
Evaluate your current Employer Value Proposition for those in your security teams – how realistic is your compensation? Have you done an assessment on the market to see what your competitors are actually paying? Why should talented workers choose working for you over someone else? Does every job spec you advertise have a clear line of job progression? These are the questions that good candidates will be asking.

Flexibility
The work from home revolution was really more of a revelation – it gave employers and employees clear insight into who really needs to be where and when. Thankfully, a lot of operational cybersecurity can be done remotely nowadays, so why are some employers mandating a full or partial return to the office?

Employers need to realise that jumping on the “return to office” bandwagon can be incredibly disqualifying. Firstly, if a job can be done totally remotely, a remote approach means that you can employ the best person for that job, regardless of geography. Secondly, being in a place between the hours of 9 and 5 can be incredibly limiting for parents, carers, those with disabilities, and more.

(And personally, I don’t think return-to-office mandates are going to improve that “only 17% of the UK cyber workforce are female” statistic in any way; after all, women carry out at least 2.5 times more unpaid household and care work than men.)

Sure there may be a lot of jobs going unfilled, but are they unfilled because the talent isn’t there? Or are they unfilled because the parameters for the average job are too narrow, demanding, and inflexible for today’s market?

Job Attractiveness
And let’s not forget that the perfect person for a role may not currently be out of work – they may already be in a job being well rewarded. It might just take a nudge from an extra bit of flexibility or a few more development prospects to get them to jump ship. This is another way that having a clear Employer Value Proposition truly benefits an organisation.

2. Represent the Underrepresented

Diversity isn’t just those protected characteristics that you report on the national census. Sure, our gender, our sexuality, our race, and our disabilities play a part in who we are, but so do our experiences, our knowledge, our upbringing, and our common sense.

Sometimes, when reading between the lines of some job specs, the employer clearly wants someone who has walked in the existing team’s exact same shoes. This is naturally going to shrink the pool of candidates that the employer considers viable.

Then, in order to address the lack of diversity this approach inevitably creates, employers sometimes actively seek out “diverse” candidates; though these candidates are still a carbon copy of the rest, just different in regards to their race, gender, or LGBTQIA+ status.

I argue that the best candidates for roles – especially ones in fields like security that require critical thinking and a fresh approach to risk – are often the polar opposite of what has come before. This may be someone who comes from a different upbringing, has a different outlook, and who has had different lived experiences.

Lots of employers want candidates to go beyond the job spec – but they are not willing to go beyond it themselves.

Security isn’t a field that should be dominated by “yes men” and “the same old, same old”. There are people out there who haven’t had the chance to get in front of certain stakeholders or be in certain positions of power, simply due to direct and indirect discrimination they have faced relating to who they are. End the cycle. Involve them.

3. Take a Long, Hard Look at Your Hiring Practices

Sometimes, hiring processes are doing some of the damage.

Nearly a third of cyber professionals felt that the HR departments at their firm “exclude strong job candidates because they don’t understand the skills necessary to work in cybersecurity”. It’s entirely possible that these HR professionals are just searching for certain key terms within applications when it comes to qualifications, tools, and experience.

This approach doesn’t pick up on a candidate’s transferable skills, their potential, and their softer abilities. Hiring simply becomes a tick-box exercise – the ultimate “computer says no” hiring!

Of course, not all HR personnel are like this – many are conscientious and go to lengths to understand what hiring managers are after. But if you’re currently struggling to hire any kind of highly specialised personnel, it might be worth exploring how much your HR teams actually know what to look for in those roles.

Other times it’s not a matter of knowledge. It’s simply that HR teams are desperately overworked and don’t have the physical capacity or mental bandwidth to do anything other than Ctrl+F when it comes to narrowing down lists of candidates – especially for roles they don’t understand.

When HR problems like these aren’t addressed, sometimes the wrong people get hired, the whole organisation suffers, and it only gets worse as time goes on. In this situation, it can help HR teams to have specialist recruiters on speed dial. You don’t have to use us all of the time for every applicable role, but we’re a great “in emergency, break glass” measure when filling a role is getting tricky.

4. Focus on Employee Retention Rather than Onboarding

With the widespread spate of tech layoffs that plagued early 2023, it’s understandable that tech employees up and down the chain of command are keen for job stability.

To vastly oversimplify what happened, many tech firms enjoyed vast growth in the late 2010s – and the Covid-19 pandemic also fuelled further growth in tech as many of us worked from home or used the internet to pass our furloughed time.

From our article on the subject of the 2023 layoffs:

“Within many of these companies, more hands were needed to fuel new (possibly pandemic-related) profits; often quite quickly, and therefore without much forethought. So technical hiring managers might have been given somewhat of a blank cheque to make sure the techy lights stayed on – which resulted in them soaking up tech talent like a sponge.”

But what goes up, must come down. With the rocky economic climate that 2023 presented, these boom hiring practices suddenly didn’t align with the year’s largely bust economics. These companies found themselves vastly oversubscribed, and jobs therefore had to be shed.

If those companies had hired more cautiously and strategically, thinking about the sustainability of their hiring decisions rather than hoarding employees like Scrooge McDuck hoards gold coins, they would be in a very different position today.

Sure, you could argue that they may have been unable to grow as rapidly without the sheer number of people on their roster. But when people’s livelihoods are in the balance, stability is more important than growth. So as far as hiring is concerned, keep an even keel through the inevitable cycles of boom and bust. Don’t let an increased budget burn a hole in your pocket!

Granted, sometimes security personnel are suddenly needed because an incident has occurred and the organisation needs more hands on deck. But even when you’re hiring in a reactive environment, what job security are you offering those employees once the crisis is over? How are you willing to invest in them? If you’re not sure there will be a job for that person in a year’s time, then why should any applicant looking for stability even bother applying?

All employers can learn from the twin morals of the 2023 tech layoffs story: only employ people when you really need to, and invest in existing job retention and progression rather than simply getting more butts in seats. Once they’re on your payroll, prioritise their wellbeing to keep them there.

5. Address Common Cyber Retention Problems Within Your Organisation

According to 2022 Trellix research, over a third of the global cyber workforce plans to change professions due to sector-specific frustrations, further fuelling the security staffing crisis. 36% of respondents reported a lack of recognition for their work – something that is actively driving 12% of respondents out of the industry.

ISACA’s 2022 State of Cybersecurity research is equally damning. It asked respondents what factors they feel are causing cybersecurity professionals to leave their current jobs. The top response was simply finding employment elsewhere, but beyond that, respondents answered “poor financial incentives – e.g., salary or bonuses” (48%), “limited promotion and development opportunities” (47%), “high work stress levels” (45%), and “lack of management support” (34%).

These are all internally solvable issues that are spilling over to create problems for the whole industry. What are you doing to show your appreciation for an often underappreciated department? How well are you incentivising those who keep your organisation safe from harm? And how are you supporting them to be their best?

Conclusion

Simply increasing cyber headcount doesn’t address the real issues I feel are eroding the cyber workforce: poor job satisfaction; poor hiring practices; lack of diversity; and inflexible, demanding job specifications.

If you’re an employer or hiring manager and some of the above points feel a little too familiar for comfort, I implore you to take a cold, hard look at how you are employing cyber personnel and engaging with your existing security teams.

Change isn’t some far off prospect here. We simply can’t kick the can down the road until more cyber personnel come on board. Change starts now, with you.
