Is the cybersecurity skills gap finally shrinking?

(ISC)2’s 2020 Cybersecurity Workforce Study reveals only 18% of respondents reported an increase in cybersecurity incidents in the switch to home working.


Cybersecurity teams have come under huge pressure in 2020 as office workers have switched to home working during pandemic lockdowns. Amid the confusion, criminals have ramped up attempts to target home workers as they seek to penetrate secure corporate networks.

However, new research suggests that cybersecurity staff have scored considerable successes in keeping security protocols in place while protecting organisations from cyberattacks during the switchover.

“Cybersecurity teams rose to the challenge and solidified their value to their organisations,” says Wesley Simpson, chief operating officer of (ISC)2, a global body which runs training and certification for cybersecurity staff.

His comments reflect the findings of (ISC)2’s 2020 Cybersecurity Workforce Study, which surveyed 3,790 cyber professionals globally between April and June this year. The study reveals that the majority of cybersecurity staff believe the security of their organisations was not compromised by having a remote cybersecurity team. More than nine out of ten said their organisations were well prepared for the shift to home working and just 18% of respondents reported an increase in cybersecurity incidents in the switch to home working. Some 54% said the number of incidents stayed the same as before remote working.

(ISC)2’s survey also quizzed respondents on how they handled the switch to home working during the pandemic. After lockdowns were announced, some 30% of cybersecurity professionals report that they were given a deadline of one day or less to transition staff to remote working and to secure those environments. Just under half were given two to seven days while about 15% were given longer than a week.

“The response to Covid-19 by the community and their ability to help securely migrate entire organisational systems to remote work, almost overnight, has been an unprecedented success and a best-case scenario in a lot of ways,” says Simpson. 

A shrinking skills gap

A striking finding of this year’s survey is that the skills shortage in the cybersecurity workforce appears to have shrunk for the first time. The survey shows that the industry has grown massively over the past year, recruiting an extra 700,000 staff worldwide since 2019, swelling the ranks of cybersecurity professionals in 2020 to 3.5 million globally, a 25% year-on-year rise. The cyber industry’s high-profile recruitment drive over the past decade appears to be paying off and has attracted waves of new cyber professionals.

(ISC)2 has long argued that a significant gap has opened up between supply and demand of cybersecurity professionals, with the staff shortage growing annually. Left unchecked, this could lead to organisations becoming overwhelmed by cybercriminals as they struggle to hire security staff. The workforce gap and skills shortages are a huge headache for the cybersecurity industry so news that the gap is shrinking will be welcomed.

Globally, the study estimates there is a shortage of 3.12 million professionals – a shortfall of under 50% of the current workforce – compared to a shortage of 4.07 million staff last year. A factor in this has been an increased supply of qualified cybersecurity staff entering the field as high salaries and growing demand over the years have attracted a higher number of recruits.

Within the global picture, the Asia-Pacific region has by far the greatest shortage of cybersecurity professionals, with a lack of some 2.045 million recruits. Japan, which employs some 226,000 cybersecurity staff, lacks 92,466 cyber professionals. South Korea, with over 232,000 staff, needs another 44,102.

Latin America is the region with the second-highest labour force gap, where some 527,000 recruits are needed. Brazil, which employs over 626,000 cybersecurity staff, has a shortage of 331,000. The US employs nearly 880,000 staff and needs another 360,000, the study says.

Increased interest amid a changing industry

The industry continues the fight to attract more talent, running ad campaigns and launching educational drives in schools and universities highlighting the opportunities available for those working in cyber.

Emily Orton, chief marketing officer at UK-based cybersecurity company Darktrace, which offers AI software to beat cyberattacks, says the pandemic has seen an upsurge in ransomware and the targeting of medical research. This has highlighted the skills shortage in the industry, she says. “Talking to customers all over the world – and we have them in 100 countries – I don’t know any who don’t find the skills shortage problematic,” she says.

But she believes the situation is improving as more graduates show an interest in cybersecurity careers.

At the same time, the requirements of the industry are changing, and it is becoming less technically demanding. This opens up recruitment to graduates from a range of backgrounds including humanities. “Cybersecurity roles need more communication and business strategy skills because technology is doing a lot more of the heavy-lifting in the manual and repetitive tasks, such as triaging threat alerts and cross-referencing them across networks. A lot of the in-the-weeds technical work is being automated,” she says.

She gives the example of Darktrace’s AI Analyst technology which analyses threats automatically and even writes up reports for managers using natural language. “You are getting humans adding value where they do it best – in longer term strategy decisions,” she says. “The skills are changing. Nevertheless, we need more people in this field.” 

A factor which has greatly aided cybersecurity staff during the switch to remote working is strong support from senior management. Some 67% of respondents to the (ISC)2 survey said they felt senior managers understand the importance of cybersecurity in remote working. However, many professionals said they were aware of colleagues who had been affected by lay-offs and short-time working because of the pandemic, while 19% reported that they had their salary reduced and 17% had hours cut.

Cybersecurity teams have had to work harder with the shift to homeworking, but have had fewer resources to hand as companies make cuts because of the pandemic-induced recession. More than half of the respondents expect their organisations to make cuts to technology and personnel budgets over the coming year because of revenue losses caused by Covid-19. As one participant said: “Cybersecurity has always been a value-added item in the budget when there was extra money. We were doing good to hold the line within my organisation until Covid-19 came along.”

Declining budgets may have played their part in reducing the skills gap this year since demand for cybersecurity professionals has reduced as companies cut back on spending. But when the pandemic recedes, the cybersecurity industry will need to hire a whole new generation of professionals to keep the world safe from cybercrime.