Uncertainty hits the cybersecurity jobs market
Hunters Race / Unsplash
Despite forecasts of healthy demand for cybersecurity skills, workers see more cuts and a more intense hiring process in their futures.
Every year, industry associations publish data indicating that demand for cybersecurity workers continues to be strong. 2023 was no different.
In October, there were only enough cybersecurity workers to satisfy 72% of the demand in the United States, with more than 570,000 cybersecurity job openings listed over the past 12 months, according to data collected by the cybersecurity jobs site Cyberseek.org, which estimates a total US cybersecurity workforce of 1.2 million. Globally, the cybersecurity workforce grew nearly 9% to 5.5 million in 2023, but the gap in needed workers continued to grow as well, with an estimated 4 million workers needed to satisfy cybersecurity demand, according to an annual report by certification body ISC2.
Overtaxed security teams, however, do not necessarily mean enormous opportunity for prospective cybersecurity specialists. Some job seekers and cybersecurity experts have questioned whether the "cybersecurity shortage" equates to more cybersecurity jobs. In particular, companies appear to be looking for ideal cybersecurity professionals, leaving workers — even technical job seekers — without offers, said Ben Rothke, a New York-based information security manager who has penned criticisms of rosy cybersecurity outlooks.
"A lot of companies are trying to find people who just don't exist, saying that they need someone with application security, network security, cloud experience," he said. "Those are job reqs for three people, not one."
The disconnect between employers and job seekers means that turning willing workers into employable cybersecurity specialists will continue to be difficult in 2024, said Tim Herbert, chief research officer at CompTIA, an education and certification organization and one of the three groups responsible for Cyberseek data.
"The hiring employer may see the situation as a shortage of viable cybersecurity candidates, while job candidates may see it as an unattractive or over-spec’d position," he said. "Compensation disconnects are especially challenging among small and medium-size employers and certain industry sectors that may never be in a position to pay market premiums for in-demand cybersecurity talent."
Strong demand, in theory
Cybersecurity is often a bright spot in the labor landscape — at least on paper. While more than a third of certified information-security managers (36%) felt their cybersecurity team was adequately staffed, 59% considered their team to be significantly or somewhat understaffed, according to the State of Cybersecurity 2023 report published by ISACA, an information-security and technology certification organization. The vast majority of CIOs (80%) plan to increase their investment in cybersecurity in 2024, the No. 1 planned budget increase, according to a survey of technology executives by business intelligence firm Gartner.
Figure 1 - Nearly six-in-ten companies consider their security teams to be understaffed. Source: ISACA
Yet, by most accounts, 2024 will be a more challenging hiring environment for cybersecurity workers. While economists no longer consider a recession to be the most likely result of the past 18 months of rate increases, companies have slowed hiring and become more conservative, even as the likelihood of an economic "soft landing" has increased.
The cause of the disconnect between potential job numbers based on surveys and the reality faced by job seekers and employers is the difference between theory and practice.
Often, decision makers are optimistic in their cybersecurity staffing goals: Only 10% of executives expected to cut their cybersecurity workforces in 2023, for example. Yet, in reality, budgetary considerations and the view of cybersecurity as a cost center results in more strict budgets: Nearly half of security professionals (47%) suffered some form of reduction to their teams, such as budget cuts or hiring freezes, with 22% of cybersecurity professionals seeing layoffs, according to the ISC2's workforce report.
The disconnect comes in what decision makers and workers "want" versus what the company can afford and cybersecurity professionals can accept, said CompTIA's Herbert. Surveys often ask whether technology-business decision makers feel they need more full-time employees. The shortfall represents a perfect world where every executive could hire cybersecurity staff without thinking about budget and prioritization over other technical positions.
On the other hand, job seekers have unreal expectations as well. Workers see the large salaries offered by top technology firms and expect to find a job with that level of compensation, Herbert said.
"Certain segments of workers do need to be mindful of their expectations," he said. "While their first choice may be a venture-funded Silicon Valley unicorn, the immediate option may be an insurance company based in the Midwest."
Companies need to invest in workers
Another problem is that the U.S. approach to cybersecurity training has been scattershot, with credentialing groups pushing more education, most companies requiring college degrees, and bootcamps and non-university programs falling short of goals. The cybersecurity-training pipeline for entry-level workers, as it exists today, has multiple points of failure, said Will Markow, vice president of applied research for labor-market analysis firm Lightcast, another source of data for the Cyberseek.org site.
For example, 73% of job postings for entry-level cybersecurity positions still require a four-year degree or higher, according to CompTIA.
"For a long time, IT educators and training providers didn't have great information about how to prepare workers for careers in cybersecurity, and there wasn't a clear training pipeline between an educational program and a career in cybersecurity," Markow said. "I think there's still a lot of work that needs to be done working with employers to educate them on how to be responsible recruiters for cybersecurity workers."
Workers are already looking to learn the latest cybersecurity skills. In 2023, system security ranked as a top-10 skill for learners on Coursera, while cybersecurity skills account for half of the Top-10 learned technical skills, according to the company's Job Skills of 2024 report. System security leads the packs, with computer security incident management, cyberattacks, security software, and security strategy all in the top-10 trending tech skills for 2023.
"Cybersecurity evolves faster than traditional learning pathways can keep up with," Nancy Hammervik, chief workforce solutions officer for CompTIA, said in a statement. "It is a significant challenge, but also a promising opportunity. A growing number of employers are considering and hiring job candidates who travel alternate career pathways, but have the knowledge and skills required to succeed in cybersecurity roles."
Are security experts fundamentally different?
While technical security experts are in demand, companies need to make sure that they have a long-term need for such professionals.
Often, companies that look to hire very technical security people will often face a retention battle, said Lee Kushner, a former technical and cybersecurity recruiter of more than two decades. Technical experts often do not want to be managers, they just want to be technologists and solve interesting security problems. After they solve a particular issue, the company will be paying a significant salary to a person who is no longer needed, he says.
"You have a model that, I think, is generally flawed," he said. "Because we're geared towards the permanence of employment with security professionals, and quite frankly, I'm not quite sure that the technical nature of [some] security jobs are really geared for permanent employees."