A large gap remains between the number of open cybersecurity positions and the tech professionals needed to fill these roles. Now, new research details how this ongoing issue imperils security, with 90 percent of organizations reporting they experienced a breach over the last year that they can partially attribute to a lack of internal cybersecurity skills.
The report, released in June by cybersecurity firm Fortinet, also found that 58 percent of IT decision-makers suggest the top cause of security breaches is IT and security staff who lack cybersecurity skills and training. Additionally, seven in 10 respondents noted that the cybersecurity skills shortage creates additional risks for their organizations—up from 68 percent that reported the same issue in 2022.
A major issue is recruiting enough talent, training staff, and retaining those tech pros who are of the most value to the organization. “[Fifty-four percent] of organizations say they struggle to recruit cybersecurity talent. These numbers are down slightly from 56 [percent] in 2022 and 60 [percent] in 2021, but recruiting candidates with cybersecurity expertise remains an issue for more than half of respondents,” according to the survey, which included responses from 1,850 IT and cybersecurity decision-makers in 29 countries including the U.S.
The survey results highlight an ongoing problem for organizations: Hiring enough skilled tech pros to fill thousands of open cyber positions as breaches, ransomware and other attacks increase and the cost of recovery skyrockets. The need is great enough that the Biden administration has prioritized hiring more workers from non-traditional backgrounds.
The results, however, remained mixed. “While many companies have diversity hiring goals, we aren’t seeing hiring numbers increase significantly among women, minorities and veterans,” said Rob Rashotte, vice president of global training and technical field enablement at Fortinet. “Despite 91 percent of respondents saying they prefer to hire candidates with technical certifications, 71 percent of organizations require potential new hires to hold a four-year degree.”
For tech professionals interested in cybersecurity, having the right hard and soft skills can help lower part of the barrier to getting noticed by organizations that need help securing their data, networks and infrastructure. As breaches increase and recovery efforts hit the bottom line, candidates who can upskill and tap into trends, including artificial intelligence (A.I.), stand the best chance of landing a position they want.
Cybersecurity Threats Call for a More Skilled Workforce
The Fortinet survey shows that companies unprepared for cyber threats put themselves at risk—both financially and with their reputations. The report noted that 87 percent of organizations surveyed experienced one or more security breaches in 2023, with more than half (53 percent) reporting over $1 million in lost revenues, fines and other expenses related to these incidents.
These threats drive the need for more experienced tech professionals, with 65 percent of the survey respondents reporting that they plan to grow their IT and security teams in response to these threats. The most needed skills include:
- Cloud security (46 percent)
- Cyber threat intelligence (37 percent)
- Malware analysis (34 percent)
“As organizations grapple with a surge in cyberattacks and data breaches, compounded by increasingly stringent regulatory requirements, the demand for robust cybersecurity defenses has skyrocketed,” Darren Guccione, CEO and co-founder at Keeper Security, told Dice. “This pressing need highlights the urgency for skilled cybersecurity professionals who can protect critical assets and ensure compliance. Business leaders face significant challenges in sourcing cybersecurity talent while managing distributed remote workforces and navigating this dynamic threat landscape.”
While certifications and technical skills are important, Fortinet’s Rashotte noted that soft skills such as writing and communication are also critical and a way to find talent in non-traditional areas.
“Organizations should be identifying candidates who possess the right soft skills and then using certifications to help them gain cybersecurity-specific knowledge,” Rashotte told Dice. “According to the report, most leaders are open to this approach, with 89 percent of respondents saying they would pay for an employee to obtain a certification.”
The report’s finding that a lack of cybersecurity skills creates more risks for organizations also underscores the need to find talented security professionals in other areas and upskill their abilities. “This finding underscores the importance of upskilling and reskilling existing employees, as well as the need for recruiters and hiring managers to take more creative and flexible approaches to recruiting new talent,” Rashotte noted. “Reexamining and revising education and training requirements for cybersecurity roles is a great place to start.”
Executive Buy-In
While security executives and CISOs understand hiring cybersecurity talent takes time and effort, it’s also important to get the buy-in of other C-suite members. The costs and risks associated with these incidents are powerful reminders for executive leadership that organizations need strong cybersecurity defenses, including a skilled staff.
“This [push for hiring] is often accomplished by demonstrating the cost of breaches and the increasing personal consequences for executives such as fines, job loss, etc.,” George Jones, CISO of Critical Start, told Dice. “This has led to a push for stronger cybersecurity investments to mitigate the cost of breaches, which often exceed $1 million, and the potential for severe reputational damage.”
Once that buy-in is there, security leaders need to identify candidates and pull them into the cyber organization.
“Bridging the cybersecurity skills gap requires a multi-faceted approach, including evolving hiring practices, emphasizing continuous learning and fostering stronger industry-academia collaborations,” George Jones added. “By understanding the financial and strategic importance of cybersecurity, organizations can make a compelling case to invest in the right people and resources.”
How AI Fits Into the Picture
Several experts noted that A.I. has the potential to address the cybersecurity skills gap by automating manual processes, allowing IT and security operations to focus on more strategic issues and creating better defenses.
“Currently, the cybersecurity industry faces a skills gap due to a shortage of professionals with the necessary expertise to handle evolving cyber threats,” Craig Jones, vice president of security operations at Ontinue, told Dice. “A.I. can alleviate some of this pressure by handling certain tasks, but it also requires professionals who not only understand cybersecurity but are also proficient in managing and interpreting A.I. outputs.”
While generative A.I. has the potential to automate tasks, Guccione noted that no technology can fully automate cybersecurity operations, and skilled workers who understand risks and can make decisions based on data are still needed.
“While A.I. can accelerate threat detection through advanced data analysis, it also has limitations that complicate implementation,” Guccione said. “Neural networks and large language models can provide believable and mostly accurate assessments, but they often lack the ability to explain rationale. Without that key piece of information, it’s risky for IT and security teams to make business-impacting decisions based on A.I. insights alone.”
The need to deploy A.I. for cybersecurity also drives a need for tech professionals who understand the technology and can incorporate it into cyber defenses. In time, this trend could cause another skills shortage.
“This transition may lead to a labor gap, where the demand shifts towards cybersecurity professionals adept in utilizing A.I. and machine learning alongside traditional cybersecurity skills,” Craig Jones noted. “This new requirement could potentially exacerbate the gap if current cybersecurity professionals do not adapt or if training programs fail to incorporate A.I. skills. The industry might face a situation where there are enough people interested in cybersecurity roles, but not enough with the right blend of A.I. and cybersecurity skills.”