The cybersecurity skills shortage has been going on for years, and it's getting worse, with a rising number of firms citing the issue.
Nearly three-quarters (71%) of IT and cybersecurity professionals worldwide surveyed earlier this year said their organizations had been impacted by the cybersecurity skills shortage, according to a report from research firm Enterprise Strategy Group (ESG) and the cybersecurity professional organization Information Systems Security Association. That's a sharp increase from 57% who cited the skills gap in a study released by ESG in July 2022.
The worsening shortage has led to an increased workload for cybersecurity teams, unfilled open job requisitions and high burnout among staff, according to survey respondents. Nearly all of them said the cybersecurity skills shortage and its associated impacts have not improved over the past few years and 54% said it has gotten worse.
"While there certainly has been a [rise] in cybersecurity education programs, the skills shortage has gotten worse due to increasing demand for talent," said Jon Oltsik, distinguished analyst and ESG fellow. "Organizations need bigger staffs due to their growing IT footprint and the cybersecurity complexity."
So what can companies do to get more cyber talent when there are so few professionals to be had?
AI to the rescue?
Artificial intelligence, particularly generative AI, might play a growing role in easing the skills shortage.
"Since CISOs can't hire their way out of the skills shortage, they need to lean on three things: process automation, advanced analytics and managed services," Oltsik said. "Generative AI has the potential to help in all three areas."
Generative AI can help aggregate security data, suggest next steps to make enhancements and even take automated actions if configured to do so, Oltsik said. "This can improve staff efficiency and productivity," he said.
Gen AI can also piggyback on analytics engines to aid security analysts in areas such as alert triage and security investigations, Oltsik said. The technology can also help train cybersecurity analysts, he said.
"It should be noted that [gen AI] for security is still in its genesis stage and not widely deployed," Oltsik said. "Many CISOs I talk to remain skeptical and plan on taking a more pragmatic approach to adoption." This might change over the next 12 to 18 months, he added.
"As a cybersecurity professional, I would have to advise organizations to be extremely careful when using generative artificial intelligence and ensure that whatever form of AI or machine learning that is considered be a mature product or solution," said Candy Alexander, the immediate past president of ISSA International and CISO and practice lead at business management consultancy NeuEon LLC.
Gen AI and large language models "are still very much in their infancy and are known to have bias," Alexander said. "Imagine the possibility of manipulating some of the [gen AI applications] and LLMs with corrupt knowledge pools."
Still, there is potential for gain. "I believe this is an area to watch and perhaps experiment with," Alexander said. "It is tough to verify [gen AI] and LLM at this point. It's kind of like the Wild West at the moment."
Others are more favorable toward AI as a solution today.
"Generative AI could help organizations bridge cyber security skills and talent shortages with on-the-job training and as a virtual team member," said Jason Shockey, senior vice president and CISO at mortgage servicer Cenlar FSB.
Let's say an organization has an inexperienced member of its cyber team, which is a common scenario, Shockey said. Cyber security trainees require hours of coaching and mentoring to be effective and deliver results. From time to time, senior team members are unable to mentor because they must focus on their own tasks and leave the inexperienced workers to themselves.
"Generative AI could be leveraged to increase the knowledge and work rate of those inexperienced people, by completing repetitive tasks and revealing knowledge blind spots — like a job aid or virtual cybersecurity mentor," Shockey said.
Generative AI could also be used as a virtual team member when there's a personnel gap, Shockey said. "For example, an organization's cyber team just lost their lead security architect and are finding it challenging to backfill that gap," he said. "The team could bridge that gap by letting generative AI evaluate data and review architectures from a security perspective. In other words, you can treat generative AI as a virtual member of the cyber team."
Addressing the shortage through training, better pay
Another thing organizations can do to attract more security talent is to make the jobs they need to fill more appealing to candidates. A good place to start is pay. Fifty-nine percent of ESG survey respondents cited increasing compensation as a way to be more competitive in attracting talent, "so it's clear that security pros are often underpaid," Oltsik said.
Aside from money, organizations can offer to pay for incentives such as certifications and travel/expenses at industry events. The research shows that professionals want continuous training and career development, Oltsik said.
Human resources teams and recruiters often post unrealistic job requirements for cyber jobs, such as entry-level positions requiring five years of experience, Oltsik said. "Security pros believe that it's important to cast a wider net, find talented individuals with good analytical and problem-solving skills, and train them accordingly," he said.
Casting a wider net can include looking more broadly within and outside the organization, beyond those who are security experts.
"In order to maximize the organization's potential to close their cyber talent and skills shortage, outreach to all people in the [organization] is required," said Shockey.
"That wider cast net makes it more likely to find the needed cyber talent," Shockey said. "If the existing workforce is small, no problem. Offer external viable candidates the opportunity to get assessed and matched to see if they're a good fit" for the organization's security team.
CISOs and other cybersecurity leaders need to make sure that senior business executives grasp the importance of acquiring the needed skills.
"It appears there is misalignment of the security strategy," at organizations, said Alexander. Business leadership doesn't fully understand the function of cybersecurity and what skills are needed to fill positions or to simply keep up with technology, she says.
"It's kind of like having a fighter jet that gets updated every couple of years, and if the pilot isn't trained [or] certified to fly it, it can be dangerous," Alexander said. It is important that business executives continually talk with cybersecurity leaders and for cyber leaders to communicate to business leaders, including HR, in business terms, she said.
