Australia's recent budget ushers in the nation's ‘biggest ever' cybersecurity spend, with $10bn pledged to see electronic spy agency Australian Signals Directory (ASD) double in size and ramp up its ability to launch offensive cyber operations.
That's great news for the IT industry, but the expansion will also likely usher in massive demand for cybersecurity jobs.
Already, the increase in cybersecurity incidents has more than doubled the demand for cybersecurity professionals. Some sources state that around 3.5 million cybersecurity jobs will likely go unfilled worldwide between 2022 and 2025.
Considering the impact of cybersecurity incidents and the number of open jobs, why is it so difficult to staff cybersecurity professionals?
So let's dissect the scarcity problem.
On the surface, it seems as though there are not enough qualified professionals to fill all the job requirements. But let's dig deeper. By the end of 2021, it was estimated that there were 1,053,468 employed cybersecurity professionals and 597,767 job openings. Organisations often look for the following four cybersecurity roles:
1. Cloud Security: Focuses on implementing and managing the security of critical assets in cloud environments.
2. Security Analysis and Investigation: Focuses on in-depth analysis of threat intelligence and security event artifacts for proactive investigations.
3. Application Security: Focuses on developing and configuring mobile and web application code using secure coding best practices and monitoring.
4. Security Orchestration and Automation: Focuses on leveraging machines to help prioritise and drive process standardisation for cybersecurity operations.
It can be tough to find a suitable candidate with the right combination of skills, certifications (depending on your industry), and experience. The practitioners that have the opportunity to raise skill levels and deploy creative solutions are sought out by some of the world's top employers who can afford to offer higher pay and other benefits, making it hard for smaller organisations to compete. This also leaves these smaller organisations struggling to fill available roles due to budget and resource constraints.
But it's also the case that employer expectations may be unrealistic. Although numerous data and stats show the scarcity of skilled workforce in the cybersecurity industry, the hiring process is also to blame. Hiring managers and recruiters often miss collaborative opportunities to set realistic expectations, understand the technical discipline required, and post job descriptions tailored to suitable candidates.
Organisations should consider the skills gained through personal pursuits and not only the years of professional experience. Furthermore, organisations prefer candidates with experience overpotential, which is not scalable for our industry.
What will be the repercussions of the talent shortage? Open roles affect team members who are already at the organisation. As the complexity of cyberattacks increases, the complexity of deploying, configuring, and managing security solutions increases too.
These security solutions create multiple alerts and, if not tuned properly, will flood teams with false positives and cause what we call ‘alert fatigue'.
Alert fatigue is when a team or member who is already stretched thin may not be able to handle the influx of alerts and is likely to experience team members' burnout. Those burned out security practitioners will likely make more mistakes. In this way, organisations suffer at the hands of the very problem they created.
So how do we combat the cybersecurity skills crisis?
Today, the crisis affects over 57% of organisations. It's challenging to fill the workforce shortage without organisations changing their hiring strategy. The sizable ones should look for alternatives.
For instance, a cybersecurity team member can provide guidance and help develop a robust cybersecurity program. In addition, hiring managers can focus on assessing aptitude rather than exclusively testing skills. Some vendors might even offer interested candidates the opportunity to learn and receive mentorship outside of the workplace and provide continued education to new team members.
Organisations ready to take major steps toward filling open cybersecurity roles should:
1. Encourage cybersecurity education and provide required certification courses to support professionals at all job levels.
2. Eliminate pay gaps and provide more flexible working conditions.
3. Diversify management and hiring team practices for providing essential guidance to interested candidates.
4. Promote and encourage women, minorities, and under-represented groups who have the required qualifications for leadership roles.
5. Implement cybersecurity automation to help refocus human efforts and reduce the daily workload.