Although the cybersecurity skills gap has been well documented over recent years, the demand for cybersecurity skills has increased. A recent report by the UK government’s Department for Digital, Culture, Media and Sport showed that more than half of UK businesses are lacking basic skills.
The authors state that “the people responsible for cyber security in these businesses lack the confidence and support they need to perform the basic tasks set out in the government-endorsed Cyber Essentials program.”
This includes tasks such as setting up firewalls, protecting personal data, and detecting and eliminating malware. A third of companies had more advanced skills in tasks like penetration testing and forensic analysis.
The most alarming aspect of the report is that the figures for basic cybersecurity skills have not changed over the four years the government has been collecting data. The authors claim that, in fact, the number of companies lacking incident management skills has increased over the past four years.
The authors state that “the qualitative evidence continues to indicate, in line with previous years, that management boards (outside of the cyber sector), lack an understanding of cyber security.” The interviews reveal a knowledge gap among the C-suite decision makers tasked with monitoring cyber security.
Similar results were also found in the global cybersecurity workforce study by (ISC)². This study showed that the global cybersecurity workforce needs to grow by approximately 65% to be able to protect organizations from the increasing number of cyberattacks.
Nearly 5,000 cyber professionals were surveyed by the researchers to better understand the range and depth of cyber talent available to organizations and the supply in relation to demand.
The authors state that for 2021, they estimate there will be 4.19 million cybersecurity professionals in the world. This is an increase of over 700,000. The Cybersecurity Workforce Gap, on the other hand, is the number of cybersecurity professionals organizations require to properly protect their critical assets. The gap has fallen for the second year in a row, to 2.72 million, compared to 3.12 million last year.
According to the researchers, organizations must increase the number of cybersecurity workers by approximately 65% if they are to protect their critical assets. Surprisingly, 77% of people who work in this sector say they are happy with their jobs. This represents an increase of about 10% over the same figure in 2019. This may have contributed to the 30% increase in cyber professionals in the US in 2021. However, it is not enough.
Filling the gap
How are companies responding? According to a UK report, around three quarters of cyber companies provide training for employees in cyber roles. However, this drops to only 1 in 5 in organizations that are not in the cyber sector. Only 12% of the 20% that provide training for staff say they have met their needs.
According to the authors, there is a low level of training for key cybersecurity certifications such as Certified Information Systems Security Professional (CISSP), Cisco Certified Network Professional and Cisco Certified Network Associate. Organisations complain about the lack of time to attend cybersecurity training. This is especially true when it takes away time that could have been spent earning income.
Non-cyber companies also have to be aware of cybersecurity training paths. There is also a lack of professional development routines and cultures for digital employees. Combined with low-quality cybersecurity training from the outside market, it is clear that there is a lack of training and development.
Employers responded by offering self-guided training, mentorship, and work shadowing. However, it is rare for non-cyber organisations to offer cybersecurity training for staff who are not IT professionals. Only 11% of respondents reported doing so within the past year. The figure was lower than 50% even in larger organizations, which might be considered more at-risk (and have higher budgets). This created a false impression that cybersecurity training was not necessary for staff.