Dive Brief:
- The global cybersecurity workforce is at an all-time high, with an estimated 4.7 million people in the profession, but it’s still 3.4 million short of what businesses need to adequately protect against increasingly complex threats, according to the (ISC)² 2022 Cybersecurity Workforce Study. Although the cybersecurity workforce added 464,000 jobs in the past year, an 11% increase, the gap between demand and supply is growing much faster, at a 26% year-over-year rate, the study found.
- Organizations that train internal talent, such as by rotating job assignments, implementing mentorship programs and encouraging employees outside of cybersecurity to join the field, were least likely to have staffing shortages, the international association of certified cybersecurity professionals noted in the study. Outsourcing helped only slightly, according to the 11,779 practitioners who responded.
- When it comes to hiring, cybersecurity managers can’t work alone, (ISC)² emphasized. While hiring managers know best what kinds of candidates to look for, HR managers are more likely to have the expertise on finding and attracting those candidates, (ISC)² explained. Organizations where HR and hiring managers did not have an effective working relationship were more than 2.5 times as likely to have significant staffing shortages, the study found.
Dive Insight:
Cybersecurity is a highly technical skill, and shortages are most acute in aerospace, government, education, insurance and transportation, according to the study. Even so, the challenges HR professionals face in filling cybersecurity roles are common to all industries and echo what HR pros face across the board.
For example, the study highlights how upskilling internal talent may be a viable way to reduce staff shortages. Gen Z, who seem hungry for L&D, should find the strategy attractive. A 2022 LinkedIn report on workforce confidence indicated that learning opportunities are a top factor in Gen Z’s job hunt.
It also may be imperative to upskill current cybersecurity staff: Nearly one-third (30%) of those who responded to the (ISC)² study indicated they left a job within the past two years due to the lack of opportunities for advancement or career growth.
In fact, one of the most important things HR professionals and company leaders should be doing right now is investing in their cybersecurity teams at all levels, (ISC)² CEO Clar Rosso emphasized in an email to HR Dive.
“Team members of different ages and experience levels need different levels of support from their organizations,” Rosso wrote. This includes investing in “professional development, mentorships, flexible work arrangements and career pathing,” she explained. “For example, encouraging people to pursue and accomplish new professional milestones like earning certifications, as well as recognizing these achievements, helps to keep people engaged for a long time,” Rosso added.
Employers should also “promote cybersecurity awareness for the entire organization so that everyone can play their part and not put all the weight on the shoulders of the cyber team,” she noted.
Making diversity, equity and inclusion a priority is another must-do, Rosso said. According to a report from the Aspen Institute, the cybersecurity industry has not done a good job of addressing its “overwhelming white-ness and male-ness,” Cybersecurity Dive previously reported. Given the profession’s “profound demographic shifts in age, gender, race and ethnicity,” as the (ISC)² study found, HR and hiring managers need to expand their perspective on potential staff.
In particular, nearly half (49%) of cybersecurity professionals under 30 identify as non-White, the (ISC)² study revealed. It also found that cybersecurity workers under 30 want their teams to be diverse, and organization diversity initiatives had the second biggest impact on how they rated their employee experience, or “EX” (e.g., engagement, burnout and sense of being fairly evaluated, among other factors).
In turn, worker experience seems to affect the bottom line: 68% of employees with a low EX said workplace culture impacts their effectiveness in responding to cybersecurity incidents. That’s an obvious concern in light of the increased risk of cyberattacks due to current world events and behavior by some remote employees that makes a company more susceptible to breaches.
HR professionals play a critical role in ensuring that a company’s cybersecurity staffing needs are met, Rosso pointed out. HR’s collaboration with cybersecurity hiring managers — through regular check-ins to discuss and develop realistic and achievable job descriptions — is key to attracting the right talent, she said. By frequently communicating with team managers, HR can help with relationship building and provide insight into what is working to attract and retain individuals, Rosso added.
