
The state of the cybersecurity workforce: New report reveals worrisome trends
Way back in 1999, I got my first real job in Silicon Valley at a company that was then called McAfee.com. (What can I tell you? It was a different time, when it seemed cool to add “.com” to your actual company name.)
I wasn’t especially looking for a job in cybersecurity, but that’s the industry I stumbled into, and I’ve had many occasions to be glad of it over the years since. For one thing, I get to feel genuinely good about what we do here at Barracuda, helping all kinds of organizations fight back against cybercrime.
For another thing, there’s pretty good job security. The cybersecurity business is fairly recession-proof. After all, no matter how the economy is doing, folks need security (but see below).
ISC2 Cybersecurity Workforce Study: Big challenges
Or so it has seemed for most of my career. Based on one of the findings of the 2023 ISC2 Cybersecurity Workforce Study, however, that may not be the case anymore.
The report’s subtitle is a pretty good summary of what the overall findings reveal: “How the Economy, Skills Gap and Artificial Intelligence are Challenging the Global Cybersecurity Workforce.” Or, as the Executive Summary begins, “Cybersecurity professionals are facing greater pressures than ever that diminish their ability to defend institutions and organizations around the world from ever-increasing threats.”
Insufficient growth
The study—based on a survey of nearly 15,000 cybersecurity pros around the world, along with government statistics—found that in 2023 the global cybersecurity workforce grew by 8.7%. But that wasn’t enough to close the gap between available workers and the number needed, which grew by 12.6% compared to 2022.
The availability gap is not distributed evenly around the globe, not by a long shot. Latin America, Australia, Singapore, the Middle East, and parts of Europe all saw the gap decline, most by double digits.
The biggest growth in that gap was found in Canada, the UK, Spain, India, and—with a shocking 97.6% growth—Japan. (Looking for cybersecurity work? You might want to brush up on your Japanese.)
Not immune to cutbacks
Did I say something about job security? Yeah, no. Nearly half of respondents have seen their teams affected by layoffs, budget cuts, and hiring or promotion freezes.
Industries with the fewest layoffs include government, education, and aerospace. The most cybersecurity layoffs were in entertainment/media, construction, and, well, security software/hardware development.
(This seems like an appropriate place to give a quick shoutout to Barracuda, which weathered the Covid lockdown and subsequent economic slowdown without resorting to layoffs. And now we’re hiring.)
Respondents also reported that these cutbacks have resulted in increased workloads, decreased morale, decreased ability to prepare for future threats, increased skills gaps, and increased insider risk-related attacks.
Insider attacks
Here’s something to think about: 71% of respondents said that economic uncertainty makes malicious insider attacks more likely. Indeed, 39% of cybersecurity pros either have been approached by a malicious actor or know someone who has.
Most important, those working at companies with cybersecurity layoffs are three times as likely to have been asked to act as a malicious insider.
Cloud, AI/ML, Zero Trust skills most in need
Unsurprisingly, the biggest skills gaps for the cybersecurity workforce are in the areas of cloud computing, artificial intelligence/machine learning, and zero trust implementation.
In part, this is due to the novel threats and attack surfaces that emerging technologies represent. But it is also due to the fact that AI and zero trust are expected to have a positive effect on overall cybersecurity preparedness.
The (somewhat) good news
The study concludes on a fairly positive note, reporting that a majority of respondents say that the negative impact of worker shortages can be mitigated by closing skills gaps. Companies that encourage workers to pursue ongoing training, education, and certifications with reimbursement programs were better able to get through times of economic uncertainty, even if they had layoffs.
It should be noted, of course, that ISC2 (the International Information System Security Certification Consortium) is a nonprofit whose main focus is on providing training and certification programs for cybersecurity professionals.
Summing up
There is a lot more in the report than I’ve covered here, both in terms of high-level findings and detailed breakdowns. It’s definitely worth your time to download and read the whole thing.
But already we can list a couple of practical takeaways.
As an organization facing economic uncertainty, you should absolutely prioritize minimizing cutbacks to IT security organizations. And even if cutbacks and layoffs are unavoidable, be sure to continue investing in professional training of your security staff in order to gain the skills most in demand as new technologies transform the threat landscape.
As an individual cybersecurity pro, having or acquiring the right set of skills is crucial. Once you have the skills to manage cloud security, AI and machine learning, and zero trust implementation, you’ll be one of the most in-demand professionals in the world. Especially in Japan.