Cybersecurity skills gap widens again

A global survey of 409 C-level executives published by the World Economic Forum finds the cybersecurity skills gap expanded by 8% last year, creating an estimated gap of 4.8 million cybersecurity positions that are not likely to be filled. Only 14% said they have the right level of cybersecurity expertise required in their organization.

More troubling still, nearly 60% of respondents said geopolitical tensions have affected the cybersecurity strategy by, for example, requiring them to modify their insurance policies, switch vendors, adjust trading policies, or cease doing business altogether in certain countries. Nearly 70% said they find existing regulations are too complex or convoluted.

Additionally, two-thirds of respondents said they expect the rise of artificial intelligence (AI) to impact their organization’s cybersecurity strategy, but only 37% said they have the tools needed to accurately assess that risk.

In the meantime, 42% said their organization was hit by successful phishing, vishing, deepfake and other social engineering attacks in 2024.

Hopefully, as advances in AI continue, these types of increasingly sophisticated social engineering attacks will become easier to thwart. The only way to win that battle will be to rely more on AI to augment the cybersecurity expertise that is available. The days when a message full of typographical errors written by a supposedly Nigerian prince that needs some help transferring funds out of his country are long over. A different approach that relies more on advanced analytics to, for example, verify the source of a message is required.

Cybersecurity professionals can also take some comfort in the fact that C-level executives finally have a greater appreciation for the modern risks the organization faces. That may not always result in additional funding, but it should at the very least result in a more rational conversation about how that funding is being allocated. There is always a tendency to keep allocating too much funding to legacy technologies even as the threats an organization faces evolve.

Unfortunately, too many organizations are also learning this lesson the hard way, as the volume of cyberattacks only continues to increase. In fact, the velocity of those attacks has now reached a level that it is all but impossible to successfully defend against them without relying on automation.

Theoretically, investments in automation should also reduce the level of burnout experienced by cybersecurity professionals. One of the big reasons there are so many vacancies is the fatigue rate among cybersecurity professionals remains too high. The more tedious cybersecurity tasks are, the more likely it becomes that a cybersecurity professional will conclude the field doesn’t have enough to offer when there are so many other areas that pay as well or, in some cases, better.

Of course, unlike many of those other fields, cybersecurity professionals know they make a difference every day. Unfortunately, those efforts are not often recognized. Worse yet, senior business and IT leaders still tend to only really focus on cybersecurity when there is a major incident, and at that time they all but forget how well the organization has been defended up to that point.

Alas, the simple truth is that nearly five million additional cybersecurity professionals will not be found and trained any time soon and to be candid, things may get worse before they might get better. Cybercriminals are already making extensive use of AI to craft phishing attacks that are difficult to detect, while at the same time the deep fakes being created are steadily improving. Cybersecurity may be a thankless job, but the need for the everyday heroes that ensure it has never been greater.