What Talent Gap? Hiring Practices Are the Real Problem

Talk of the talent gap in cybersecurity continues, with ISACA, ISC2, and even the Biden administration releasing new publications addressing the problem. Indeed, the US alone has almost half a million open cybersecurity positions, and ISC2 estimates a shortfall of 4.8 million professionals needed to secure the world's computing resources.

However, all that the surveys and studies tell us is that the cybersecurity sector is inadequately staffed, not that companies are looking to hire or that there are no people to fill positions. What exists is a disconnect between companies and candidates over issues like pay and required certifications, as well as budgeting struggles within organizations.

The recent "ISC2 2024 Cybersecurity Workforce Study" quantifies the budget issue inside companies. "In 2024, 25% of respondents reported layoffs in their cybersecurity departments, a 3% rise from 2023, while 37% faced budget cuts, a 7% rise from 2023," the report states. That means fewer job openings and less money to fill those positions that are opened.

Among a sea of qualified candidates, job seekers are struggling to figure out how to stand out to recruiters and hiring managers.

"I do tons of networking," says Xavier Ashe, a job seeker with more than 30 years' experience targeting director-level and CISO roles. "That's allowed me to get a number of opportunities to interview, but the competition is tough. Everyone is looking, and there are a lot of great folks I'm competing against."

Hiring Expectations Are Misaligned

In a Dark Reading article on this year's "Service for America" cybersecurity push, Shane Fry, CTO of RunSafe Security, blamed the employment gap on large organizations' tendency to favor highly skilled cyber workers with college degrees.

"This can lead to some great candidates, but it also ostracizes a large group of folks that are so passionate about cyber that they picked up the skills on their own and don't have a degree to put on a resume," Fry wrote. "There's a ton of opportunities for businesses to provide on-the-job training and external training courses to get people from the fringes of cybersecurity into the cybersecurity fold."

CyberSeek, a joint project between tech certification organization CompTIA, labor market analyst Lightcast, and US federal cybersecurity program NICE, shows that external training might require better alignment between job seekers and hiring organizations. Its cybersecurity career heat map compares certifications held and certifications requested. Some certs, like CompTIA+ and Certified Information Systems Security Professional (CISSP), are overrepresented in the hiring pool, while others — such as Certified Information Systems Auditor (CISA) and Certified Information Security Manager (CISM) — do not have enough certification holders to meet employer demand.

CyberSeek illustrates a further misalignment in its Career Pathway graphic, which represents entry-level, mid-level, and advanced-level positions with circles proportionally sized to the number of job openings. All of the entry-level and all but one of the mid-level job types are tiny dots representing fewer than 7,000 jobs nationwide in the US; the big circles representing north of 24,000 job openings are out of reach of people making a career switch or just starting out.

Besides how the field tilts away from early-career job seekers, senior-level candidates are running into a different issue: disparity between what they expect to be paid for their experience level and what job listings offer. Budget cuts affect the hiring environment, even leading to layoffs, according to ISC2's study. "In 2023, the top causes for talent and skills gaps were an inability to find the talent or skills they needed to succeed," the ISC2 said. "But today, it's not about supply, it's about limited resources for hiring."

That matches Ashe's job-hunting experience. "The big companies are lowballing executive compensation," he says. "I turned down one offer this summer due to the pay cut I would have to take."

The ISC2 study found a 0.1% increase in global cybersecurity workers in 2024 over 2023. Compared to the 8.7% increase in 2023 over 2022, "This year's numbers suggest that hiring has slowed for 2023–2024," the study concludes.

If You Can't Hire, Improve the Tech

So if nobody is hiring entry-level people, and nobody can hire higher-level professionals because of salary requirements, how can an organization maintain its cybersecurity team? By keeping existing workers from jumping ship, says Steve Wilson, chief product officer at Exabeam.

One way to create a better working environment, Wilson says, is to make the workload less crushing by automating more. Machine learning algorithms analyze raw data as it flows through the network, continuously learning patterns of normal behavior and identifying anomalies. When a suspicious case emerges, traces of unusual activity are summarized and presented in natural language, making it easier for analysts to interpret the data without sifting through dense logs. This approach saves time and allows security professionals to focus their efforts where they matter most.

"It's about reaching the point where we can identify what's abnormal and worrisome, and then get that in front of a human analyst to take action," says Wilson. "That's where the real work starts and where the time saved becomes so valuable."

For the beginning analyst, these kinds of tools allow them to understand exactly what is suspicious about a flagged issue, in the process learning to understand the technical points, Wilson says. This gives Tier 1 analysts a chance to fix the problem themselves rather than escalate it to a Tier 3 analyst. By reducing escalations, the workload for Tier 3 analysts is eased, and they can use the LLM to search for obscure data points for tougher problems.

"It builds the skills for those younger ones because they can ask the dumb question without feeling like they're exposing themselves," Wilson says. "And then it frees up the time on those senior ones to actually go work the really tricky problems."

Notes Bryan Kissinger, CISO and senior VP at Trace3: "People get burned out when they're doing a job they don't like or their team around them is not supportive of work/life balance," he says. "The more repetitive and mundane activities ... a lot of that can be taken up by tools and automation."

The Right People, If You Can Keep Them

While poor salaries dropped as the reason cybersecurity talent left a job, from 54% in 2023 to 50% in 2024, work stress levels pushed 46% of staff to leave their cybersecurity jobs this year (up from 43% in 2023). That's according to the ISACA's "Global State of Cybersecurity 2024," which also cited lack of support from management (34%), poor work culture (32%), and return-to-office initiatives (32%) as reasons people quit.

Retention is key to Trace3, Kissinger adds. "Sometimes it's very challenging to tell when someone's burning out," he says. "[An employee was] ready to leave because they were burning out, and I said, 'This is the first I've heard about it. Can we bring on some contractors to help us moderate the workload?' Unless people speak up, you're really doing yourself a disservice."

Adds Wilson: "Sometimes these automation products, whether they're cybersecurity or marketing or whatever, there's a value proposition that says you can have less people on your staff. I don't think there's anybody saying, 'I'm spending too much on my SOC team — I'm going to reduce that by bringing in automation.' What they're saying is, 'My SOC team is overwhelmed, and people are quitting because they're burned out.'"