What Is the Cybersecurity Skills Gap?

Simply put: there aren’t enough skilled individuals to fill cybersecurity positions. In 2021, there were an estimated 3.5 million open job requisitions for cybersecurity professionals globally — with 465,000 in the United States alone. Unfilled job requisites increased 350% from 2013, and it’s predicted that the same number of open positions will remain through 2025.¹

A handful of factors have contributed to the cybersecurity skills gap, which has been on the industry’s radar for roughly the past decade. Job postings with misaligned requirements are one reason cybersecurity positions go unfilled. How can an entry-level analyst hold certifications that take multiple years to achieve? And similarly, how can a job prospect have 10 years of experience working with a specific technology that was developed less than five years ago?

Cybersecurity can also attract ‘non-traditional’ candidates, whose expertise has been developed outside of a classroom or through hands-on experience, whose applications can become hindered by inflexible degree requirements. Similarly, requiring stringent criteria for cybersecurity positions, including multiple certifications or extensive experience, can also limit a position’s applicant pool.

Recent ESG and ISSA research, captured from a survey of 489 cybersecurity professionals, highlights mistakes when hiring cybersecurity talent. While supply and demand plays an important role, the findings show many believe their organizations contribute to the skills gap: 29% of respondents said their organization’s HR department doesn’t understand the requisite skills, and 25% indicated job postings were unrealistic. Nearly 60% of respondents “felt their organization could be doing more to address the cybersecurity skills shortage.”²

In addition to the shortage of qualified cybersecurity professionals, ESG and ISSA research also indicates another lesser-discussed implication in the cybersecurity skills gap: currently employed cybersecurity professionals who “lack the advanced skills necessary to safeguard critical business assets or counteract sophisticated cyber-adversaries.”³

The Cybersecurity Demand Gap

The increasing number of cyberattacks on organizations of all sizes is driving demand for cybersecurity personnel. The demand gap, also referred to as the cybersecurity workforce gap, is created because the need for cybersecurity professionals outweighs the supply of qualified individuals. The cybersecurity skills gap hurts those in the cybersecurity workforce. ESG and ISSA findings show 57% of organizations are impacted by the skills gap — leading to a heavier workload and burnout among staff.⁴

Criminal and nation-state sponsored hacking has grown rapidly and increased in sophistication, while academic curriculum is still relatively new and emerging, and education and training outlets in the U.S. have found it challenging to progress at the same rate as the growing threatscape.

The estimated global cost of cybercrime in 2021 was $6 trillion, and it’s expected to rise to $10.5 trillion by 2025.⁵ For additional perspective, cybercrime was estimated at $3 trillion in 2015. Meanwhile, almost two-thirds of cybersecurity professionals believe their organizations are understaffed. Cybersecurity staff shortages have major consequences.

Responses to the ISC(2) 2021 Cybersecurity Workforce Study illustrated the ramifications to their organizations from having understaffed cybersecurity departments:

• 32%: misconfigured systems
• 30%: not enough time for proper risk assessment and management
• 29%: slow to patch critical systems
• 28%: process/procedure oversights
• 27%: inability to remain aware of all threats active against our network
• 27%: rushed deployments⁶

Bridging the Gap

There are a handful of ways those in the industry can help address — and bridge — the cybersecurity workforce gap.

While the main focus of cybersecurity education and training is technical aptitude, curriculum should also help develop students’ soft skills. Possessing soft skills, such as teamwork, communication and collaboration, helps cybersecurity professionals translate their technical knowledge into value for their employer.

A study conducted by Tripwire also showed that possessing soft skills is highly valued by security teams: every survey participant thought soft skills were important when hiring, and top soft skills desired included analytical thinking and good communication.⁷

[1] Cybersecurity Jobs Report: 3.5 million openings in 2025. Cybercrime Magazine. Nov. 9, 2021. https://cybersecurityventures.com/jobs/

[2, 3] ESG RESEARCH REPORT: The Life and Times of Cybersecurity Professionals 2021, Volume V. A Cooperative Research Project by ESG and ISSA, July 2021. https://www.esg-global.com/hubfs/ESG-ISSA-Research-Report-Life-of-Cybersecurity-Professionals-Jul-2021.pdf

[4] The Life and Times of Cybersecurity Professionals 2021. July 2021. https://www.esg-global.com/hubfs/ESG-ISSA-Research-Report-Life-ofCybersecurity-Professionals-Jul-2021.pdf

[5] Cybercrime To Cost The World $10.5 Trillion Annually By 2025. Nov. 13, 2020. https://cybersecurityventures.com/cybercrime-damages-6-trillion-by2021/

[6] A Resilient Cybersecurity Profession Charts the Path Forward (ISC)2 CYBERSECURITY WORKFORCE STUDY, 2021 ISC2-CybersecurityWorkforce-Study-2021.ashx

[7] Survey Says: Soft Skills Highly Valued by Security Team. Oct. 17,2017. https://www.tripwire.com/state-of-security/featured/survey-says-soft-skillshighly-valued-security-team/