(ISC)² finds cyber security workforce must grow by 145% to close skills gap

(ISC)² – the non-profit membership association of certified cyber security professionals – has announced the findings of its 2019 Cyber Security Workforce Study, which for the first time estimates the current cyber security workforce (2.8 million professionals), as well as the amount of additional trained staff needed to close the skills gap (4.07 million professionals). The data indicates a necessary cyber security workforce increase of 145% on a global scale.

Here in the UK, the current cyber security workforce estimate stands at 289,000, alongside 121,000 in France and 133,000 in Germany. The shortage of skilled professionals across the EMEA region has now grown to reach a figure of 291,000.

“We’ve been evolving our research approach for 15 years to reach this point whereby we can confidently estimate the current workforce and better understand what it will take as an industry to add enough professionals to protect our critical assets,” said Wesley Simpson, COO at (ISC)². “Perhaps more importantly, the study provides actionable insights and strategies for building and growing strong cyber security teams. Knowing where we stand and the delta that needs to be filled is a powerful step along the pathway to overcoming our industry’s staffing challenges.”

Along with providing these estimates, the study takes a closer look at who cyber security professionals are and what motivates them, reveals how organisational security teams are staffed and outlines data-driven insights into immediate and longer-term methods for building qualified and resilient cyber security teams now and in the future.

Key findings from the study

Among the key findings from the study are the following:

*65% of organisations report a shortage of cyber security staff, with a lack of skilled/experienced cyber security personnel being the top job concern among respondents (36%)

*Two-thirds (66%) of respondents report that they’re either somewhat satisfied (37%) or very satisfied (29%) in their jobs, while 65% intend to work in cyber security for their entire careers

*30% of survey respondents are women, 23% of whom have security-specific job titles

*37% are below the age of 35 and 5% are categorised as Generation Z (ie under 25 years of age)

*62% of large organisations with more than 500 employees have a CISO, although that number drops to 50% among smaller organisations

*48% of organisations represented say their security training budgets will increase within the next year

*59% of cyber security professionals are currently pursuing a new security certification or plan to do so within the next year

*Just 42% of respondents indicate that they started their careers in cyber security, meaning that the remainder moved into the field from other disciplines

*Top recruiting sources outside of the core cyber security talent pool include new university graduates (28%), consultants/contractors (27%), other departments within an organisation (26%), security/hardware vendors (25%) and career changers (24%)

Strategies for building cyber security teams

In the face of the growing need to build the workforce and recruit new talent, there are four main strategies outlined in the report. These encompass: (1) highlighting training and professional development opportunities that contribute to career advancement; (2) setting levels on applicant qualifications to make sure the net is cast as widely as possible for undiscovered talent; (3) attracting new workers such as recent college graduates who have tangential degrees to cyber security, or otherwise attracting seasoned professionals such as consultants and contractors into full-time roles; and (4) strengthening from within by further developing and cross-training existing IT professionals with transferable skills.

The Cyber Security Workforce Study shows that cyber security and IT professionals are largely satisfied in their careers and optimistic about their futures, but the size of the current workforce still leaves a significant gap between the number of cyber security professionals working in the field and the number needed to keep organisations safe.

The study is based on online survey data from 3,237 individuals responsible for security/cyber security throughout North America, Europe, Latin America and the Asia-Pacific region. This more than doubles the respondent base from the 2018 study (1,452). Respondents were a mix of certified professionals in official cyber security roles, as well as IT/ICT professionals who spend a minimum of 25% of a typical work week handling cyber security-related responsibility. Unlike legacy gap calculation models that simply subtract supply from demand, this study’s calculation takes other key factors into consideration, including the percentage of organisations with open positions and the estimated growth of companies of different sizes.

To download a complimentary copy of the study and to read the detailed report methodology visit: https://isc2.org/Research/Workforce-Study

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.
