(ISC)² – the non-profit membership association of certified cyber security professionals – has announced the findings of its 2019 Cyber Security Workforce Study, which for the first time estimates the size of the current cyber security workforce (2.8 million professionals), as well as the number of additional trained staff needed to close the skills gap (4.07 million professionals). The data indicates a necessary cyber security workforce increase of 145% on a global scale.
Here in the UK, the current cyber security workforce estimate stands at 289,000, alongside 121,000 in France and 133,000 in Germany. The shortage of skilled professionals across the EMEA region has now grown to reach a figure of 291,000.
“We’ve been evolving our research approach for 15 years to reach this point whereby we can confidently estimate the current workforce and better understand what it will take as an industry to add enough professionals to protect our critical assets,” said Wesley Simpson, COO at (ISC)². “Perhaps more importantly, the study provides actionable insights and strategies for building and growing strong cyber security teams. Knowing where we stand and the delta that needs to be filled is a powerful step along the pathway to overcoming our industry’s staffing challenges.”
Along with providing these estimates, the study takes a closer look at who cyber security professionals are and what motivates them, reveals how organisational security teams are staffed and outlines data-driven insights into immediate and longer-term methods for building qualified and resilient cyber security teams now and in the future.
Key findings from the study
Among the key findings from the study are the following:
* 65% of organisations report a shortage of cyber security staff, with a lack of skilled/experienced cyber security personnel being the top job concern among respondents (36%)
* Two-thirds (66%) of respondents report that they’re either somewhat satisfied (37%) or very satisfied (29%) in their jobs, while 65% intend to work in cyber security for their entire careers
* 30% of survey respondents are women, 23% of whom have security-specific job titles
* 37% are below the age of 35 and 5% are categorised as Generation Z (ie under 25 years of age)
* 62% of large organisations with more than 500 employees have a CISO, although that number drops to 50% among smaller organisations
* 48% of organisations represented say their security training budgets will increase within the next year
* 59% of cyber security professionals are currently pursuing a new security certification or plan to do so within the next year
* Just 42% of respondents indicate that they started their careers in cyber security, meaning that the remainder moved into the field from other disciplines
* Top recruiting sources outside of the core cyber security talent pool include new university graduates (28%), consultants/contractors (27%), other departments within an organisation (26%), security/hardware vendors (25%) and career changers (24%)
Strategies for building cyber security teams
In the face of the growing need to build the workforce and recruit new talent, the report outlines four main strategies: (1) highlighting training and professional development opportunities that contribute to career advancement; (2) setting levels on applicant qualifications to make sure the net is cast as widely as possible for undiscovered talent; (3) attracting new workers such as recent college graduates who have degrees tangential to cyber security, or otherwise attracting seasoned professionals such as consultants and contractors into full-time roles; and (4) strengthening from within by further developing and cross-training existing IT professionals with transferable skills.
The Cyber Security Workforce Study shows that cyber security and IT professionals are largely satisfied in their careers and optimistic about their futures, but the size of the current workforce still leaves a significant gap between the number of cyber security professionals working in the field and the number needed to keep organisations safe.
The study is based on online survey data from 3,237 individuals responsible for security/cyber security throughout North America, Europe, Latin America and the Asia-Pacific region. This more than doubles the respondent base from the 2018 study (1,452). Respondents were a mix of certified professionals in official cyber security roles, as well as IT/ICT professionals who spend a minimum of 25% of a typical work week handling cyber security-related responsibility. Unlike legacy gap calculation models that simply subtract supply from demand, this study’s calculation takes other key factors into consideration, including the percentage of organisations with open positions and the estimated growth of companies of different sizes.
To download a complimentary copy of the study and to read the detailed report methodology visit: https://isc2.org/Research/Workforce-Study