The global cybersecurity workforce gap has reached four million people, a 12.6% increase compared to 2022, according to the ISC2 2023 Cybersecurity Workforce Study.
More than nine in 10 (92%) of professionals surveyed revealed they had skills gaps in their organization, with 67% reporting having a shortage of cybersecurity staff needed to prevent and troubleshoot security issues.
This shortfall comes despite an 8.7% increase in the global cybersecurity workforce compared with 2022, reaching 5.5 million professionals.
Cutbacks and Layoffs Impacting the Sector
The cyber skills gap has been exacerbated by significant cutbacks to cybersecurity operations amid the turbulent global economic environment.
Nearly half (47%) of respondents said they had experienced cyber-related cutbacks in the past year, including layoffs, budget cuts and hiring or promotion freezes. Of this group, 22% were impacted by layoffs, both first- and second-hand, within cybersecurity.
ISC2 CEO Clar Rosso expressed her surprise and disappointment with the level of cutbacks and layoffs in cybersecurity, which she believes will have a significant impact on the skills gap.
Speaking to Infosecurity, Rosso noted that there has been a much greater understanding from the C-suite that reducing cyber staff increases cyber risk to their organization, along with the resulting financial and reputational harm, “but they do it anyway.”
She added: “The logical conclusion from that is they are more concerned about economic risk than cyber risk and they’re not fully understanding the equivalency between the two risks because they are inextricably tied together.”
An additional 28% of cyber professionals reported layoffs elsewhere in their organizations, which has had a significant impact on security teams.
More than a third (35%) of respondents in organizations that had implemented cutbacks have seen company-wide cybersecurity training programs eliminated. Close to three-quarters (71%) of this group reported a negative impact on their workload as a result of organizational cutbacks, while 57% felt their threat response was inhibited.
Overall job satisfaction remained high, however, with 70% reporting being somewhat or very satisfied in their jobs today. This represents a slight fall from 74% in 2022.
Insider Threats Are on the Rise
Over half (52%) of respondents reported an increase in insider risk-related incidents, and half had either personal or second-hand contact with a malicious insider in the past year.
Of those who have had this kind of contact, 39% said they or someone they know has been approached to become a malicious insider at their organization. Meanwhile, 33% have been targeted at home or at work because of their professional role.
This rise in insider threats is linked to the economic environment, with 71% of respondents agreeing that times of economic uncertainty increase the risk of malicious insiders.
Respondents at organizations that have had layoffs in cybersecurity are three times more likely to have been approached as malicious insiders.
“We need to help business leaders understand insider threats better; it’s a threat vector I just don’t think business leaders really understand very well,” commented Rosso.
Lack of AI Skills in Cybersecurity
Another concerning finding from this year’s Workforce Study was that 47% of respondents admitted they have no or minimal knowledge of artificial intelligence (AI), and just 16% said they have significant knowledge in this area.
AI and machine learning (32%) ranked behind only cloud security (35%) as the area with the most knowledge gaps in security teams. Zero trust implementation (29%) was third.
Yet Rosso believes cyber professionals are better equipped to secure AI than these figures suggest. She noted that securing AI shares many of the basic principles of general cybersecurity, such as the CIA triad (Confidentiality, Integrity and Availability).
“I do think cyber professionals are more able to secure the technology than they give themselves credit for,” she said.
Rosso added that the growth of AI has led to ISC2 conducting a more regular analysis of its certification programs to ensure they are up to date.
“What AI is driving us to do is instead of thinking we have the luxury of doing those tests on a three-year rotational basis, we’re going to have to do them more frequently as emerging technologies become more prevalent in organizations,” Rosso said.
Risks associated with AI and emerging technologies were cited as the biggest challenge facing cybersecurity professionals over the next two years (45%), followed by worker/skill shortages (43%) and keeping up with changing regulatory requirements (38%).
Encouragingly, 52% of cyber professionals said their organizations are governing the use of AI internally, expanding their management of AI or planning to formally manage AI use within the next 12 months.
Participants also listed advancements in AI as the third most positive impact on their ability to secure their organization, behind zero trust (34%) and automation (40%).
Improvements in Diversity
Increased diversity in the cybersecurity workforce was one of the biggest positives to emerge from this year’s study, Rosso highlighted. It found that 66% of newcomers to the cybersecurity profession within the US, Canada, Ireland and the UK in the past 12 months were non-white.
“It is huge to see that scale tipping in that space,” she noted.
Another encouraging finding was that security teams are increasingly embracing diversity, equity and inclusion (DEI) initiatives, with 69% stating that an inclusive environment is essential for their team to be able to succeed.
Organizations adopting skills-based hiring have seen a particular positive impact, with an average of 25.5% women in their workforce compared to 22.2% among those who haven't embraced this initiative.