Five years ago, we spoke confidently about the cybersecurity skills gap. It was simple: More cybersecurity professionals were needed to fill the demand. Fast-forward to today, and there are still only 83 cybersecurity workers for every 100 jobs, according to CyberSeek.
It’s clear that the situation is more complex than we initially thought.
To develop real solutions, we need a deeper understanding of the gap's true nature — and where the challenges lie.
Understanding the Skills Gap Data
The cybersecurity job market has shifted dramatically in recent years. We're seeing an increasing demand for professionals who possess not only cybersecurity knowledge but additional skills like cloud or AI expertise. This expansion of required skills has broadened the scope of what it means to be a cybersecurity professional and, in many cases, made the job more complex.
According to a recent ESG report, 63% of cybersecurity professionals said that working in the industry has become more challenging over the past two years, with the top two reasons being increased complexity and workload and increased cyber threats due to growing attack surfaces.
Additionally, many assume the oft-cited 4.8 million worker shortage refers to entry-level positions. This is far from the truth. A significant percentage of open cybersecurity jobs are more advanced, and in some cases, people with entry-level skills have been filling these roles. The reality? Those with the required experience and skills are likely already employed and not looking for new roles.
Improving the Hiring and Training Funnel
The need for more cybersecurity talent is not going away, but solving this problem requires serious recalibration on several fronts, including:
- Where do we find new talent? The answer is increasingly coming from non-traditional pathways.
- What are the actual skills needed to fill the open roles? We often ask for more than is necessary, discouraging viable candidates.
- Does current training provide new and existing professionals with the verified skills organizations need? New hires are expected to provide value faster than ever, and existing professionals must continually learn to stay relevant. We need to train them efficiently — and validate that training delivers real-world skills.
My own entry into cybersecurity was unconventional. I started in civil engineering and transitioned into IT and cyber because I showed interest and initiative. The industry needs to adapt and encourage more people who begin their careers with non-traditional backgrounds or jobs.
Finding and Training Cybersecurity Talent
Truly closing the cybersecurity skills gap requires a different approach than what the industry has built around. Typically, it focused on people with some technology experience trying to upskill or re-train, which is no longer sustainable in today’s cybersecurity landscape.
An ISC2 Cybersecurity Workforce Study in 2023 showed that 80% of cybersecurity professionals agreed there are more pathways into cybersecurity than in the past and 51% say they are changing hiring requirements to accept more applicants from non-cybersecurity backgrounds. However, the study doesn't show how many of these applicants are actually getting hired.
The Rise of Alternative Education
It's not surprising that we're seeing a slight decline in college enrollments, as people opt for workforce skills development through accelerated technical programs and boot camps.
The political landscape backs this trend. Over the summer of 2024, US Acting Principal Deputy National Cyber Director Jake Braun said that some degree requirements for federal and contractor roles would be lifted, and “unnecessary” college degrees were a talking point in the 2024 presidential election.
Some universities are shifting to provide more flexible learning pathways students want by partnering with boot camp-style programs — combining traditional degree programs with real-world skill development and certifications. The goal is to achieve better outcomes for both students and their future employers.
Finding Talent Within Your Organization
Organizations across the board are finding that matching cultural and corporate ethos is often an even bigger challenge than finding the right technical skills.
If someone in the organization shows interest in changing careers, it should be encouraged — whether they’re coming from accounting, sales or any other department. These career transitioners continue to make up a larger portion of cybersecurity professionals each year.
Unlocking Talent with Generative AI
Generative AI is already being used creatively to train people and keep their skills up to date. At the RSA Conference 2024, I led a session where I did just that. By leveraging ChatGPT, along with some guidance, more than 100 people were able to learn how to use Wireshark to analyze network traffic and find malware — essentially using GenAI as a tutor.
AI-driven student assistants, hands-on lab assistants and other AI tools are helping learners transition between roles and build targeted skills quicker than has ever been possible in history. While human teachers may tire of answering the same questions repeatedly, AI doesn't, potentially leading to a better learning experience in some cases.
A Better Path Forward: How Employers Can Help
When I started in this field, anyone with even minimal training was almost guaranteed a job. The industry has long since matured past that point, and we need to adjust accordingly. While some specific micro-roles still operate in that mode, they need to be clearly identified so that job seekers receive honest messaging about what to expect after obtaining certifications or hands-on skills.
The hard work of mapping skills to the likelihood of immediate employment hasn't been done sufficiently using real-world data. With recent advances in GenAI and other technologies, we now have the capability to undertake this necessary industry-wide project — and better fill those skills gaps.
Employers can be great partners in this effort by:
- Better evaluating the actual skills required for a job. This leads to improved job descriptions, more qualified candidates and clearer training objectives around the requirements to succeed in each role.
- Embracing new learning and training methods. These may not align with traditional approaches. The new generation of entry-level workers learns differently than we did — and has new tools to do so. We need to meet them where they are.
- Being more intentional about reporting skills needs. The more accurate the information we have in the industry, the more likely we are to find real solutions to the talent gap and build a workforce with the skills needed to address current and future challenges.
We need an open dialogue and conversation around these points as we work together to address the cybersecurity skills gap in this evolving landscape.