The cybersecurity skills gap is becoming a yawning chasm, with a 73% increase in 2022, equivalent to 56,811 unfilled vacancies in the UK, according to the latest ISC(2) 2022 Cybersecurity Workforce Study. Indeed, competition over skilled professionals is getting so intense that 60% of companies claim to have had staff poached, according to ISACA’s State of Cybersecurity 2022 survey.
Organizations have taken a variety of approaches in an attempt to mitigate these shortages, from providing more flexible working conditions to investing in training and recruiting new staff. However, those that have left their jobs say they’ve predominantly been motivated by other factors. These include higher pay (31%), growth opportunities (30%), a negative business culture (25%) or stress and burnout (21%) and only half thought they would remain in their organization for the next five years.
The transitory workforce has been further reinforced by the current economic climate. With wages plateauing and double-digit inflation, those professionals in high demand are voting with their feet, and employers are all too aware of this. According to the 2023 Salary Guide UK, 58% of employers expect staff to leave seeking higher pay. But given that many organizations can’t afford to compete on pay alone, and efforts such as offering hybrid working are now commoditized, they must explore other ways of improving retention.
Underappreciated and Supported
One of the interesting points made in the ISC(2) report is that those organizations with the most significant shortages all shared common issues. These failed to prioritize cybersecurity, sufficiently train staff and offer opportunities for growth or promotion. The report revealed that the vast majority – 70% – felt overworked, while around a quarter complained of a lack of support from senior management, and 22% felt the burden of responsibility on them was too great. Yet despite these issues, only 28% of organizations had employee experience (EX) programs in place that focused on recognition and well-being.
Almost 70% of those with low morale said the poor workplace culture contributed to their effectiveness in responding to cyber incidents. This can create a self-perpetuating circle in recruitment terms because companies that repeatedly experience breaches can see a higher staff turnover, with a recent report claiming that half of employees said they would be more likely to leave following a cyber-attack.
What We Should Be Doing
Cybersecurity professionals, therefore, continue to feel sidelined, unappreciated and overburdened. Indeed, The State of Security 2022 report by Splunk found that 76% of cybersecurity staff have taken on responsibilities they were not ready for, partly due to the skills shortage.
In real terms, this means that organizations need to be more proactive and focus on valuing staff to boost morale. They need to determine responsibilities, alleviate workloads and recognize the contribution made by cybersecurity. Key to achieving this will be the use of automation and tooling to improve efficiency rather than generating a plethora of alerts, with advances in AI promising to help here. But the organization can also improve matters structurally by creating flatter hierarchies that then reduce the managerial and generational divide and by making cybersecurity a shared responsibility that is embedded into the business culture.
When determining responsibilities, the organization needs to offer a clear job remit and avoid job creep, whereby more duties are added over time but without recompense. This sounds deceptively simple, but the reality is that many job descriptions have developed organically along with technological advances, making it difficult to determine appropriate responsibilities and remuneration.
Providing a Path
Thankfully, advances are being made here with the UK Cyber Security Council developing its Cyber Pathways Framework covering 16 specialisms. This will specify the qualifications and experience associated with different cybersecurity disciplines, introducing some much-needed transparency and showing how career paths can develop. For organizations, this could prove a real boon by enabling them to provide skilled cyber professionals with a clear career path and the training and support necessary to achieve those goals.
Moreover, the UK Cyber Security Council is also launching a chartered status scheme that will recognize achievements. This will see three professional titles – Associate, Principal and Chartered – awarded to those professionals meeting certain criteria adjudicated by industry bodies such as ISACA. It’s a step that will see the industry finally put on par with others, such as the legal and financial sectors. But, more importantly, it also recognizes the achievements of individuals, elevating their status.
Going forward, it’s clear that recognizing and supporting cybersecurity professionals carries the most weight when retaining talent. Therefore, organizations that focus on achieving these goals through EX programs are much more likely to successfully attract and keep their workforce.