The 2023 ISC2 Cybersecurity Workforce Study Delves into Cloud Security and AI
The security industry is at a critical juncture. Capturing the state of affairs is a recent report released by the International Information System Security Certification Consortium, or ISC2.
“A perfect storm”
As they state in their Executive Summary, “Our study shows that a perfect storm of economic uncertainty, rapidly emerging technologies, fragmented regulations and ever-widening workforce and skills gaps is creating huge uncertainty for a profession whose role it is to protect global infrastructure and systems from attack.” Their conclusion? “The cybersecurity workforce needs more support and investment from leaders across the public and private sectors.”
To support that point, they surveyed their most prominent and most geographically diverse group yet; 14,865 cybersecurity professionals were canvassed from across Africa, Asia, the Middle East, North America, Europe, and Latin America.
At a glance, here are some stats worth following up on in the report:
- 67% reported they don’t even have enough staff to troubleshoot security issues.
- Only 52% believe their organization has the resources required to stay safe over the next 2-3 years.
- 58% are going to try to cancel out the effects of worker shortages by increasing the skill level of their workers.
- Over one in five (22%) of cybersecurity professionals have experienced layoffs, either first or second-hand.
- Almost 40% have been approached by malicious actors wanting to leverage their insider status or know someone who has.
Notably, a lack of skills and a dearth of workers are two of the factors contributing largely to this “perfect storm”. However, it’s interesting that 67% attested that the absence of needed skills was the worse of the two evils. Understanding that could give workers an edge before diving headlong into the industry.
What’s in the Report
While this barely scratches the surface, here is an overview of the most common topics:
The workforce gap | Despite a growing global cybersecurity workforce, demand is still outpacing supply. With the gap growing by 12.6% this year, it’s interesting that 31% of cybersecurity professionals are still expecting additional cutbacks to come. The total cybersecurity workforce gap stands at around 4 million workers, and the only surveyed region not feeling the pinch is the Middle East.
The current state of the cybersecurity workforce | Focusing on the effect of cutbacks, the study reveals that nearly one-half (47%) have been affected by cybersecurity-related downsizing of some sort; layoffs, budget cuts, and hiring or promotion freezes. Likely due to Hollywood’s recent Writer’s and Actor’s Strikes, the Entertainment industry experienced the most cyber layoffs. Military experienced the least.
Culture and DEI | A year after introducing Employee Experience (EX) ratings, ISC2 found that most cybersecurity professionals are happy with their jobs despite significant industry turmoil. Most report a “passion for cybersecurity work in general,” although cutbacks have dented morale. On the DEI side, 69% believe an inclusive environment is integral to team success, and the amount of non-white and female workers increases the younger you go. That leaves the “under 30” age group boasting the most diversity in the field.
New Career Pathways | One good thing to come out of the skills gap is a rush to fill it. Eighty percent agree that there are more pathways into the industry than in the past. Nearly 60% reported witnessing an increase in technically experienced applicants (with no cybersecurity experience), and new recruits (1 year or less) are 14% more likely to already have a bachelor’s degree in the field. The number one reason the “happiest” workers entered cybersecurity? The ability to work in a continuously evolving industry. What motivated the switch for the least happy? “My company reorganized and I was pushed into a cybersecurity role.”
Skills in Demand | Nearly half (47%) of all security professionals consider cloud computing security the most sought-after skill for those looking to advance their careers, and 32% of hiring managers agreed. Interestingly, while non-hiring professionals predicted GRC skills were the next highest in-demand, hiring managers listed communication (and at only a point lower than cloud-computing security). Not surprisingly, not even having made the top ten list one year ago, AI/ML skills are now in the top five.
Certifications | Roughly twenty percent of respondents will pursue a cybersecurity professional development certificate in the next six months, and nearly half (49%) plan to do so within the next five years. Looking to fill their personal skills gap, skills growth remains the top driver for certification. Staying current with security trends is next, and “my organization asked me to do it” comes last. And while organizations offer significant incentives for “leveling up”, the report suggests that the strongest message of support a company can give comes in the form of time to get it all done – those “specific blocks of study time for certification.”
Cybersecurity Landscape: Present & Future | Three-fourths of the over 14,000 global respondents noted that the current threat climate is the worst it has been in five years, and this varies by industry. Even the industries least affected (Construction and Automotive) still agree to the tune of 65% and 64%, respectively. Malicious insiders are the second biggest near-term challenge for practitioners, and attackers are 3x more likely to recruit victims of a layoff to do their dirty work. Looking forward, most security professionals believe the risk of emerging technologies like blockchain, quantum computing, AI, VR, and intelligent automation will be the biggest cybersecurity challenge we will have to face.
Cloud Security and AI/ML
While unsurprising, it is important to reiterate the importance of cloud security and a/ML acuity as primary in-demand skills. With 92% reporting skills gaps, cloud computing security (35%) and AI/ML (32%) were the top two most common, followed by Zero Trust implementation. As AI/ML proliferates, ISC2 noted that employees are “much less prepared to wield and effectively use its power compared with other cybersecurity competencies.” This leaves the door wide open for those who are. And the irreversible trend toward hyper-distributed environments will ensure that those who understand cloud security will always have a job.
The threat landscape is changing. The security technology is changing. And as this report illustrates, it’s time for us to change, too.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire.