Connect with us

Hi, what are you looking for?


Management & Strategy

Cybersecurity Workforce Study Needs to be Taken with a Pinch of Salt

The global cybersecurity workforce has increased by 700,000 to 3.5 million (while the shortfall has decreased by 950,000 to 3.12 million); and companies have apparently transitioned to remote working securely. 

The global cybersecurity workforce has increased by 700,000 to 3.5 million (while the shortfall has decreased by 950,000 to 3.12 million); and companies have apparently transitioned to remote working securely. 

These are the big takeaways from the 2020 ISC2 Cybersecurity Workforce Study, which queried 3,790 people who spend at least 25% of their time concentrating on cybersecurity tasks. The first takeaway relates to the workforce. “Overall we’re seeing some very positive trends from the cybersecurity workforce reflected in this new data,” said Clar Rosso, CEO of ISC2. “The response to COVID-19 by the community and their ability to help securely migrate entire organizational systems to remote work, almost overnight, has been an unprecedented success [the second takeaway] and a best-case scenario in a lot of ways. Cybersecurity professionals rose to the challenge and solidified their value to their organizations.”

But while these figures are welcome, there are nevertheless caveats. The cybersecurity workforce is a huge and diverse market, and the in-demand skill set is constantly changing. We don’t know where the 700,000 additional staff are operating. Are they skilled data engineers able to triage the alerts from machine learning, or experts in cloud security brought in to help secure the new home-office hybrid environment — or are they less-skilled cyber administrators brought in to help manage and train remote workers?

While the ISC2 figures show the workforce gap narrowing slightly, we cannot assume from this that the cybersecurity skills gap is narrowing. “Form should follow function,” Setu Kulkarni, VP strategy at WhiteHat Security, told SecurityWeek. “The real question to ask is do we have the right talent for the modern cyber-security needs. While we may have an uptick in the number of available cybersecurity professionals, are they the right-skilled professionals? For example, let’s take a closer look at one critical need we have in the industry today — DevSecOps. Do we have cybersecurity professionals who can perform all the duties required to implement good DevSecOps? The answer is no.”

It is perhaps more realistic to consider that the overall workforce shortage remains at 3.12 million, and that cybersecurity employment still needs to increase by 41% in the U.S. and 89% worldwide in order to fill the workforce gap, regardless of the skills gap.

One noticeable feature in ISC2’s workforce figures is the disparity between the number of new staff (up 700,000) and the number of required staff (down 950,000) — suggesting that demand is decreasing and fewer people are being actively recruited. This is supported by the study, where 23% of respondents said that they or a peer had been laid off as a result of the pandemic.

“The plans to downsize security teams are concerning,” comments Dr Kiri Addison, head of data Science and threat intelligence at Mimecast. “2020 has seen many successful cyberattacks and our threat researchers found that COVID-19 has opened new opportunities for threat actors in the first months of 2020, with a 35% rise in email-based malware threats from January to April.”

Advertisement. Scroll to continue reading.

Kulkarni accepts that narrowing the workforce gap is ‘an encouraging macro trend’, “it is our job to make sure that we not only upskill our workforce to meet the needs of modern cybersecurity, but also put in place relevant grassroots training and development to have a cybersecurity educated entry-level workforce.” The implication is that the existing workforce needs to be upskilled in situ, while new staff are encouraged to join the industry from the outside.

However, it is not at all clear that in-house skills training is enough. “Simply increasing on-the-job training will yield limited returns,” warns Brendan O’Connor, CEO and co-founder at AppOmni. “The growing sophistication of cloud services and even more complex cybersecurity challenges cannot simply be addressed by additional training.” He adds, “Organizations should consider a balanced approach to training their employees and investing in automation tools. Extensive training and around-the-clock manual monitoring are not necessary when the right automation tools can complement the IT staff as they build up their skillset.”

Steve Durbin, managing director of the Information Security Forum, sees little option to in-house training. “Apprenticeships, on the job learning, backed up with support training packages are the way to go to tackle head on a shortage that is not going to go away,” he told SecurityWeek. He doesn’t know whether it will work, but adds, “Whether or not CISOs and their HR departments will value such earned skills remains to be seen but there is a practical element to be considered here: organizations can either adopt an attitude that says we will work with the rich skill sets that are available and provide the security components by online training, apprenticeships and practical skills transfer through mentoring schemes, or they can sit back and wait for the perfect candidate to come along some time, maybe never.”

The second takeaway from the ISC2 report is the speed and success with which organizations have adopted the work from home paradigm. Says ISC2, “The data shows that 30% of cybersecurity professionals faced a deadline of one day or less to transition their organizations’ staff to remote work and to secure their newly transformed IT environments. 92% of respondents indicated that their organization was ‘somewhat’ or ‘very’ prepared to respond, and just 18% saw security incidents increase during this time.” This is a remarkably upbeat view of the success of the transition. But the caveat is simple — it’s too soon to tell. 

Given that the FireEye 2020 M-Trends report noted that the global median dwell time for attackers to live quietly inside networks is 56 days, and that 12% of its own investigations continue to have dwell times of greater than 700 days, it is quite likely the 18% of recognized incidents does not include an unknown number of as yet undetected incidents. It is quite possible that this will get worse before it gets better. Mimecast research on British home workers indicates that after working from home for a few months they are developing lax cybersecurity habits. “These bad practices result in more cybersecurity incidents across businesses, with three in four IT leaders witnessing cybersecurity issues once a month or more — more worryingly, 20% of them admit occurrences happen more than once a day.” 

This relaxed approach to security at home is quite likely to increase over time. Sam Small, the CSO at ZeroFox, told SecurityWeek, the effect of the pandemic on cybersecurity will last throughout 2021. “What we don’t know is whether the security teams will learn how to defend home/office hybrid environments faster than the criminals will earn how to exploit them.” But it’s too soon to claim that the transition has been a success.

Related: Spike in Company Compromises Correlates With Lockdowns 

Related: NSA Issues Cybersecurity Guidance for Remote Workers, System Admins 

Related: Cybersecurity Workforce Gap: 145% Growth Needed to Meet Global Demand 

Related: Addressing the 3 Million Person Cybersecurity Workforce Gap 

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

SecurityWeek spoke with more than 300 cybersecurity experts to see what is bubbling beneath the surface, and examine how those evolving threats will present...

CISO Conversations

Joanna Burkey, CISO at HP, and Kevin Cross, CISO at Dell, discuss how the role of a CISO is different for a multinational corporation...

CISO Conversations

In this issue of CISO Conversations we talk to two CISOs about solving the CISO/CIO conflict by combining the roles under one person.

CISO Strategy

Security professionals understand the need for resilience in their company’s security posture, but often fail to build their own psychological resilience to stress.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.