• (ISC)² reports that while big gains have been made in hiring cybersecurity professionals around the world in 2022, the number of unfilled positions has expanded dramatically.
• Nearly 70% of the 11,779 professionals surveyed for the study say understaffing made their organizations vulnerable.
With the volume of threats on a seemingly endless upward trajectory, awareness of how critical it is to have effective security technology and personnel in place has been a long-time board-level concern. Unfortunately, lack of resources, particularly of the human variety, has plagued the security industry for years. Despite some major efforts across industries to bring in more security talent, there are still major gaps in coverage. In its 2022 Cybersecurity Workforce study, the non-profit security professionals' organization (ISC)² reports an 11.1% increase in the number of security professionals in the workforce globally. This represents an addition of 464,000 security staff in the last year. Unfortunately, demand is outstripping supply. The number of unfilled IT security positions has more than doubled to a 26.2% increase in the last year, which translates to more than 3.4 million vacant spots.
Most of the surveyed organizations say the staffing gaps place their operations at risk. Respondents in aerospace, government, education, and transportation report the most serious skills gaps. And of the 70% who lack adequate IT security headcount, more than half say their organization is at moderate or extreme risk of a cyberattack.
When respondents were asked what issues they have experienced that could have been mitigated if they had enough cybersecurity staff, concerns were higher for each option this year than last. Nearly 50% say they don't have enough time for proper risk assessment and management, and 43% note their organization has lacked effective oversight in process and procedure.
Many have noted that scarce resources are forcing them to scramble to carry out the most fundamental tasks: 39% admit they are slow to patch critical systems, and 38% observe they don't have enough time to adequately train each cybersecurity team member.
Though it does appear organizations are actively trying to staff up, there are a myriad of reasons behind the security workforce gap. The inability of the organization to find adequate talent is most often cited. In the competitive environment, organizations struggle with turnover.
On a broader scale, technology companies are investing in cybersecurity education in both higher education and secondary grades. For example, IBM is working with universities and secondary institutions to develop curriculum and provide support resources. Initiatives like these, which help schools hone their cybersecurity professional programs, are ramping up at institutions across the US and abroad.
How effective these will be in helping close the gap remains to be seen. However, it is abundantly clear that if the gaps widen even further, the level of risk will continue to escalate at pace.