As with many other things, we start paying attention to a problem only when it gets worse. Like ransomware, which has been around since 1989, the talent gap has been reported for at least a decade.
One of the first warnings came in 2010 with a report called “A Human Capital Crisis in Cybersecurity” by the Center for Strategic & International Studies. Then, in 2016, the “Hacking the Skills Shortage” report from McAfee stated that 82% of the survey respondents reported a shortage of cybersecurity skills. The existing data clearly shows that little improvement was made over the decade, and today close to 60% of organizations are affected by this problem.
According to the (ISC)² 2021 Cybersecurity Workforce Study, the estimate for the supply-demand cybersecurity workforce gap is close to 4.2 million, with a 700,000 increase year over year.
Another professional association puts the number close to 3 million, but what is certain is that we have millions of unfilled jobs in the cybersecurity domain. This comes with a multitude of problems, some of which are covered in this paper. We must do more research on this topic, and more people need to talk about it, to understand how far and deep this goes.
According to CyberSeek, in the U.S. alone there are more than 100,000 job openings that require a CISSP certification, but nationwide there are just over 90,000 CISSPs (Certified Information Systems Security Professionals). The other example is even more eye-opening, with 40,000 jobs requiring the CISM certification and just 17,000 CISMs (Certified Information Security Managers).
Yes, this has been a known problem for a long time; the recent development is that governments, industries, and organizations now acknowledge what is happening because every one of them is affected.
As more experts look into this problem and more people talk about it, we seem to understand more about its size, shape, and form. What started as a recruiting problem slowly evolved into a pandemic for which there is no vaccine at this point.
There are multiple dimensions to the problem, and this paper is a best effort to cover as many as possible. This problem, like cybersecurity and technology, is constantly changing; only the issues stay the same.
What we have acknowledged, and this is a good start, is that our education systems' curricula are not up to date enough to prepare the next generation of cybersecurity professionals. Fresh graduates are not ready for entry-level jobs, as they are not equipped with the necessary technical skills and, more worryingly, not even with the human skills. Some of the latest literature on this subject reports that analytical and critical thinking, along with communication, are skills missing from people who have just finished higher education. This is a frightening thought, given the time and financial investment needed for a bachelor's or master's degree, only to be unprepared for a first job interview.