The 7 most in-demand cybersecurity skills today – Source: www.csoonline.com

Cybersecurity teams find themselves understaffed, overburdened, and rushing to keep up with a rapidly changing threat landscape, as cyberattackers continually devise new ways to attack organizations — and organizations accelerate their embrace of the latest technologies.

As a result, security professionals must continually upskill themselves to ensure they keep pace with organizations’ latest skill demands. Unfortunately, deciding what skills to develop can be challenging, as there are a dizzying number of branches on the cybersecurity skill tree, and security professionals may not know what will produce the best return, now and in the years to come.

In a recent survey of 7,698 hiring managers and 8,154 non-hiring managers in cybersecurity worldwide, cybersecurity training organization ISC2 sought insights into the most pressing, in-demand skills for security pros today. Both groups shed important light on their organizations’ talent gaps. Non-hiring managers see what skills in their peers are prioritized for hiring and promotions and are themselves key influencers in such decisions.

Hiring managers, of course, are the ultimate judge: By choosing one candidate over another, they vote for the most valuable skills with the time and effort they will invest into managing, leading, and training the new hire.

Following are these skills in reverse order, ascending to the most prized and in-demand skill today.

7. Artificial intelligence / machine learning

Hiring manager preference (according to ISC2): 24%

Non-hiring manager preference (according to ISC2): 33%

AI and ML may dominate the headlines, but they are not the top skills sought after today. ISC2 states that the reason is timing: Hiring managers prioritize skills that produce an immediate benefit, and they view AI and ML as skills with a more long-term horizon. This thinking matches a recent Gartner prediction, as the research firm believes that 17% of all cyberattacks will one day involve generative AI — but not until 2027.

AI and ML encompass domain knowledge of how these technologies may be used against enterprises. For example, jailbroken or local large language models (LLMs) may be harnessed by criminals to execute social engineering attacks, such as spear phishing, much more quickly and at scale. Hackers can also inject malicious inputs into LLMs in what is known as a prompt injection, one of several key LLM vulnerabilities enterprise security teams must be prepared for.

Cybersecurity professionals may also employ AI and ML to protect their organizations. For instance, companies can use AI and ML to detect anomalies representing a specific type of threat, such as a ransomware attack, and automatically take preventive action by isolating the targeted device or network. The company can learn from these inputs and improve predictive security for the future.

AI and ML are crucial to organizations. With the existing talent gap stretching cybersecurity teams thin, enterprises should minimize their reliance on manual processes. By automating cybersecurity processes, companies can reduce human error involved in security vulnerabilities, enable staff to focus on higher-level or more strategic initiatives, and fend off more attacks.

Relevant certs:

Governance refers to the various policies an organization implements for its IT operations, including security-specific policies such as acceptable use, access control, and incident response policies. Risk management involves a proactive approach to identifying, mitigating, and minimizing risks, and planning for incident response. Both governance and risk management must be performed in compliance with a wide range of regulatory frameworks and compliance measures, which may apply to all organizations in a market.

For example, the EU’s GDPR has strict rules governing any data that leaves the EU. Others may be sector-specific: Healthcare organizations in the US must abide by strict privacy measures around personal health data set by HIPAA. 

ISC2 adds that GRC is increasingly important due to emerging technologies, especially AI. With AI creating unprecedented threats, and increasing regulatory policies, enterprises need GRC expertise to help navigate these new technological, legal, and regulatory waters.

Security analysis may include vulnerability assessment, penetration testing, log and event analysis, security architecture review, and other security evaluation functions. For example, before launching a product, a security analyst might evaluate it for potential security issues.

Security analysts often work closely with risk analysts to determine a security issue’s potential impact on the business, how likely that might be, and the extent to which the issue should be prioritized vis-a-vis other vulnerabilities. Both these skills appear on this list, suggesting an opportunity for talents who can both identify threats and assess them from a business perspective.

Professionals capable of security analysis are valuable because they give organizations the perspective of a hacker. They can identify weak points in applications, networks, or systems and suggest ways to improve them. Without strong capabilities in security analysis, an organization can go to market with products or platforms with glaring vulnerabilities.

According to Gartner, worldwide spending for application security is projected to grow from 2023 to 2024 by 15.7% to US$6.6 billion. Enterprises are budgeting so much due to the ever-increasing complexity of the modern software stack: Even a smaller enterprise may use dozens of applications across its organization, each introducing more possible attack vectors to its systems.

Securing applications from third-party vendors starts during the procurement process and eventually integration into the enterprise stack. Once up and running, companies often need application-specific security expertise to continuously monitor this software, as well as strong patch management processes.

Application security can also involve securing an application the enterprise sells, licenses, or distributes. This responsibility is complex. Cybersecurity professionals in this area must prevent hackers from exploiting vulnerabilities in their software, which have various targets, including databases, application code, APIs, third-party libraries, and web servers. And during the development lifecycle, cybersecurity best practices must also be applied, including code reviews and vulnerability testing for common threats.

While there is overlap between GRC and risk assessment, GRC professionals generally deal with risk mitigation at a much higher level due to the additional oversight they must bring to both governance and compliance. If GRC professionals have this breadth, those responsible for risk assessment, analysis, and management must have depth.

Risk analysts must be highly technical. They should be able to identify cybersecurity risks, evaluate their potential impact, and be hands-on in planning controls, processes, and strategies to minimize them. Thus, they should be familiar with a variety of preventive, detective, and corrective tools and technologies, including patch management, encryption, zero trust architecture, and backup and data recovery.

Talent with these skills is crucial for enterprises, as they provide in-the-trenches know-how for identifying, assessing, and managing risks at a granular level.

Security engineers are the builders in cybersecurity, constructing not only technical solutions but also systems, such as those for access control, or processes, such as plans for incident response. They often focus narrowly on specific technologies, such as networks or architecture, or tasks, such as threat modeling, software or hardware testing, or dealing with network intrusions.

Because of this, security engineers are paid handsomely, with an average salary in the US at US$127,094. Despite the lucrative pay, there is still a massive gap: The US Bureau of Labor Statistics estimates that there will be a 33% growth in the field by 2033.

ISC2 postulates that the demand for security engineers is high because they provide immediate benefits. Because they have a hands-on role in shoring the organization’s cyber defenses, they are a high priority for any team. They prevent data breaches, ransomware attacks, and other intrusions that have high direct and indirect costs, like reputational damage and lost productivity, making them well worth their high salaries. Crucially, they minimize opportunity costs, enabling organizations to focus on strategic plans rather than resource-draining and distracting breaches or hacks.

Relevant certs

• Information Systems Security Engineering Professional by ISC2

1. Cloud computing security

Hiring manager preference: 36%

Non-hiring manager preference: 48%

According to Gartner, cloud computing is the fastest-growing technology market, and with businesses investing so much into the cloud, it should be no surprise that cloud security ranks as the most in-demand skill, according to ISC2’s survey. This skill area retained its top position from 2023, suggesting relative stability for security professionals who want to develop this ability.

By ISC2’s definition, cloud security comprises three areas: cloud platform and infrastructure security, cloud data security, and cloud architecture and design. These skills matter to organizations because they are responsibilities enterprises share with all major providers, such as Azure, Amazon Web Services, and Google Cloud Platform.

While the definition and scope of shared responsibility differs slightly between providers, the overall relationship is the same. The cloud provider secures the data centers, servers, and virtualization layer, and the customer must secure everything built on that foundation, including applications, data, and access management. There is a similar division of responsibilities for platform-as-a-service (PaaS) and software-as-a-service (SaaS) as well.

With cloud resources now the top target for cyberattacks in 2024 — cloud management infrastructure at 26%, cloud storage at 30%, and SaaS applications at 31%, per Thales — enterprises would be wise to prioritize protecting their properties in the cloud. Hiring managers and non-hiring managers agree, with both placing cloud security skills atop their lists.

Relevant certifications

• Azure Security Engineer Associate from Microsoft
• AWS Certified Security – Specialty
• Professional Cloud Security Engineer from Google Cloud Platform
• ACA Cloud Security Certification from Alibaba Cloud
• Certificate of Cloud Security Knowledge from Cloud Security Alliance

See also:

• 17 hottest IT security certs for higher pay today
• Top 12 cloud security certifications
• Essential skills for today’s threat analysts