
(ISC)2: Cybersecurity workforce shortage nears 3 million worldwide

With a workforce in short supply, the skills gap has affected the professional growth of security pros worldwide, an (ISC)2 Cybersecurity Workforce Study found.

(ISC)² research puts the cybersecurity workforce shortage at roughly 2.93 million globally, with the gap between demand and supply of security professionals in Asia-Pacific far outpacing all other regions combined.

The shortfall in Asia-Pacific, estimated at 2.15 million, is attributed to growth in numerous countries and to security and privacy regulations, according to the International Information System Security Certification Consortium Inc. (ISC)², a nonprofit organization headquartered in Clearwater, Fla., that fielded the study.

The (ISC)² Cybersecurity Workforce Study (formerly the Global Information Security Workforce Study) surveyed close to 1,500 self-identified security professionals worldwide, including IT professionals that spend at least 25% of their time on security-related tasks. Best known for its CISSP certification, (ISC)² offers training and information security certification programs (SSCP, CCSP, CAP, CSSLP, HCISPP) for security professionals worldwide. Not restricted to (ISC)²'s 142,000 members, roughly one-third of those surveyed in the double-blind study belonged to the professional organization.

"We all have anecdotal evidence of people not getting a job, so what does this kind of a report mean to them?" said John McCumber, (ISC)² director of cybersecurity advocacy for North America, who discussed the organization's latest research at last week's (ISC)² Security Congress 2018 in New Orleans.

That question is hard to answer, McCumber said, because there is a lot of regional variance across the globe. North America has a significant cybersecurity workforce shortage, with demand outpacing supply by 498,000, followed by Europe, the Middle East and Africa, with an estimated 142,000 open positions, and Latin America, with 136,000.

According to (ISC)², the cybersecurity workforce shortage is putting companies at risk of harmful cyberattacks. The lack of cybersecurity staff created "extreme" or "moderate" risk for 59% of the organizations surveyed.

"Unlike a lot of technology, security doesn't have an easily definable ROI, and I've given up trying to chase that," McCumber said. "The reason is because it's risk management."

Roughly 48% of companies represented in the survey expected to increase cybersecurity staffing in the next 12 months, while 39% anticipated no change; 5% expected a decrease, and 8% didn't know.

"The 48% of businesses are looking to increase their staff because they've realized that what they have currently is not suitable for the risk that they carry," said Tony Vizza, (ISC)² director of cybersecurity advocacy for the Asia-Pacific region.

Vizza noted that cybersecurity has some parallels with the early aviation industry, which has learned over the years to implement controls to prevent human error and better manage risk.

The top three qualifications for employment, according to the cybersecurity professionals surveyed, included relevant cybersecurity experience, 49%; knowledge of advanced cybersecurity concepts, 47%; and cybersecurity certifications, 43%. Graduate and undergraduate degrees related to cybersecurity scored lowest at 21% and 20%, respectively, the survey found.

Almost half expect cybersecurity staff to increase

Broader global workforce

While the cybersecurity workforce shortage comes as no surprise, the global cybersecurity community is becoming younger and more diverse than previous studies indicated, according to (ISC)². More than one-third or 35% of the cybersecurity professionals surveyed identified as millennials; baby boomers and generation X accounted for 49% of respondents.

Women represented 24% of cybersecurity professionals, a sharp increase from the 11% shown in other studies. The difference may be attributed in part to a "broader view of who works in the field," according to (ISC)² researchers.

The study found that on average, cybersecurity professionals have worked in IT for 13 years, with seven years spent on security-related tasks. Roughly 65% of cybersecurity professionals reported to IT directors or C-level executives whose primary function was not related to cybersecurity.

The annual salary of the cybersecurity professionals surveyed, on average, is $85,000, according to (ISC)². Cybersecurity professionals with certifications earned more, at $88,000; those without earned less at $67,000.

The cybersecurity workforce shortage has also affected the professional growth of current employees, the report found. The biggest job concerns, according to the cybersecurity professionals surveyed, involved lack of skilled or experienced cybersecurity personnel, 37%; as well as resources to perform successfully, 29%; budget for key security initiatives, 28%; and time to do the job effectively, 27%.

Some cybersecurity professionals indicated a desire to shift priorities from time-consuming tasks such as security administration, network monitoring and incident response to "high-value cybersecurity" areas such as threat intelligence analysis, penetration testing and forensics. However, the majority of respondents expressed job satisfaction; 21% indicated they are "very satisfied" and 41% are "somewhat satisfied."

"Most people are satisfied with their jobs," McCumber said. "Who knew?"


Security professionals often claim they can't find jobs, yet there's a workforce gap. Is it a skills shortage or poor communications with hiring managers and human resources?
One thing that should be addressed rapidly is a given organization's inclination to throw kitchen sink job descriptions to the candidates without really knowing what they actually need. While this could be said for other professions, it is acutely present in InfoSec and until a wider adoption and structured approach to this (NIST NICE being a good example) is adopted, I do not see it improving. When I see a job description that covers three InfoSec positions as an expectation for one human being, I don't bother reading further.
Agree. Good point. Many in this space don't know what they are looking for.
Standards will be important to help direct them to address the right things.
Enforcement will also be important like HIPAA in the healthcare space.

Interesting question. I would suspect a problem exists on both sides of the interview process. On one side, the initial screening and interview process within the organization is probably performed by people who have no idea what they're looking for or asking the candidates about. Thus potential superstars may never make it in the door for the next round of interviews. On the other side of the spectrum are the candidates. I would suspect many are new graduates entering the workforce to help address this shortage and probably do not interview well or demonstrate a great understanding of the business environment. Even those who have a few years of experience likely don't have a great understanding of how business operates, as they haven't been in the business world long enough. In addition to having the technical skills for deploying the many great tools now available in the cyber security space, you must understand how the business works in order to deploy them properly within the organization. I am optimistic that the current wave of millennials entering this market place will quickly learn and excel in this space. Just gotta get them in the door.
I concur with most of the comments here. As an information assurance student nearing graduation, I have found limited opportunities for entry-level information security jobs on the job market. It seems as if the market is only wanting CISSP qualified professionals with at least 3-5 years of experience, failing to recognize the potential of emerging IA professionals that have demonstrated their commitment to the field. I have also heard of prior experience being sought after, for instance in critical reasoning fields; I, however, have not had this experience.