How Can We Address the Cybersecurity Skills Gap?


A 2019 report from Burning Glass noted a 94% growth in the number of cybersecurity job postings since 2013. Unfortunately, the available pool of workers with the cybersecurity skills needed to fill these roles has not risen in proportion, creating a significant gap. What can be done to increase the available pool of candidates?

Cybersecurity Skills Gap

The Challenges at a Glance

There are significant challenges that contribute to the off-kilter balance between the number of cybersecurity professionals and the number of organizations that desperately need them. According to Cybersecurity Ventures, the unemployment rate of cybersecurity roles has been at a staggering zero percent since 2016 with no signs of changing. Simultaneously, there is an underlying skills gap where critical security roles are left unfilled due to a seeming lack of qualified candidates. What is going on here?

  • The Catch-22 of Cybersecurity: There’s a clear need for cybersecurity talent, but companies are often seeking candidates with accreditations that require extensive professional experience. This leaves recent graduates and other entry-level talent with difficulties finding roles where they can gain the experience they need to qualify for highly sought-after certifications.
  • High Demand, Low Supply: Even with the availability of cybersecurity training programs increasing, the available talent pool simply cannot keep up with the rising demand for cybersecurity roles. According to Cyberseek, there were 270,000 openings for Information Security Analysts from October 2018 - September 2019, yet there were only 112,000 workers employed for that role.
  • Costs of Talent: With the clear divide between the availability of cybersecurity talent and the ever-increasing demand for their skills, the salaries that established security professionals can demand have naturally increased. According to the report from Burning Glass, the average advertised salary for a cybersecurity job is now $93,540.
  • Costs of Education: The cybersecurity landscape is constantly evolving, requiring security professionals to regularly upgrade their skills and knowledge. The costs of acquiring new certifications and renewing existing ones become a significant hurdle for existing and upcoming professionals if they’re forced to pay for these expenses out-of-pocket.

Challenge 1: The High Demand for Cybersecurity Skills

While the zero percent unemployment rate is clearly a leading indicator of the incredibly high demand for cybersecurity skills, there are plenty of other staggering statistics that paint a clear picture of the rising demand and the forces driving it. For a clearer view of the unbalanced supply and demand of cybersecurity talent in the US, check out this heat map from Cyberseek.

  • Cyberwarfare: Iran, China, North Korea, and Russia are investing in their cyberwarfare capabilities; naturally, this has caught the attention of the US. Global powers are increasingly recognizing that maintaining a workforce with strong hacking and cybersecurity skills greatly increases their espionage and attack capabilities while simultaneously bolstering their ability to defend against cyberattacks from hostile forces.
  • Fulfillment Time: General IT roles are among the hardest-to-fill jobs in the market, with an average 41-day period before a successful candidate is hired. A recent report from Burning Glass has shown that cybersecurity roles are even more difficult to fill, with an average of 50 days passing before a successful candidate is placed.
  • Data Privacy: The evolving data privacy landscape has introduced extra-jurisdictional enforcement of data security and data privacy legislation, leading to a heightened demand for skilled workers that can assure compliance by protecting sensitive data against common security threats such as mismanagement and illicit exfiltration.

Challenge 2: The Talent Shortage & Skills Gap

While there’s certainly no shortage in employment opportunities, the businesses that need skilled candidates to fill critical security roles are having difficulties finding and recruiting the talent they need. Cybersecurity professionals looking to advance in their careers by taking on these roles are often faced with rigid demands for particular industry certifications that are cost prohibitive for them to attain on their own time.

The InfoSec Institute has reported that there is a global shortage of nearly 3 million cybersecurity professionals, with an estimated 498,000 openings in North America alone. Cybersecurity Ventures estimates that by 2021 there will be a grand total of 3.5 million unfilled cybersecurity jobs.

This incredible gap in available talent has naturally driven up the salaries that security professionals can command, further exacerbating the difficulties that small-to-medium businesses have in maintaining the security of corporate data. This creates a significant vulnerability for small businesses that cannot fiscally maintain their own IT security staff, making them an increasingly valuable target for cybercriminals.

Further complicating the skills gap is the lack of early job experience opportunities for upcoming security professionals. While entry-level roles certainly exist, companies that have significant data security requirements will require experienced talent that can readily address their needs, making upcoming talent that they can build up over time a less attractive option.

How the Gap is Being Addressed

The 2019 Cybersecurity Workforce Study from (ISC)2 estimates that a 145% growth in the cybersecurity workforce is required to properly fulfill current demands. In an effort to help bridge this gap, a number of government, private sector, and academic organizations are working together to create the resources that are needed to attract new prospects to the field and bolster the capabilities of current talent.

  • Early Introduction: Outreach programs are being created to educate K-12 students on potential careers in cybersecurity, giving them an opportunity to speak with seasoned professionals who can point them to the education and other resources they need.
  • Scholarships: To help address the costs of cybersecurity training, a number of institutions are offering scholarships that help potential talent achieve the fundamental education that many organizations demand.
  • The “New Collar”: Employers of cybersecurity talent often rely on academic degrees to determine the aptitude of potential candidates. The “new collar” approach advocates that the focus be shifted to nontraditional educational pathways where security talent learns the skills they need throughout their careers from other sources such as first-hand experience, community colleges, and software boot camps.
  • Building From Within: In line with the New Collar approach, employers can leverage the transferable skills of their existing workforce to recruit and train potential cybersecurity talent from their currently available talent pool. Employees with a keen interest in cybersecurity and an aptitude for continuous learning can take on cybersecurity roles in their organizations when provided with support and investments in skills training from their employers.

A significant force for addressing the skills gap is going to be a shift away from traditional education and a greater emphasis on employees with transferable skills and a genuine passion for security. Prospects that are quick to learn, eager to continue learning, and have solid research skills are going to be heavily relied on to develop the cybersecurity skills needed to fulfill core functions. Employers will need to do their part by investing in the skills development of their employees over the long term, making security knowledge prevalent throughout their workforce.


The world will always need workers that are skilled in cybersecurity. Workers need to be provided with the resources they need to build the necessary skills and there needs to be a change in the way candidates are deemed to be qualified for critical roles. Employers need to work to understand the transferable skills, non-traditional experiences, and genuine interests that indicate a candidate's potential to excel in a cybersecurity career.