The More Things Change in Cybersecurity, the More They Stay the Same

Author: Jon Brandt, Director, Professional Practices and Innovation, ISACA
Date Published: 4 May 2021

Amidst a global pandemic that prompted a wide range of governmental response actions and mandates, the cybersecurity industry was largely untouched, as shown by respondent data to ISACA’s State of Cybersecurity 2021: Global Update on Workforce Efforts, Resources and Budgets. This year’s report reinforces past reporting and, in certain instances, mirrors prior year data. Bottom line up front – staffing levels, hiring and retention remain pain points across the globe, and cybersecurity budgets continue a downward trend. It is hard not to be discouraged that despite so many investments by governmental entities, industries, as well as education and training partners, the situation has largely remained unchanged.

Reporting of cybersecurity skills gaps or talent shortages has historically been overly broad, so ISACA continues to refine survey questions to glean new insights that can shed light on the inadequacy of today’s supply pipeline. Such data is necessary to inform meaningful changes that ultimately positively influence cybersecurity’s human resource woes. From my perspective, an inconsistent lexicon remains an issue among all those working the problem. Reporting was long coined a skills gap, and over the past few years began to morph into a talent gap which, while closer to the truth, seems to muddy the waters when what is ever-present is an imbalance in cybersecurity’s human capital inventory or, more simply stated, supply vs. demand. In other words, we have a shortage and, to be more specific, a labor shortage. To acknowledge the technical nature of any IT-related occupation, perhaps shortage of skilled labor is most appropriate? The problem with this depiction, however, is that the overwhelming gap in today’s cybersecurity workforce is reportedly not technical but rather a lack of soft skills. According to the State of Cyber data, soft skills came in at 56 percent, with all other response options no closer than 20 percentage points. It is worth emphasizing that although soft skills are the largest reported area for improvement within the cybersecurity workforce, there also remains a persistent and growing need for technical individual contributors.

The continuance of soft skills as the major shortfall among modern practitioners is one that problem-solvers must acknowledge and act on. Examples of soft skills include communication skills, leadership, critical thinking, teamwork, work ethic and positive attitude. On occasion the terms grit or perseverance are highlighted. While several of these skills can be taught, the question becomes who is responsible for solving the shortfall. For those already in the workforce, one might assume responsibility falls on the employer, but which functional area – if any – funds it? And if not the employer, can we require existing employees to remedy an issue that was likely never specified in a job description?

From a financial resourcing perspective, all indications are that cybersecurity spending has normalized with slight year-over-year improvements noted in the “Significantly underfunded” and “Somewhat underfunded” responses to the question about organizational cybersecurity budgets. With the global pandemic enduring more than a year now, it is quite feasible that training budgets will be adversely affected as enterprises continue to wrestle with cost-saving measures. Should this occur, it could make an already bleak situation worse.

For those companies with robust professional development programs, the soft skills gap might be easily addressed for existing staff. This might be useful when transitioning employees from other business units into a cybersecurity role. After all, there is something to be said for those who already understand corporate culture, mission and stakeholders. I would argue that at least here in the United States, the issue of soft skills is a national-level discussion, especially when academic standards involving science, technology, engineering and math (STEM) have taken center stage for many years now.

Especially concerning to me is the increased reliance on technical communication devices both in and out of the formal classroom. Social media and text applications have become mainstream and have weaved their way into most customer support options for companies. Additionally, over the course of the past year, scores of students attended school virtually, which surely increased the frequency and scope of non-verbal communications. But communication is but one soft skill.

Critical thinking, which includes analysis, interpretation, inference, explanation, self-regulation, open-mindedness and problem-solving, is imperative for cybersecurity professionals. Critical thinking is more important than ever due to the rise of disinformation. We appear to be setting up tomorrow’s leaders for failure long before they get their first job.

Time to retool hiring practices
Cybersecurity remains a lucrative career field for those who are interested and have the aptitude. The latter appears to be gaining traction as a primary focus area among hiring managers when it comes to entry-level jobs, which simply are not plentiful. I am curious how large the pool of prospective cybersecurity practitioners sitting on the sidelines with skills atrophying is, having completed some related program but unable to find a position because vacancies are mid-level or above. The ongoing pandemic is a tremendous change agent, so hopefully those involved with recruitment are challenging all assumptions and retooling their hiring practices.

About the author: Jonathan Brandt, CISM, CDPSE, CCISO, CISSP, CySA+, CPI, PMP, is an information security professional practice lead in ISACA’s Content Development department. In this role, he contributes thought leadership by generating ideas and deliverables relevant to ISACA’s constituents. He serves ISACA departments as a subject matter expert on information security projects and leads teams whenever external resources are necessary. Brandt is a highly accomplished U.S. Navy veteran with more than 25 years’ experience spanning multi-disciplinary security, cyber operations, and technical workforce development. Prior to joining ISACA, Brandt was a project manager for classified critical infrastructure projects across the globe. Formal education includes a B.S. in Cybersecurity and M.S. Ed in Workforce Education and Development.