The cybersecurity skills gap is a real threat — here’s how to address it

• The rapid expansion of the digital economy — and our growing reliance on it — make cybersecurity an absolutely critical profession.
• The world needs 3.4 million cybersecurity experts to support today’s global economy, but the industry is struggling to fill that gap.
• The World Economic Forum is convening a multistakeholder initiative to help fill the global cybersecurity skills gap.

We’re investing billions in digitalising our economies. This spurs economic growth — but it could also bring us to a world where the lights don’t stay on, salaries aren’t paid and public services are strangled.

The World Economic Forum’s Global Cybersecurity Outlook 2023 report shows that the sectors like electricity, payments and hospitals are most at risk because they face the largest critical gaps in access to skilled cybersecurity professionals.

Such a shortage leaves these key parts of our societies vulnerable to cyberattacks.

Cyber talent shortage — a global problem

According to the Future of Jobs 2023 report, cybersecurity is among the top strategically emphasised skills for the workforce. Yet, there is a shortage of 3.4 million cybersecurity experts to support today’s global economy. This number is only expected to grow as the impact of emerging technologies is felt across organizations. To illustrate, while the rise of large AI language models has its benefits, it also heightens cyber threats such as phishing and identity fraud which add to the workload of overstretched cyber teams.

Given the global nature of the challenge, no single actor alone can find the solution. It requires collaboration across the public and private sectors. We must prioritise thoughtful investment in the creation and expansion of cybersecurity talent. This endeavour gives us an opportunity to create skilled, socially valuable and long-term careers for people from all walks of life and in all regions of the world.

To bridge the talent gap, the following three key areas require attention.

Addressing the misperception

‘People think that cybersecurity is something that’s highly technical. Yes, some roles require deep technical expertise, but cybersecurity is a vast domain and making an organization cyber-resilient also requires generalist roles that need a broader skillset.’
Bobby Ford, Chief Security Officer, Hewlett Packard Enterprises.

The cybersecurity industry suffers from the misperception that professionals require a technical background in IT security or engineering, discouraging non-traditional candidates from pursuing a career in the field. However, many technical skills required for cybersecurity roles can be acquired on-the-job with proper training and development. Apprenticeships have a clear role in bringing people into the cybersecurity field. The explosion in demand for cybersecurity professionals is a clear opportunity to create skilled and long-term careers for people who have fallen outside of the formal education system or whose education was not in a technical subject.

Societies need to institutionalise collaboration between the private sector, which owns and manages most IT infrastructure, and governments, which are best positioned to shape systems of education and public service that facilitate the training of cybersecurity experts.

On the local level, more needs to be done to raise awareness of cybersecurity career paths and how the sector is open to everyone — from engineers to artists. The training of people from some of the most economically deprived backgrounds in countries like South Africa illustrates that cybersecurity is an accessible profession, albeit one that requires focused multi-year training programmes.

More than half of business and cybersecurity leaders report that they do not have enough people and skills — but the gap is closing. Image: Global Cybersecurity Outlook Report 2023

Widening the cybersecurity talent pool

Today, organizations are struggling to widen the cybersecurity talent pool due to weak communication of the benefits of working within the industry. This lack of clarity seeps into the behaviour of recruiters, who often struggle to define the scope of the role individuals are being hired for, which adds to the challenge of attracting talent. In fact, cyber job descriptions are often poorly defined and tend to combine several roles into a single position, which discourages potential candidates from applying.

To expand the talent pool, the industry should promote clear requirements for roles, including job qualities and skills. There will also need to be greater flexibility in hiring that perhaps focuses on capabilities over certifications.

Recruitment programmes that focus on diversity of candidate backgrounds, not just on computer scientists, have a track-record of success. So it should come as no surprise that 95% of cybersecurity professionals believe that “more could be done to encourage a greater recruitment drive of employees into cyber-security related roles”. Moreover, increasing emphasis is being placed on the importance of soft skills including effective communication, problem solving, strategic thinking and people management.

Diversity of the cybersecurity workforce from the point of view of gender and ethnicity is also essential. At present, women represent just 24% of cybersecurity professionals. The adoption of practices such as the provision of scholarships for women or other underrepresented groups in cybersecurity programmes can help promote cultural diversity across organizations.

<

Retaining cyber talent

Pressure and burnout are frequently listed as reasons why cybersecurity professionals leave their jobs — this needs to change. Research shows that 70% of cybersecurity labour feels overworked, and 25% of cybersecurity leaders will change jobs as a result of multiple work-related stressors.

To improve retention, public and private organizations alike must make sure they manage the underlying factors that contribute to high attrition rates and provide incentives, including flexible work arrangements, as well as employee wellbeing solutions.

What’s the opportunity?

The World Economic Forum is convening a multistakeholder initiative in order to accelerate public-private responses to filling the global cybersecurity skills gap and devise actions to help individuals enter and thrive in the cybersecurity workforce.

To that end, this new initiative will seek to raise awareness and knowledge amongst C-suite executives and decision-makers about cybersecurity skills deficit and its economic and security implications, and define strategic approaches and processes that will help build sustainable cyber talent pipelines within organizations and across sectors.

In doing so, the Forum’s initiative will develop a strategic cybersecurity talent framework to aid the recruitment and retention of cybersecurity professionals across sectors, ultimately contributing to the protection of the critical infrastructure that we rely on every day.