Micro Focus is now part of OpenText. Learn more >

You are here

You are here

The state of the cybersecurity job field: 5 key factors you need to know

Jaikumar Vijayan Freelance writer

Many cybersecurity team leaders continue to face challenges finding qualified cybersecurity professionals to fill jobs in their organizations, despite the relatively high salaries and stability associated with the field.

In a skills survey specific to security operations centers (SOCs) recently published by Cyberbit, about six in 10 respondents said that barely half of all applicants for cybersecurity positions they received were qualified. Two areas where SOC teams felt most unprepared: lack of adequate skills in intrusion detection, and network monitoring, with 55% and 58% respectively identifying them as major areas of concern.

Concerns over inadequately prepared cybersecurity job applicants come even as demand for cybersecurity jobs remains strong. Jobs in the cybersecurity sector will grow by 31% between 2019 and 2029, or much faster than the average for virtually all other occupations, the US Bureau of Labor Statistics has projected.

In 2020, the worldwide cybersecurity workforce gap—or the difference between the number of skilled professionals required to protect organizations and the number available to fill those roles—declined slightly, according to (ISC)2. Even so, the cybersecurity gap was an astonishingly high 3.12 million people worldwide, and 359,000 in the US alone.

Here are five factors security experts say are key to understanding the difficulty that organizations have in finding suitable candidates for open cybersecurity jobs.

1. The HR and cybersecurity communication gap

A disconnect exists between HR and the information security team at many organizations. Cyberbit's survey found that HR departments often do not have a clear idea of cybersecurity roles and the requirements for those roles; in fact, just one-third of the respondents to the survey felt that HR understood those requirements. The gap can often affect an organization's ability to attract the right talent for the cybersecurity team.

Clar Rosso, CEO at (ISC)2, said that recruiting managers need to be willing to work hand-in-hand with security team members to get a clear idea of the attributes they need to look for in candidates. Hiring managers need to make sure they understand what opportunities the security team will provide for candidates to learn technical skills on the job and to support professional development.

Importantly, pay attention to how you craft job descriptions, said Deidre Diamond, founder and CEO of cybersecurity staffing and recruiting firm CyberSN. Make job descriptions as detailed as possible and avoid making requirements overly broad or ambiguous.

Job descriptions matter, and they are being done incorrectly,especially when it comes to finding qualified people who aren't actively seeking jobs but whom you might still want to talk to, Diamond said. 

"Job descriptions need to speak to the tasks and projects that an employer needs handled, not a list of qualifying technologies."
Deidre Diamond

2. Misperceptions about the profession

Wrong perceptions about cybersecurity may be holding back people from entering or exploring the field as a career option. A 2020 study from (ISC)of 2,500 individuals in the US and UK who are not currently in the cybersecurity field suggests that not enough job seekers are considering a cybersecurity job to close the gaps.

Despite a ready availability of jobs, relatively high salaries, and good job stability, many are not drawn to the field because of mistaken perceptions of what the work entails. Many individuals consider the cybersecurity profession to be one that requires a high level of specialized technical skills, the survey found.

Though 69% agreed that cybersecurity might offer a good career path, 61% felt that they would need more education or certifications to enter the field. Some 27% felt that their inability to code was a disqualification, while more than one-quarter (26%) described the field as being too intimidating.

"We need to demystify cybersecurity careers,” said (ISC)2's Rosso. Careers in cybersecurity may be perceived as "highly specialized and unattainable by those outside the profession, when in fact many roles do not require technical skills," Rosso said. Though 22% of respondents in the (ISC)2 survey said they would entertain pursuing a career in IT, none were interested in cybersecurity, likely because they see it involving an elite set of skills within IT that would be too difficult to attain.

"We are actively working with government, academia, and businesses globally to ensure role-based competencies are identified at the right levels. [Those already in the field need to let others know] what it really takes to be a cybersecurity professional and the great professional rewards that come with helping protect the data, systems, and infrastructure of the world's businesses and governments."
Clar Rosso

3. An overemphasis on college creds

One reason why some organizations have a hard time finding cybersecurity professionals is that they insist on hiring only people with formal four-year degrees in cybersecurity. That's a mistake, said John Pescatore, director of emerging security trends at the SANS Institute. 

"Inquisitive people don’t really need traditional four-year degrees to be successful and impactful."
John Pescatore

What they do need is hands-on experience with cybersecurity, rather than merely having attended classroom lectures that talk about doing something. This is especially true for entry-level cybersecurity jobs, he said.

Many university cybersecurity degree programs tend not to be very useful to hiring organizations because of their overemphasis on a lecture-driven format, Pescatore said. Often, they are also not especially exciting to creative, inquisitive, and analytical individuals seeking a career in cybersecurity, he added. "This has largely been true in software engineering for many years," he said.

And now many of the same colleges that have been teaching software engineering have sort of grafted on cybersecurity to how they were teaching computer science. "Hirers found that new hires with those degrees either took a long time to be productive or really weren't good fits for the mix of skills needed to succeed or even have fun in a cybersecurity career," Pescatore said.

Pescatore advocates that organizations consider individuals with certified hands-on skills in cybersecurity rather than focusing just on candidates with formal four-year degrees.

"SANS has found that community colleges—many of which are experienced in certification of medical equipment technicians—are a fantastic place for the right mix of theory and hands-on education."
—John Pescatore

(ISC)2's Rosso said there is a tremendous opportunity to build cybersecurity core competencies into formal educational channels. Over 75% of respondents in a study that (ISC)2 conducted last year said they had never been offered a cybersecurity curriculum during their formal education.

"There's still not enough formal cybersecurity education to give people a proper understanding of what cybersecurity roles entail, which leads to misperceptions about the field."
—Clar Rosso

4. Overly technical thinking

Hiring managers should think more broadly about the requirements for cybersecurity roles. Academic degrees in cybersecurity and certifications in the field are important. But not all roles require technical skills. In fact, plenty of opportunities in the cybersecurity field are good fits for nontechnical professionals.

Tom Pendergast, chief learning officer at MediaPro, a security training firm, said cybersecurity workforce discussions often focus on technical and information security-related skills.

"There's a lot of room on the human side of cybersecurity training and awareness space for people who write and communicate well, who can distill complex policies into clear directives, and who can help people appreciate and connect with their cybersecurity teams."
Tom Pendergast

People who majored in English, communications, and marketing—and others with similar backgrounds—can find a home in security and privacy awareness, Pendergast said.  (ISC)2's Rosso urges hiring managers who are looking for cybersecurity staff to consider factors including the abilities to work on cross-functional teams and to assess risk. 

5. A lack of coding skills

Individuals looking to break into the cybersecurity profession—and those in it already—can help themselves and their employers by picking up coding skills, said CyberSN's Diamond. In fact, one of the best skills to break in at the entry level is Python coding, she said.

Python is used in daily cybersecurity tasks, including automation, cloud environments, malware analysis, and portions of AI, she said. Python was designed to be a straightforward and generally lightweight scripting language that would require minimal coding background to accomplish automation and analysis. "So it has become a sort of go-to scripting language for cybersecurity professionals."

The adoption of agile and CI/CD software development models—and the consequent focus on DevSecOps—has increased the need for coding skills, or at least a familiarity with coding, for cybersecurity professionals.

Corporate cybersecurity will increasingly require application security engineers and DevSecOps professionals to integrate automation into software development pipelines, to mitigate risks in APIs and production software, Diamond said.

So, while coding still is not an absolute must-have skill for cybersecurity at the moment, it is increasingly becoming a good-to-have capability.

"Generally, an understanding of coding concepts is essential for automation and continuous growth as a cybersecurity professional. It is a skill that can be acquired as a person gains experience and learns along their career."
—Deidre Diamond

Make changes in your security-hiring practices

A number of factors are continuing to hamper the ability of information security leaders to find adequately prepared individuals for cybersecurity jobs.

Tackling the issue requires some fundamental changes in how organizations approach requirements for cybersecurity roles and how well they communicate those requirements to candidates, especially those who may want to enter the field but are staying away from it because of misperceptions about the profession.

Keep learning

Read more articles about: SecurityInformation Security