The ongoing cybersecurity skills shortage…and how to fix it


In 2023, the National Cyber Security Centre reported a 64 per cent rise in cybersecurity incidents considered serious enough for investigation. Yet, growth in the cybersecurity workforce is still marred by a major skills deficit as talent flows continue to place strain on organisations. 

So what skills is the industry lacking and, as budgets continue to be squeezed, how can it do more with less?

A supply-demand imbalance

For smaller businesses, there is a clear shortage of ‘jack of all trades’-type candidates. This is becoming increasingly true as cyberattacks become more niche and sophisticated, causing experts to focus on a specific discipline within the market instead.

In the wider cybersecurity industry, we are still seeing a lingering talent and skills deficit across the board. Whether it be analyst work, engineering or consultancy, all of these areas are facing the same issues.

However, this isn’t due to a lack of candidate interest. Instead, it is a supply-demand imbalance. Whilst there are numerous candidates eager to break into the industry, entry-level opportunities are scarce. And when you look at mid-level positions the opposite is true: there are plenty of positions but not enough people to do them.

Discrepancy in salary expectations

Talent levels are also being impacted by an emerging discrepancy in salary expectations. 12 to 18 months ago, the high demand for cyber talent, spiked by increased homeworking security needs, forced salaries to rise to overinflated levels. As a result, we’re currently seeing candidates who, in the grand scheme of things, have limited experience–only having worked two to three years in the field–but who are putting themselves in a higher salary bracket.

Meanwhile, companies are trying to bring salary rates back down to a more sustainable level and are not willing to pay these inexperienced candidates more than they believe they are worth.

We’re therefore seeing an impasse develop where companies are not willing to either drop the requirements and lessen the experience level to match what they want to pay, or to increase salaries to meet candidate expectations. In other words, some businesses are hoping for a lot for relatively low pay.

However, we are seeing signs that a balance is returning. Desperate times call for desperate measures and candidate expectations are likely to shift, particularly if redundancies push people out of work, forcing them to take lower pay.

Additionally, whilst salaries remain relatively unbudgeable, with businesses unwilling to eat into their profit margin or pass costs on to the customer, we may see a trend of employers softening on other areas, such as experience requirements.

So, what can companies be doing to plug this skills gap?

Looking ahead

To ensure that more entry-level candidates are securing roles in the market, there needs to be a greater onus on forward planning. Up until recently we’ve seen many reactive roles being advertised, where the candidates are needed to fulfil a function immediately and hit the ground running. These positions lend themselves to candidates moving sideways rather than up.

Ideally, if more time could be given to putting a growth plan in place and hiring based on future need, there would be an opportunity to bring in entry-level candidates and give them time to train to the level of expertise required.

This trend of ‘reactive’ hiring has been heavily influenced by the threat of recession earlier in the year, forcing wary businesses to strip back on anything other than necessity hires. As hiring picks back up, as we are anticipating it will in 2024, scoping out where growth could happen in the next 12 months, considering the timeframes needed to train new candidates and starting the ball rolling on hiring entry-level talent earlier will help to future-proof business growth.

Improving diversity

A lack of diversity in cyber is a recognised issue. But while the will is there, there is a clear lack of knowledge on how to improve in this area. As a result, policies often come in the form of a tick box rather than forming part of a strategy. 

Ultimately, businesses need to find the best person for the job and are simply looking for those with the skills necessary to carry out the role, regardless of gender. But with the majority of the cyber market still occupied by men, there are simply not enough female candidates in the talent pool to begin with. As the industry cries out for talent, it’s crucial that more is done to open up the industry and not just to fill gaps, but also to improve innovation.

It is widely accepted, for example, that on average women demonstrate a keener eye for detail than men, making them perfectly suited towards cybersecurity roles. 

Neurodiverse candidates can also offer significant value in terms of skillsets and diversity of thought. Those with autism or ADHD, for instance, often demonstrate an ability to remain hyper-focused. 

Organisations should be examining the inclusivity of their employment policies and actively targeting neurodivergent people. By taking the time to understand the barriers that they may face, introducing training on unconscious bias, and championing diversity of thought, businesses can make pioneering leaps forward.

Building a security culture

To approach cybersecurity on a budget, businesses should be focused on building a security culture, increasing awareness across the entire team and hiring the correct personnel. In other words, instilling a ‘security-first’ mindset across the whole workforce, and making security everyone’s responsibility. 

Simply training employees to become more aware of security attacks and attackers’ methods is an effective way to reduce the number of successful cyberattacks.
