The Recruitment of Cybersecurity Professionals: Strategies to Address Talent Shortages and Expertise Gaps
A recently published study and expert panel organized by the International Information System Security Certification Consortium (ISC2) has highlighted that the technology sector urgently needs more cybersecurity experts while facing significant challenges.
The 2024 ISC2 Cybersecurity Workforce Study, based on insights from 15,852 cybersecurity professionals and decision-makers worldwide, revealed that 90% of participants encounter shortages in specific skills within their organizations. These gaps are particularly pronounced in fields such as artificial intelligence, cloud computing security, and the implementation of zero trust frameworks.
Some of these deficiencies may arise from discrepancies between job seekers’ expectations and what prospective employers offer. During a panel discussion titled “Bridging the Gap: Challenges in the Cyber Workforce” on September 10, Brandon Dunlap, Gartner’s senior executive partner in security and risk management, mentioned the common scenario of demanding “entry-level jobs with five years of experience.”
On a global scale, the shortfall in the cybersecurity workforce stands at 4.8 million professionals, according to ISC2 (which clarifies that this number may not align with the actual number of vacant positions). This translates to a 19% disparity between the roles required to fortify systems and the professionals adept at fulfilling these roles. Despite this, certain countries, including Canada, Brazil, Mexico, the Netherlands, and Spain, have witnessed a reduction in this gap.
Challenges in Defining Cybersecurity Roles
These impediments can hinder companies from filling vacancies or make it arduous for job seekers to locate suitable positions. Defining cybersecurity roles can pose a considerable challenge for HR teams. Simon Salmon, an ISC2 instructor and head of IT at Nottingham City Council, compared referring to “cybersecurity” as a blanket term to mentioning “medicine” without specifying the medical specialization.
Dan Houser, chair of the ISC2 board of directors, stressed the importance of engaging in thorough discussions with recruiting and staffing personnel to ascertain the specific requirements for hiring suitable talent.
Emerging Trends: Budget Constraints and Rise in Layoffs
Many organizations prioritize hiring for intermediate to advanced roles, indicating a lack of initiatives to nurture foundational skills. Among the surveyed entities:
- 39% identified insufficient budgets as the primary cause of cybersecurity skill shortages, compared to the previous year’s emphasis on talent scarcity.
- Layoffs have increased by 3% year-over-year, reaching 28%.
- 37% of companies have experienced budget reductions, marking a 7% rise from the previous year.
- There has been a 6% surge in hiring freezes, affecting 38% of organizations.
Houser highlighted the issue of companies failing to offer competitive salaries, particularly government positions struggling to match the pay levels in the private sector.
Addressing this, Houser pointed out, “The challenge lies not in the scarcity of labor but in the availability of labor at a reasonable compensation rate.”
Lisa Young, vice chair of the ISC2 board of directors, emphasized that companies should provide fair remuneration, cultivate a supportive and collaborative work environment, and ensure employees feel valued and empowered to contribute meaningfully.
She questioned, “How often do businesses express gratitude for our efforts?” This aspect poses a particular challenge in cybersecurity because “the absence of negative incidents is often viewed as successful,” she noted. “The effectiveness of our work is frequently inconspicuous.”
Nurturing Novice Professionals
While experienced professionals tend to sustain high job satisfaction as they progress in their careers, nearly one-third of surveyed organizations disclosed a lack of entry-level cybersecurity personnel.
Although larger corporations are more inclined to offer entry-level and junior roles (1-3 years of experience), the predominant focus of most entities remains on recruiting for intermediate to advanced positions. This practice may contribute to the proficiency gap by neglecting the cultivation of a talent pool capable of eventually assuming senior positions as seasoned employees retire or depart.

Dunlap recommended additional initiatives to bolster cybersecurity job growth:
- Establishing cybersecurity training schemes.
- Linking employee compensation to training efforts.
- Launching internal mentorship programs, matching mentors with employees based on compatibility.
Given the rapid evolution of the technology landscape, Young stressed the importance of continuous professional development. Continuous learning enables professionals to acquire the skills needed to address the technical gaps highlighted by ISC2, among which artificial intelligence/machine learning, cloud computing security, zero trust implementation, digital forensics, and application security rank high on the list.

The report uncovered a discrepancy in perceived versus desired AI competencies: while 23% of cybersecurity professionals acknowledge the demand for AI/ML skills, only 12% of recruiters seek these skills for cybersecurity roles.

Opting for Early Recruitment or Unconventional Sources
According to Dunlap, vocational schools and community colleges can serve as abundant talent pools for cybersecurity professionals.
Salmon is involved in a project that identifies adolescents possessing the soft skills essential in cybersecurity (traits such as eagerness to learn, effective customer communication, personable demeanor, and punctuality) and provides them with technical training.
“Remarkably, we noticed that individuals with neurodivergent conditions or dyslexia were often overlooked, yet they showed exceptional performance,” explained Salmon.
“By promoting inclusivity, we can help combat the shortage,” Salmon emphasized.
