For as long as I’ve worked in cybersecurity career education, over a decade, there has been a widening talent gap. Hundreds of thousands of jobs are unfilled. Every year since 2019, the cybersecurity programs at Bay Area community colleges have prepared over 400 students with skills, industry certifications, and credentials for entry-level roles, only to be told by hiring managers that they need 5 years of experience for those jobs.
Meanwhile, those same managers compete for talent they consider qualified from a pool of mostly unhappy, job-hopping cyber professionals. According to 2023 research commissioned by the Information Systems Security Association, nearly two-thirds of the 301 respondents believe that working as a cybersecurity professional has become more difficult over the past 2 years, and only 44% really enjoy the work.
Why? Here’s what they say:
- Over a third said their organization is struggling to keep up with turnover/attrition
- Twenty-five percent say their organizations don’t offer opportunities for growth and promotion
- Twenty-three percent believe their organization doesn’t put enough resources into training non-security IT staff for cybersecurity roles
These are symptoms of a legacy leadership dilemma that has plagued IT organizational culture for almost 3 decades. People aren’t as important as the work to get done. If there was ever a dire reason to stop this trend, it’s the lack of talent needed to protect and defend our information and infrastructures.
According to Cyberseek, as of October 2023, there are 572,392 cybersecurity job openings in the US, a 74% increase since 2010. There are over a million cybersecurity professionals in the US, but that’s only enough to fill 72% of the job demand. Per the ISSA study, the shortage is particularly severe in aerospace, government, education, insurance, and transportation – critical infrastructure.
Granted, cybersecurity can be hard, stressful work. Top reasons cited were:
- Overwhelming workload
- Working with disinterested business managers
- Finding out about IT initiatives/projects that were started by other teams within the organization with no security oversight
- Keeping up with the security needs of new IT initiatives
- Constant emergencies and disruptions that take away from primary tasks
No wonder these cyber professionals are stressed, unhappy, and seeking something different. The ISSA study analysis suggests that these issues are ones that organizations control. No doubt, but what’s not working?
Training up existing IT staff and entry-level hires and offering opportunities for growth or promotion for those pros who have been around awhile is worth the investment. Organizations with initiatives to train and develop internal talent – rotating job assignments, mentorship programs, and encouraging employees outside of cybersecurity to join the field – are least likely to have shortages. Yet too few are willing to make that investment in futures, and they let the turnover/attrition problem be a justification. It’s a vicious cycle.
As a result, IT leaders and the cultures they sustain are highly transactional in how they deal with people, and this is not unique to the cybersecurity workforce. It’s exacerbated by the growing need for cyber talent and the lack of leadership strategies to break the cycle.
The cybersecurity talent gap is a leadership problem.
The top reason people leave a job is to get out of an unsupportive, unhealthy, toxic workplace culture and away from the bad managers substantiating that culture. The top reason employees are attracted to and stay with an organization is opportunities for learning, career, and personal development. Underlying that reason is the feeling that management cares and is trustworthy. They are true leaders.
Unfortunately, cybersecurity leaders are not immune to the toxicity of the culture. A 2022 report from Savanti found that Chief Information Security Officers (CISOs) are hired, managed, and evaluated as technical experts rather than business leaders. That skills gap is also creating unsustainable job churn at that level, stunting an organization’s ability to build a long-term strategy.
Approaches to closing the cybersecurity talent gap need to include leadership development. As the research cited above reveals, the issues are in the organizations’ control, meaning they are the outcomes of management decisions, behaviors, and practices. Too often, initiatives to develop internal talent and address the shortage, such as those suggested above, are short-lived when leaders abandon the long view under the pressure of the technical, transactional nature of cybersecurity work.
Transformational leadership emphasizes long-term vision, inspiration, and personal growth, while transactional leadership focuses on short-term goals, compliance, and structured procedures. Learning to understand and recognize the value of both styles and how to adapt the approach to meet the needs of their people and organizations prepares cybersecurity leaders to be the missing change.