The Cybersecurity Workforce Shortage & Strategies for Success

Written by ForeNova | April 17, 2024

Cybersecurityventures.com reported that there are close to 3.5 million open positions in the cybersecurity field worldwide.

There is a shortage of over 347,000 cybersecurity professionals in Europe, with France alone lacking nearly 60,000 experts in 2023, according to (ISC)² estimates.

A significant element driving this skill gap is the increasing effects of cybersecurity breaches on organizations worldwide. The frequency and complexity of attacks compel organizations to continue to recruit and retain valuable cybersecurity talents.

This article discusses the importance of organizations understanding the workforce gap's root cause and the steps they can take to achieve their cybersecurity projection and compliance objectives.

Overview of the Cybersecurity Workforce Shortage

Organizations struggling to recruit and retain talent remain a global problem, not just in the United States and the EU. A contributing factor to this issue started during the COVID-19 pandemic. International technology firms like Google, Apple, Microsoft, and Amazon went on a hiring spree. This increase in hiring hurt other firms seeking similarly experienced talent. While this hiring spree affected most U.S.-based firms, global companies in the EU watched their cybersecurity resources being recruited aggressively by other organizations, including competitors.

After COVID-19, many technology companies laid off staff or restructured their organizations. In hindsight, this should have allowed many firms to capture the talent departing those companies. However, a challenging byproduct of the hiring-to-firing spree was the compensation model.

During the hiring spree, experienced security, application, and DevOps engineers commanded a much higher salary with a total compensation package close to $500,000 per year. During the layoffs, organizations attempted to restructure their compensation packages back to pre-COVID-19 levels.

Furthermore, the talent who were let go became very reluctant to lower their compensation demands, and they also wanted to work from anywhere. Employers struggled with this challenge, wanting people to return to their offices.

In 2024, with the demand for experienced cybersecurity talent still high, small-to-mid-sized organizations struggle to attract the right talent at a much lower compensation point.

Factors Contributing to the Shortage of Skilled Professionals in Cybersecurity

Compensation, demand, and a limited talent pool are just a few of the factors adding to the talent shortage. Another double-edged factor is the global adoption of artificial intelligence (AI) and machine learning (ML), which are becoming mainstay tools in every organization.

With the rapid growth and demand for ChatGPT-like capabilities, CEOs, CIOs, and COOs recognize the importance of AI becoming a critical component in transforming their business model. AI continues to find a home within organizations, including revolutionizing the customer experience with chatbots, leveraging Copilot for application development, and powering extended detection and response (XDR) for more efficient incident response.

Cybersecurity engineering talent skilled in leveraging AI will continue to be in demand. However, executives also quietly recognize the value of AI in helping reduce headcount, modernize their financial systems and operations, and cut costs in new product development. These dynamics could swing the compensation model back in favor of the employer.

This scenario could become a factor for many engineers considering a career in cybersecurity. They would be less likely to invest in acquiring industry credentials and degrees only to be replaced by AI soon afterward. AI could therefore make fewer people available for cybersecurity roles, causing organizations to invest more capital in AI and ML tools.

Note: Even advanced AI and ML tools need the talent to manage these solutions.

Impact of Cyber Threats on Organizations Without Skilled Professionals

A cybersecurity report projected that cybercrime costs would soar to $9.5 trillion by 2024 and over $10.5 trillion by 2025 globally. In the US, the potential loss from cyberattacks and fraud is estimated to exceed $10.2 billion in 2022, according to an FBI report.

The top five countries and regions with the highest average costs of a data breach globally were the Middle East ($8.07 million), Canada ($5.13 million), Germany ($4.67 million), and Japan ($4.52 million).

Ransomware attacks, data theft, and other cybersecurity attacks force organizations to spend valuable capital on cyber insurance and on hiring expensive cybersecurity architects and security incident engineers. The cost of this talent level continues to rise with the global demand for their skills. Entry-level employees with cybersecurity skills deficits create additional liability by not keeping up with responding to various attacks, including insider threats.

Regardless of the organization's size, a cybersecurity talent gap exists. An organization's employees must learn to leverage AI tools, handle thousands of cyberattacks almost daily, and manage their cybersecurity solutions. Otherwise, this will negatively impact the organization's security posture.

Cybersecurity Education Becoming Outdated Faster Than Before

More funding for security training is needed.

“In a recent report published in Dark Reading, 31% of respondents said a lack of budget is a significant challenge. More money means organizations must work with old technologies and struggle to prioritize employee training. This challenge puts critical systems and data at risk of being breached.”

Many advancements in AI and ML for cybersecurity defensive protection are years away from becoming a course within higher education. Many smaller schools and vendors need more educational offerings relating to AI and ML. Data scientists, a critical component within an AI strategy, have a head start regarding formal education curricula in many universities and private institutions.

Employees and employers must keep up with knowledge and certifications through continuous education that aligns with the constantly changing threat landscape. Many cybersecurity engineers who work in the security operations center (SecOps) become burnt out from handling the increased complexity and velocity of cyberattacks.

Meeting Compliance Regulations With Limited Cybersecurity Resources

Organizations in the EU specifically have several compliance and privacy mandates. These mandates include:

  • “General Data Protection Regulation: GDPR grants each individual the right to data privacy.” Organizations must deploy and maintain the proper cybersecurity protection layers, including firewalls, data encryption, SecOps incident response, and reporting. Failure to protect an individual's data results in fines.
  • DORA: “The Digital Operational Resilience Act aims to establish a comprehensive approach to operational resilience in the financial sector within the EU.” It focuses on security and resilience to ensure stability, especially in the digital age. Like GDPR, it requires organizations to deploy and maintain the proper cybersecurity protection layers. Failure to do so results in fines and lawsuits.
  • The German Commercial Code (GCC) is the leading accounting standard for German businesses' financial statements. Protecting your organization's financial records with cybersecurity protection layers is crucial to ensure accurate record-keeping and reporting.

Note: Organizations evaluating the cost of retaining valuable cybersecurity talent must consider the financial implications if the firm becomes subject to fines for non-compliance because of a mismanaged security breach.

Solutions to Combat The Lack of Access to Cybersecurity Professionals

Solving the workforce gap for cybersecurity within an organization requires the firm to consider all the factors involved:

  • Experienced cybersecurity talent is expensive, period.
  • The demand for cyber talent increases as cyberattacks become more prevalent.
  • Organizations struggling with unqualified resources continue to become victims of ransomware, data theft, and insider threats.
  • Organizations failing to meet compliance mandates in the EU and the U.S. face fines, lawsuits, and the possibility of being shut out of new markets.

Organizations driving to close the gap regarding cybersecurity resources continue to research and ultimately develop partnerships with managed service providers (MSP) and managed security service providers (MSSP).

What is the Role of an MSSP/MSP?

MSSPs and MSPs have created managed offerings to help clients adjust to the cybersecurity workforce gap by providing various solutions aligned with their clients' needs.

These offers include:

  • A complete turnkey SecOps offering, including a 24x7x365 global follow-the-sun model.
  • MSSPs often augment their clients' internal security teams with their services, including handling only incident response cases, providing after-hours coverage, or providing resources to help with remediation.
  • MSSPs and MSPs are often hired to evaluate new cybersecurity solutions to help clients enable new features and protection capabilities.
  • MSSPs and MSPs have access to global talent, one of their most critical value-adds. These providers can staff their support centers with experienced cybersecurity talent.
  • MSSP and MSP services become an operating expense instead of a capital cost.
  • MSSPs and MSPs have global expertise in compliance mandates, including DORA, NIS2, GDPR, PCI-DSS, and HIPAA. Their security engineers have extensive compliance reporting and proven incident response capabilities.

Leveraging an MSSP/MSP helps organizations solve their workforce issues while controlling their SecOps costs, lowering risk, and meeting compliance mandates.

Why ForeNova Security for MDR Services?

ForeNova's MDR services assist organizations with compliance and privacy regulations, including HIPAA, PCI-DSS, NIS2, DORA, GDPR, and CCPA. These regulations require the organization to prove that it can respond to next-generation AI-powered cyberattacks and their increased velocity.

For organizations seeking a partner to augment their current security operations (SecOps) team or provide complete 24/7 monitoring and response, threat intelligence, and other cyber defense tools, NovaMDR has access to experienced engineers to meet their business and compliance goals.