Trellix Survey Findings: A Closer Look at the Cyber Talent Gap

By Trellix · June 1, 2022

The shortage of cybersecurity professionals puts governments and critical infrastructure and nation’s national security at risk. While this issue has always been a problem, it has grown in prominence given the awareness that nation-state actors have designs to exploit and even harm their citizens, institutions and communities. Solving this problem requires us to not only invest in the talented professionals already within the field, but also recruit and develop talented individuals from underrepresented demographic groups and those in other fields whose talents are transferrable to cybersecurity.

The results of a survey commissioned and release by Trellix this week shows 85% of respondents believe the workforce shortage is impacting their organization’s abilities to secure increasingly complex information systems and networks, while almost a third (30%) of the current workforce plans to change professions in the future.

Research firm Vanson Bourne surveyed 1,000 cybersecurity professionals in Australia, Brazil, Canada, France, Germany, India, Japan, the U.K and the U.S. across a variety of sectors. It gauged the demographics of those in the cybersecurity field, their motivators and frustration in the field, the career development pathways, and ideas for expanding the ranks of the workforce to include those with non-traditional career pathways.

There are frustrations for many of those currently working within cybersecurity. More could also be done to encourage more individuals into cybersecurity, including greater diversity in recruitment in a predominantly white or Caucasian field, and improved support and awareness of cybersecurity careers during education.

On the upside, cybersecurity has not always been the first port of call in respondents’ careers, a significant number of professionals have found success in the field through unorthodox career paths and a commitment to self-educating and learning on the job. Perhaps most encouraging, it’s a career path which is widely found to be soulful, or purposeful and motivating.

Trellix believes these findings suggest opportunities to expand the ranks of cybersecurity professionals.

Journeys to cybersecurity: How did they get there?

Academic background. Surveyed cybersecurity professionals tend to be relatively well-educated, with all having at least one academic qualification or certification, and most having attained a high school diploma or equivalent. A similar proportion report going as far as achieving a Bachelor’s/undergraduate degree or equivalent, demonstrating how those within the field felt (at least at the time), that attaining further education was of value ahead of their professional career.

Vocational qualifications. Respondents are also likely to hold qualifications in a vocational context. Most have reported having one or more qualifications which are work related and designed to give them relevant knowledge and skills required to perform their job, career, or profession. More than half surveyed are most likely to be taught on the job and self-taught alongside their vocational qualifications too. Knowledge from vocational qualifications can be used to add context to training and guidance from employers, so it makes sense respondents are more likely doing both, especially given cybersecurity is an ever-evolving field.

While consumers on their own have limited ways to defend from nation-state and advanced cyber actors, using two-factor authentication and completing software updates on devices as soon as possible are important measures to take. Every connected device introduced into our homes increases the attack surface of our towns, cities and countries.

Of those with vocational qualifications, almost half report attaining the Certified Information Security Manager (CISM) – centered on information security management, risk management and compliance, and security incident management. Given this qualification gives employees opportunity to advance their knowledge in information security, it makes sense this is a qualification respondents are most likely to pursue. The same can be said for certifications relating to information systems and cloud security, demonstrating the relevance of these certifications in the context of cybersecurity professionals’ day to day roles

Yet, despite this focus on qualifications and certifications, and despite respondents’ academic and vocational backgrounds, more than half report people not needing university degrees to have a successful career in cybersecurity.

Learning on the go. If employees learn to adopt the soft skills most useful to a cybersecurity role, they have a good chance of adapting well and making progress within their career. Teamwork and critical thinking/problem solving were reported by at least half of respondents in terms of skills most useful to them in their role. With the vast majority also believing that skills required for cybersecurity-related roles such as critical thinking don’t need to be instinctive, and can in fact be learned and developed over time, this leaves assurances that employees entering a cybersecurity profession can develop them over time.

Experiences within cybersecurity professions

Surveyed respondents are more likely to have only ever worked within cybersecurity, with more than half reporting this to be the case. Despite this however, there is still fair representation in terms of those that have worked in professions other than cybersecurity.

Given the spectrum of job paths within cybersecurity alone, some employees have taken on a “learning on the job” opportunity and others may not, and such career choices are likely to have been shaped by their past experiences and professions.

Representation from other careers and professions. Information technology (IT), computer science, or software development is the likely profession respondents have held before cybersecurity. Around six in ten do also report working across professions in the past other than IT, computer science, or software development–some of which are notably different from cybersecurity. This perhaps shows how the cybersecurity field can be flexible and fluid in terms of attaining employees from non-cyber backgrounds. It also uncovers lots of opportunity to attract employees from other areas into cybersecurity.

Soulful Work. Respondents have worked within a cybersecurity profession for 9 years on average, demonstrating a level of longevity in the field. Given the wide range of eclectic roles available within cybersecurity itself, it makes sense that employees tend to stick around for a while.

Most (92%) agree that cybersecurity is purposeful, soulful work that motivates them. It goes without saying that having a career which is purposeful, gives employees a reason to get up every day and commit to their profession long-term.

More than half of respondents (52%) acknowledged they believe cybersecurity is progressive and evolving. Alongside this, job security is another impactful reason for currently working within cybersecurity. The fact that cybersecurity continuously grows in relevance, and roles always being accessible on this basis is clearly an important factor. Particularly given events since the start of the pandemic in terms of national and international lockdowns, employees being furloughed, and uncertainty across other industries, the appeal of cybersecurity will have only become more prevalent.

Frustrations in the field. Frustrations experienced within cybersecurity vary across the board, demonstrating the importance in addressing several areas as opposed to focusing on just one. Respondents report limited support for the development of skills as a key frustration, alongside a lack of recognition for the good they do for society. Other issues stem from limited support with qualifications, pay gaps between different demographic groups, lack of diversity, and unfriendly environments for both certain ethnic groups and women.

Encouraging employees into cybersecurity careers

Not only are there challenges for those currently working within cybersecurity, but there are also barriers holding people back in terms of transitioning into a cybersecurity career in the first place. Most report there needing to be greater efforts to support employees in terms of developing skills, consulting on what’s required, and a greater understanding of progression routes and opportunities.

More than two fifths rank more efforts in raising awareness within the top three areas which would most encourage greater participation into a cybersecurity career. Further education and funding support are also important, areas which are clearly lacking at the moment. There are also greater diversity efforts needed, as well as wider consideration of different ethnic groups in terms of pay gaps, inclusivity and equality. Without addressing these areas, the cybersecurity field certainly won’t be optimizing its talent opportunities which in turn have a knock-on effect on productivity and progression.

Encouraging a greater recruitment drive of employees into cybersecurity-related roles starts from engagement with students in schools – both areas in which respondents report their own organizations could be doing more in. Openness to considering employees from non-traditional cybersecurity and demographic backgrounds is also key, and could see the industry pave the way for greater innovation, progression and talent.

Here to stay?

While the majority of those surveyed plan to stay within cybersecurity for the remainder of their working career, two in ten do currently have plans to move on within the next two years and may well be planning to jump ship sooner rather than later. Needless to say, this is a 20% cybersecurity cannot afford to lose.

The frustrations felt now such as limited support for skills development, lack of recognition, and unfriendly working environments for women and certain ethnic groups, will certainly be contributing to these planned moves. Addressing frustrations and challenges head on, from both a wider community perspective and from organizations themselves, will help to retain current employees in the industry.

Of those planning to move to a different career or profession in the future, more than half report plans to move to IT, computer science or software development. Others plan to move into business and professional services, financial services, etc.

Again, addressing current frustrations, particularly unclear progression routes, could enable cybersecurity professionals to discover new opportunities within cyber that they perhaps weren’t aware of previously. Such discoveries could be the change required to retain employees.

Acknowledging frustration, retaining employees. For those planning to move on, feeling as though they have or will have accomplished everything they wanted to is a key reason, as well as the fact that respondents have another career or profession in mind which they’re more passionate about. Greater awareness of the diverse paths available within cybersecurity could help with this, and enable employees to uncover new passions they weren’t even aware cybersecurity could provide.

There are several societal and organizational issues which also need addressing though. Experiences of cybersecurity being unfriendly for certain ethnic groups, and for women are significant enough for more than a tenth of respondents planning to leave their profession. Addressing such challenges embedded within cybersecurity is critical, and proactivity from organizations in terms of recognizing and acknowledging these issues is important in encouraging employees to stay.

These findings again draw attention to the fact that the field continuously predominantly male and white or Caucasian. It again raises the specter that the cyber talent gap may not be addressed without expanding workforce ranks beyond this demographic. Simply put, we will not retain or grow the cyber workforce if we fail as a field in diversity, equity and inclusion, as well as non-traditional approaches to talent recruitment, training and development.

These frustrations suggest DEI is an imperative not only for the cybersecurity field, but also the industry and national security postures that increasingly rely upon cyber as a security domain. If the cybersecurity field cannot view DEI issues as opportunities and work to overcome them, the current workforce could become even less capable of protecting us as adversaries and attack vectors continue to outpace defenders and defenses in terms of growth and evolution. In short, DEI is a national security imperative organizations, industry, nations and society overall cannot afford to ignore—and cybersecurity is a critical space where this could be felt most acutely.

Key insights and takeaways

It’s critical that current frustrations are addressed, before cybersecurity professionals jump ship

The majority (89%) note at least one frustration, with the most common focusing on limited support for the development of skills (36%), lack of recognition for the good done for society (36%), and limited support with the qualifications and certifications required (32%). Problems relating to inequality and limited diversity are also relatively common. Addressing these pain points is critical, particularly when thinking about the fact that almost a third (30%) have plans to potentially move to a different career or profession at some point in the future.

There are areas organizations need to address, in the interests of their current employees and prospective ones

Respondents recognize that their own organizations could be making more progressive steps towards encouraging more individuals into cybersecurity. Greater recruitment drives of employees into cybersecurity-related roles (95%), community mentoring programs with a presence in K-12 schools (94%), and openness to considering employees from non-traditional cybersecurity backgrounds (94%), are just a few areas where organizations could be doing more.

There are also areas that societal and government bodies need to address

Greater efforts in raising awareness of cybersecurity careers (43%), encouraging students to pursue STEM-related careers throughout the education process (41%), and further funding support (39%) were most likely to be ranked within the top three areas which would most encourage greater participation of employees into a cybersecurity career. This demonstrates that there’s not one defined quick fix, but potentially many.

Greater efforts are needed to encourage employees into a cybersecurity career

Most (92%) report that there is a current skills gap across the cybersecurity profession and a growing demand to fill security-related roles. The same proportion (92%) also believe that greater mentorship, internships, and apprenticeships would encourage and support participation of workers from diverse backgrounds into cybersecurity-based roles –so more could certainly be done to encourage a greater pool of employees to meet demand.