Trellix Survey Findings: A Closer Look at the Cyber Talent Gap

The shortage of cybersecurity professionals puts governments, critical infrastructure and nations’ national security at risk. While this issue has always been a problem, it has grown in prominence given the awareness that nation-state actors have designs to exploit and even harm their citizens, institutions and communities. Solving this problem requires us to not only invest in the talented professionals already within the field, but also recruit and develop talented individuals from underrepresented demographic groups and those in other fields whose talents are transferrable to cybersecurity.

The results of a survey commissioned and released by Trellix this week show 85% of respondents believe the workforce shortage is impacting their organization’s abilities to secure increasingly complex information systems and networks, while almost a third (30%) of the current workforce plans to change professions in the future.

Research firm Vanson Bourne surveyed 1,000 cybersecurity professionals in Australia, Brazil, Canada, France, Germany, India, Japan, the U.K. and the U.S. across a variety of sectors. It gauged the demographics of those in the cybersecurity field, their motivators and frustrations in the field, the career development pathways, and ideas for expanding the ranks of the workforce to include those with non-traditional career pathways.

There are frustrations for many of those currently working within cybersecurity. More could also be done to encourage more individuals into cybersecurity, including greater diversity in recruitment in a predominantly white or Caucasian field, and improved support and awareness of cybersecurity careers during education.

On the upside, cybersecurity has not always been the first port of call in respondents’ careers; a significant number of professionals have found success in the field through unorthodox career paths and a commitment to self-educating and learning on the job. Perhaps most encouraging, it’s a career path which is widely found to be soulful, or purposeful and motivating.

Trellix believes these findings suggest opportunities to expand the ranks of cybersecurity professionals.

Journeys to cybersecurity: How did they get there?

Academic background. Surveyed cybersecurity professionals tend to be relatively well-educated, with all having at least one academic qualification or certification, and most having attained a high school diploma or equivalent. A similar proportion report going as far as achieving a Bachelor’s/undergraduate degree or equivalent, demonstrating how those within the field felt (at least at the time), that attaining further education was of value ahead of their professional career.

Figure: Which of the following academic qualifications/certifications have you attained to date? [1000]

Vocational qualifications. Respondents are also likely to hold qualifications in a vocational context. Most have reported having one or more qualifications which are work related and designed to give them relevant knowledge and skills required to perform their job, career, or profession. More than half surveyed are most likely to be taught on the job and self-taught alongside their vocational qualifications too. Knowledge from vocational qualifications can be used to add context to training and guidance from employers, so it makes sense respondents are more likely doing both, especially given cybersecurity is an ever-evolving field.

While consumers on their own have limited ways to defend from nation-state and advanced cyber actors, using two-factor authentication and completing software updates on devices as soon as possible are important measures to take. Every connected device introduced into our homes increases the attack surface of our towns, cities and countries.

Figure: Which of the following best describes your vocational qualifications/certifications to date? [1000]

Of those with vocational qualifications, almost half report attaining the Certified Information Security Manager (CISM) – centered on information security management, risk management and compliance, and security incident management. Given this qualification gives employees the opportunity to advance their knowledge in information security, it makes sense this is a qualification respondents are most likely to pursue. The same can be said for certifications relating to information systems and cloud security, demonstrating the relevance of these certifications in the context of cybersecurity professionals’ day-to-day roles.

Yet, despite this focus on qualifications and certifications, and despite respondents’ academic and vocational backgrounds, more than half report people not needing university degrees to have a successful career in cybersecurity.

Figure: Which of the following best describes your vocational qualifications/certifications to date? [830], based on those with vocational qualifications/certifications
Figure: To what extent do you agree or disagree with the following statements? [1000]

Learning on the go. If employees learn to adopt the soft skills most useful to a cybersecurity role, they have a good chance of adapting well and making progress within their career. Teamwork and critical thinking/problem solving were reported by at least half of respondents in terms of skills most useful to them in their role. With the vast majority also believing that skills required for cybersecurity-related roles such as critical thinking don’t need to be instinctive, and can in fact be learned and developed over time, this leaves assurances that employees entering a cybersecurity profession can develop them over time.

Figure: Which of the following soft skills do you believe are most useful to you in a cybersecurity role? [1000], omitting an answer option
Figure: To what extent do you agree or disagree with the following statements? [1000]

Experiences within cybersecurity professions

Surveyed respondents are more likely to have only ever worked within cybersecurity, with more than half reporting this to be the case. Despite this however, there is still fair representation in terms of those that have worked in professions other than cybersecurity.

Given the spectrum of job paths within cybersecurity alone, some employees have taken on a “learning on the job” opportunity and others may not, and such career choices are likely to have been shaped by their past experiences and professions.

Figure: Since your working career began, have you worked in any other career/occupation other than cybersecurity? [1000], omitting an answer option

Representation from other careers and professions. Information technology (IT), computer science, or software development is the likely profession respondents have held before cybersecurity. Around six in ten do also report working across professions in the past other than IT, computer science, or software development–some of which are notably different from cybersecurity. This perhaps shows how the cybersecurity field can be flexible and fluid in terms of attaining employees from non-cyber backgrounds. It also uncovers lots of opportunity to attract employees from other areas into cybersecurity.

Figure: Which other career(s)/profession(s) did you work in before cybersecurity? [451], based on those who have worked in professions other than cybersecurity in the past, omitting some answer options

Soulful Work. Respondents have worked within a cybersecurity profession for 9 years on average, demonstrating a level of longevity in the field. Given the wide range of eclectic roles available within cybersecurity itself, it makes sense that employees tend to stick around for a while.

Figure: For how long have you worked within a cybersecurity-related career/profession? [1000]

Most (92%) agree that cybersecurity is purposeful, soulful work that motivates them. It goes without saying that having a career which is purposeful gives employees a reason to get up every day and commit to their profession long-term.

Figure: To what extent do you agree or disagree with the following statements? [1000]

More than half of respondents (52%) acknowledged they believe cybersecurity is progressive and evolving. Alongside this, job security is another impactful reason for currently working within cybersecurity. The fact that cybersecurity continuously grows in relevance, and roles always being accessible on this basis is clearly an important factor. Particularly given events since the start of the pandemic in terms of national and international lockdowns, employees being furloughed, and uncertainty across other industries, the appeal of cybersecurity will have only become more prevalent.

Figure: Which of the following best describes why you currently work in a cybersecurity career/profession? [1000], omitting some answer options

Frustrations in the field. Frustrations experienced within cybersecurity vary across the board, demonstrating the importance in addressing several areas as opposed to focusing on just one. Respondents report limited support for the development of skills as a key frustration, alongside a lack of recognition for the good they do for society. Other issues stem from limited support with qualifications, pay gaps between different demographic groups, lack of diversity, and unfriendly environments for both certain ethnic groups and women.

Figure: Which of the following are frustrations working within a cybersecurity career/profession? [1000], omitting some answer options

Encouraging employees into cybersecurity careers

Not only are there challenges for those currently working within cybersecurity, but there are also barriers holding people back in terms of transitioning into a cybersecurity career in the first place. Most report there needing to be greater efforts to support employees in terms of developing skills, consulting on what’s required, and a greater understanding of progression routes and opportunities.

Figure: In terms of encouraging more people into a cybersecurity career/profession, how important is it that the following are improved upon? [1000], scores shown are a combination of "Extremely important" and "Highly important", omitting some answer options

More than two fifths rank more efforts in raising awareness within the top three areas which would most encourage greater participation into a cybersecurity career. Further education and funding support are also important, areas which are clearly lacking at the moment. There are also greater diversity efforts needed, as well as wider consideration of different ethnic groups in terms of pay gaps, inclusivity and equality. Without addressing these areas, the cybersecurity field certainly won’t be optimizing its talent opportunities which in turn have a knock-on effect on productivity and progression.

Figure: Which of the following do you believe would most encourage greater participation of employees into a cybersecurity career/profession? Combination of responses ranked first, second and third [1000], omitting an answer option

Encouraging a greater recruitment drive of employees into cybersecurity-related roles starts from engagement with students in schools – both areas in which respondents report their own organizations could be doing more. Openness to considering employees from non-traditional cybersecurity and demographic backgrounds is also key, and could see the industry pave the way for greater innovation, progression and talent.

Figure: To what extent do you believe your organization could be doing more to encourage the following? [1000], scores shown are a combination of "They could be doing a lot more" and "They could be doing a bit more", omitting some answer options

Here to stay?

While the majority of those surveyed plan to stay within cybersecurity for the remainder of their working career, two in ten do currently have plans to move on within the next two years and may well be planning to jump ship sooner rather than later. Needless to say, this is a 20% cybersecurity cannot afford to lose.

The frustrations felt now such as limited support for skills development, lack of recognition, and unfriendly working environments for women and certain ethnic groups, will certainly be contributing to these planned moves. Addressing frustrations and challenges head on, from both a wider community perspective and from organizations themselves, will help to retain current employees in the industry.

Figure: Thinking about the future of your working career, do you anticipate that you will stay within a cybersecurity career/profession? [1000], omitting an answer option

Of those planning to move to a different career or profession in the future, more than half report plans to move to IT, computer science or software development. Others plan to move into business and professional services, financial services, etc.

Figure: Which career/profession are you planning to move to in the future? [304], based on those with plans to move to other career/profession in the future, omitting some answer options

Again, addressing current frustrations, particularly unclear progression routes, could enable cybersecurity professionals to discover new opportunities within cyber that they perhaps weren’t aware of previously. Such discoveries could be the change required to retain employees.

Acknowledging frustration, retaining employees. For those planning to move on, feeling as though they have or will have accomplished everything they wanted to is a key reason, as well as the fact that respondents have another career or profession in mind which they’re more passionate about. Greater awareness of the diverse paths available within cybersecurity could help with this, and enable employees to uncover new passions they weren’t even aware cybersecurity could provide.

There are several societal and organizational issues which also need addressing though. Experiences of cybersecurity being unfriendly for certain ethnic groups, and for women are significant enough for more than a tenth of respondents planning to leave their profession. Addressing such challenges embedded within cybersecurity is critical, and proactivity from organizations in terms of recognizing and acknowledging these issues is important in encouraging employees to stay.

Figure: Which of the following are reasons why you're planning to move to a different career/profession in the future? [304], based on those with plans to move to other career/profession in the future, omitting some answer options

These findings again draw attention to the fact that the field continues to be predominantly male and white or Caucasian. It again raises the specter that the cyber talent gap may not be addressed without expanding workforce ranks beyond this demographic. Simply put, we will not retain or grow the cyber workforce if we fail as a field in diversity, equity and inclusion, as well as non-traditional approaches to talent recruitment, training and development.

Figure: What is your ethnic group? [1000]

These frustrations suggest DEI is an imperative not only for the cybersecurity field, but also the industry and national security postures that increasingly rely upon cyber as a security domain. If the cybersecurity field cannot view DEI issues as opportunities and work to overcome them, the current workforce could become even less capable of protecting us as adversaries and attack vectors continue to outpace defenders and defenses in terms of growth and evolution. In short, DEI is a national security imperative organizations, industry, nations and society overall cannot afford to ignore—and cybersecurity is a critical space where this could be felt most acutely.

Key insights and takeaways

It’s critical that current frustrations are addressed, before cybersecurity professionals jump ship

The majority (89%) note at least one frustration, with the most common focusing on limited support for the development of skills (36%), lack of recognition for the good done for society (36%), and limited support with the qualifications and certifications required (32%). Problems relating to inequality and limited diversity are also relatively common. Addressing these pain points is critical, particularly when thinking about the fact that almost a third (30%) have plans to potentially move to a different career or profession at some point in the future.

There are areas organizations need to address, in the interests of their current employees and prospective ones

Respondents recognize that their own organizations could be making more progressive steps towards encouraging more individuals into cybersecurity. Greater recruitment drives of employees into cybersecurity-related roles (95%), community mentoring programs with a presence in K-12 schools (94%), and openness to considering employees from non-traditional cybersecurity backgrounds (94%), are just a few areas where organizations could be doing more.

There are also areas that societal and government bodies need to address

Greater efforts in raising awareness of cybersecurity careers (43%), encouraging students to pursue STEM-related careers throughout the education process (41%), and further funding support (39%) were most likely to be ranked within the top three areas which would most encourage greater participation of employees into a cybersecurity career. This demonstrates that there’s not one defined quick fix, but potentially many.

Greater efforts are needed to encourage employees into a cybersecurity career

Most (92%) report that there is a current skills gap across the cybersecurity profession and a growing demand to fill security-related roles. The same proportion (92%) also believe that greater mentorship, internships, and apprenticeships would encourage and support participation of workers from diverse backgrounds into cybersecurity-based roles, so more could certainly be done to encourage a greater pool of employees to meet demand.
