Navigating the Cybersecurity Skills Gap

By Jim Johnson, Senior Vice President, Technology, Robert Half

The FBI’s Internet Crime Complaint Center (IC3) reports that total cybercrime losses in the U.S. exceeded $10 billion last year — rising significantly from 2021’s total of $6.9 billion. And according to research from IBM, the average cost of a data breach is $4.45 million. So, it is certainly no surprise that nearly half (42%) of the C-suite executives in the U.S. recently surveyed by Robert Half said that concerns about cyberattacks and cybersecurity threats keep them awake at night.

There’s another factor likely contributing to their insomnia: Their companies’ struggles to recruit skilled cybersecurity talent. In a separate survey, we learned that 90% of technology hiring managers in the United States are struggling to hire skilled candidates for technology roles. Many cited security as an area where they are facing particular difficulty staffing positions.

The cybersecurity talent shortage isn’t new — nor is the skills gap in IT, generally. But the already limited supply of available talent is dwindling further, and faster, as more companies across industries seek to:

Fortify their defenses against today’s increasingly sophisticated and persistent cyber threats.
Pursue digital transformation with an aim to infuse security into every new initiative and modernization effort. (Note that 41% of C-suite executives told us that security concerns were the most pressing challenge during their latest digital transformation project.)
Meet complex and stringent compliance demands related to data privacy and security.
Prepare for the future of work by embracing new technologies, such as generative artificial intelligence (AI) and other forms of AI.

These business goals and pressures are driving demand for security architects, network security engineers, data security analysts and other specialists with cybersecurity skills. And because many companies are moving fast to adopt and innovate with AI, including bringing AI capabilities into their cybersecurity operations, there is an increasing need for new AI-centric roles, too, like AI security analysts, AI data scientists and AI cybersecurity specialists.

Since attending the recent Microsoft Inspire conference for Microsoft’s partner community,* it has only become clearer to me just how critical it is for businesses to step up their efforts to recruit standout cybersecurity talent, prepare their existing staff for an AI-powered future, and invest in technology that can make security investigations faster and easier.

New tools entering the market, like Microsoft Security Copilot, are designed to help address the talent gap in cybersecurity. They are not a replacement for human workers, though. As this Microsoft blog explains, generative AI tools like Security Copilot are designed to augment the work of security teams — and “creativity and knowledge will always be imperative for defense.”

Security Copilot is not yet generally available, but it is an example of the dramatic, technological change that the cybersecurity profession needs to get ready for now. Generative AI is going to be a critical teammate in many security operation centers soon. Human cybersecurity professionals are needed to make the most of these nascent tools. But these tools, which are continually learning, also need the human element to reach their full potential.

So, what can companies do to ease their current cybersecurity skills gap and build a team that’s prepared to work with AI? Here are a few strategies that can help.

Prioritize upskilling and professional development

Recruiting top talent for your security team is one challenge. Retaining that talent is another, especially in today’s competitive hiring landscape. And one of the most effective strategies for retention is to invest in employees’ professional development and advancement.

Meaningful opportunities for learning and skill-building can keep top performers challenged and satisfied in their work. Prioritizing internal promotions also gives valued employees more reason to stay with your organization. Investing in programs for upskilling is also critical for boosting employee engagement — as well as keeping your security operations agile and future-forward.

Your business could:

Participate in upskilling programs offered by third parties or technology companies. Companies like AWS, Oracle and Microsoft are among the many reputable resources that offer security training and certification programs. Microsoft also offers generative AI training for businesses.
Subsidizing costs for IT certifications and training. Helping to cover the costs for employees to gain in-demand credentials and skills is a win-win. Your workers will feel valued and invested in while your business deepens its cybersecurity skills bench.
Identifying common upskilling needs. Assess the skill sets of entry-level and other highpotential cybersecurity and IT talent in your organization and build internal programs that can help everyone to level up their abilities.

Also, be sure to ask your employees about their career goals and use that information to create upskilling initiatives that add value to your operations and increase employee morale.

Hire for potential, not credentials

Seventy-percent of technology hiring managers surveyed by Robert Half said certifications are a must for security professionals. While it’s true that some credentials, such as the Certified Information Systems Security Professional (CISSP), are genuine markers of an applicant’s cybersecurity expertise, savvy employers recognize that it’s just as important to hire for experience and soft skills.

You can train new employees on the job for many cybersecurity skills and tools. Drive, determination, time management, adaptability and a genuine passion for the industry? Not so much. Considering that, it might be a mistake to pack your job descriptions with an extensive list of necessary skills and experience and potentially deter otherwise strong candidates. Start with a handful of truly essential qualifications and place the rest under a nice-to-have header.

Also, emphasize that entry-level roles are open to entry-level candidates. This should be obvious, but not all job posts make that clear. And underscore that interest in the field and a learning mindset are important. Additionally, consider job seekers who’ve taken a less conventional path to earn their skills, such as through technical training programs and apprenticeships.

Pay well and be flexible

Starting salaries for cybersecurity professionals remain strong as vacancies outpace the number of available candidates. To help combat the cybersecurity talent shortage, 55% of technology hiring managers we surveyed said they’re willing to offer a higher salary to contend for top security talent. So, you need to make sure that your offers are competitive.

It also pays to think beyond starting salary. When Robert Half recently surveyed technology workers in the U.S., we learned that 64% are either looking or plan to look for a new job by the end of the year. For 51% of those pros, the quest for a higher salary was a motivator for their job search. Another 42% of respondents cited better benefits and perks, while 31% said they were seeking remote work options.

To stay on top of the latest hiring and compensation trends in the technology profession and others, consult Robert Half’s latest Salary Guide.

Tap into all available talent pools

Today, fewer than one in four cybersecurity professionals are women. But things are changing: To build the workforce they need to succeed today and for the future, many leading employers are making a concerted effort to provide more career paths for women in tech. This is one trend in the cybersecurity profession that can go a long way toward closing the skills gap, so make sure your business is part of it.

Also, when hiring cybersecurity talent, don’t overlook people from underrepresented groups. These individuals may have lacked access to educational resources through no fault of their own. But with the right training and development opportunities, they could become your security team members of the future.

Finally, don’t forget about skilled contract professionals. Sixty-two percent of technology hiring managers we surveyed said they plan to hire more contract professionals before 2024 — and more than one-third (36%) intend to hire security professionals on a contract basis. This flexible approach to staffing helps keep work moving forward — and often leads to full-time hires.

The cybersecurity skills gap, like the IT skills gap itself, will take time to close. But it’s important for businesses to meet this challenge head-on, especially as AI is poised to change the profession soon and drive demand for a host of new jobs and skills. Your cybersecurity teams need to be ready to work effectively with AI — and manage new threats that will emerge. After all, cybercriminals can use AI for innovation, too.

Jim Johnson is senior vice president, technology, at Robert Half. In this role, Jim drives operational effectiveness for our company’s North American technology talent solutions teams through training and development programs.

Follow Jim Johnson on LinkedIn.

*Robert Half and Protiviti, a global consulting firm and Robert Half subsidiary, are members of the Microsoft AI Cloud Partner Program.