In this era of digitalisation, the world is witnessing exponential growth in incidents that compromise the security of information owned by businesses or governments. Recently the Royal Mail’s overseas deliveries suffered severe disruption due to a ransomware attack linked to Russian criminals. In 2022, around 50 Indian government websites were hacked and eight data breaches were reported. These included a ransomware attack on some servers at the All India Institute of Medical Science (AIIMS) that paralysed operations of the premier medical institute in India for many weeks.
The tremendous increase in such incidents has fuelled the demand for qualified IT professionals who could prevent cyber attacks on critical government and business IT assets. But there exists a considerable mismatch in the supply-demand situation of qualified cyber security professionals. To complicate this further, professionals entering this field face difficulty in deciding what skills they should acquire. This article explores what paths are available in cyber security training by analysing reports released by two eminent associations in the field of information security.
The first report discussed is the latest edition of the annual report on the cyber security workforce released by (ISC)2 titled 2022 Cyber Security Workforce Study. This report presents insights into the challenges and opportunities faced by cyber security professionals around the world. The report was prepared after conducting a survey among 11,779 cyber security professionals. The study estimates that the size of the global cyber security workforce in 2022 was 4.7 million people and the gap in the global cyber security workforce stood at 3.4 million people, which is an increase of 26.6% at the year-over-year (YoY) level.
Clearly, there exists a wide gap between the supply and demand of cyber security professionals, and the shortage is more evident in the EMEA and APAC regions where the YoY increase is greater than 50%. Half of the cyber security professionals under age 30 who participated in the survey started their careers in IT and then moved to cyber security. Both vendor-neutral certifications (e.g., (ISC)2, ISACA or CompTIA) and vendor-specific certifications (e.g., Microsoft, Amazon or Cisco) were popular among the respondents. Most of the organisations (55%) preferred their employees to acquire a vendor-neutral certification.
The second report examined was released by ISACA, entitled State of Cyber Security 2022. In this study, ISACA conducted a survey among 2,031 cyber security professionals from around the globe on seven major aspects of cyber security, covering areas such as staffing and skills. The main findings of this study are discussed below:
Cyber security staffing: Only 34% of the respondents felt that their organization’s cyber security team was appropriately staffed, and 60% replied affirmatively to the question if they had difficulty in retaining qualified cyber security professionals. Regarding their expectations of future demand for individual contributors in a technical cyber security role, 82 percent of respondents expected an increase in demand.
Skills gaps: A notable finding of this survey is the topmost skills gap among cyber security professionals. 54% of the respondents were of the view that cyber security professionals lacked soft skills like communication, flexibility and leadership. The (ISC)2 study also came out with a similar finding. To the question of the most important qualifications required for cyber security professionals seeking employment, 44% responded with strong problem-solving abilities and 27% responded with strong strategic thinking skills.
The mismatch of competency and social skills gap among cyber security professionals is highlighted by the World Economic Forum (WEF). The authors of an article on workforce gaps note that cyber security goes beyond the realms of the traditional physical and logical layers of cyberspace—since it involves human and societal dimensions, a social layer has to be included in the management of cyber security.
To address the needs of the social layers, cyber security professionals should be trained in acquiring soft skills. Apart from acquiring soft skills, the ISACA study found the following skill gaps in the technical front of cyber security: cloud computing (52%), security controls (34%) and coding skills (30%). According to the ISACA study respondents, the top five most important security skills needed in their organizations currently are cloud computing (52%), data protection (47%), identity and access management (IAM) (46%), incident response (46%) and DevSecOps (36%).
The survey reports published by ISACA and (ISC)2 provide very useful insights into the current state of the cyber security workforce situation and future possibilities. It may be noted that the supply-demand gap in cyber security workforce requirements is not seeing any decline in the coming few years. There is huge potential for adequately skilled professionals to enter this very exciting domain of cyber security, but the main challenge for is in acquiring the right skill sets. Both studies highlight the need for acquiring the appropriate type of soft skills along with learning the needed technical capabilities.
Sudeep Subramanian is an associate professor in the area of international business at the FORE School of Management in New Delhi, India. He has over two decades of experience in information technology and management education. His teaching experience in management courses extends over 12 years and he spent eight years in the IT industry before joining academia. His IT industry experience includes software development, project management, information systems audit, and information security consulting. He is a Certified Information Systems Auditor (CISA) and ISO 27001 Lead Auditor.