This year, the cybersecurity market in the United States is projected to exceed $68 billion in revenue, led by the security services segment. According to data collected by Statista, the U.S. will generate the majority of global revenue of $162 billion (USD) in 2023. Put another way, this year the U.S. will spend an average of $407.70 per cybersecurity employee, compared to an average spend of $46.54 worldwide.
On the surface these projections suggest a robust cybersecurity market, especially in the U.S. However, additional data regarding cybersecurity jobs, open positions, and an ongoing employment gap suggest otherwise. And the picture becomes bleaker when the state of the Chief Information Security Officer, or CISO, is added to the mix. All in all, organizations are seriously challenged to fill their open cybersecurity positions with qualified staff, and this is impacting the effectiveness of their cybersecurity and compliance programs.
A March 2023 article in Forbes indicated there are “more than 700,000 unfilled cybersecurity positions across the U.S.” which will cause serious losses among businesses if solutions are not found soon. The problem includes open CISO positions.
According to the ISC2 workforce study, the global cybersecurity workforce grew in all four regions in 2022. Worldwide, almost 4.7 million individuals were working in cybersecurity in 2022, an increase of 11% over the previous year. The Asia Pacific region reported the most significant growth in employment, at 15.6% over 2021, while North America recorded the lowest growth at 6.2% year-over-year. Latin America and Europe/Middle East/Africa each recorded growth of slightly more than 12%.
Clearly, the cybersecurity workforce is expanding all over the world, which is not surprising considering the relentless nature of cybercrime and the demand for crimefighters. However, the shortage of professionals needed to implement and maintain cybersecurity programs is also growing. Although the size of the global cybersecurity workforce in 2022 is the highest number ever recorded by the organization, at nearly 4.7 million individuals, the report indicates that the “cybersecurity field is still critically in need of more professionals.”
That’s because organizations are trying to fill an employment gap of 3.4 million cybersecurity workers worldwide. In other words, on a global basis, the cybersecurity industry has a current demand for 8.1 million employees but only employs 4.7 million, representing an alarming 42% shortage.
Adding to concern about the employment gap, the U.S. Bureau of Labor Statistics has projected a 35% growth in cybersecurity jobs by 2031. While this sounds positive on the surface, how many of those positions will be filled? Where will qualified candidates be found? And what security elements will suffer as a result of the expected ongoing workforce gap?
The ongoing workforce gap is jeopardizing even the most fundamental aspects of cybersecurity, such as regular risk assessments, audit log monitoring, critical system patching, and penetration testing. Organizations with chronic or substantial workforce shortages report that they are at moderate or extreme risk of cyberattack as a result. In fact, more than half of individuals in those organizations (54%) believe they face a moderate risk of a cyberattack, and 20% rank that risk as extreme.
In its analysis of the 2022 cybersecurity workforce gap, ISC2 noted that despite the growth of the cybersecurity workforce in 2022, the employment gap has grown even more. The workforce gap increased more than twice as fast as the workforce itself, with a 26% year-over-year increase from 2021 to 2022 versus 11% growth in the workforce. This disparity makes cybersecurity “a profession in dire need of more people,” according to the study.
Other means of narrowing the gap are emerging out of necessity. As one example, ISC2 has launched a free online program called Certified in Cybersecurity to help entry-level candidates learn the basics and determine whether a career in cybersecurity is right for them. Topics covered in the program include security principles, business continuity, disaster recovery, incident response, access controls, network security, and security operations. In its first three months, more than 110,000 candidates registered for the program.
With similar intentions, Microsoft Security has committed to partnering with community colleges to train 250,000 individuals in cybersecurity by 2025, including attracting more women and minority candidates to the field. In addition, numerous colleges and universities throughout the U.S. have developed extensive cybersecurity curricula, leveraging local, regional, and national cybersecurity and information technology resources for all types of assistance.
Finally, many organizations are addressing shortages among cybersecurity executives by engaging virtual CISOs. These experienced information security officers serve on a part-time or as-needed basis to guide organizations in developing and maintaining effective cybersecurity programs that meet industry compliance requirements. Using the services of a virtual CISO is an ideal way to achieve and maintain a robust security posture without the expense of recruiting, hiring, and compensating a permanent, full-time security executive.
For cybersecurity professionals who are overworked and stretched thin due to chronic staffing shortages, burnout is a common complaint. It is a problem among CISOs as well as for pen testers, system admins, and other members of the cybersecurity workforce.
In its 2022 Global CISO Survey, executive search firm Heidrick & Struggles asked CISOs about the personal risks they face in the field of cybersecurity today. CISOs in the U.S. cited the stress of their jobs (60%) and burnout (53%) as their greatest personal risks. The pressures of keeping their organizations safe from cyberattacks and effectively deploying personnel, budget, equipment, and technology are unrelenting, and burnout is a logical consequence of those pressures.
On the upside, only 28% of CISOs were concerned about losing their jobs as a result of a data breach. This sense of job security is not surprising, given that nearly every organization has already experienced a security incident of some kind and remains at risk as attack vectors become ever more sophisticated.
Unfortunately, due to the pressures of the job, CISOs are generally in the office full-time and unable to take advantage of most of these burnout-reducing activities.
Productivity Perception Gap. Despite these special freedoms, things are not all hunky-dory in the remote home office. According to ISC2, suspicion about the productivity of remote workers continues to be widespread among management. Almost two-thirds (62%) of non-management cybersecurity professionals say they are more productive when working from home. Conversely, just one-third (35%) of cybersecurity managers believe that their remote workers are as productive as onsite staff. This perception gap has led many organizations to require employees to work onsite most of the time.
Compensation Is Up. While CISOs are among those who generally work in the office each day, seeing and being seen, collaborating with peers, and managing employees, they are well-compensated for that expected corporate behavior. For example, in the U.S. the reported median cash compensation for CISOs increased to $509,000 in 2022, up 15% from 2021 and 23% from 2020.
IT Continues to Foster CISOs. As in previous CISO studies conducted by Heidrick & Struggles, the 2022 study found the majority of CISOs continue to rise up through the information technology ranks, although 10% made the jump from software engineering (up from 7% in 2021). In addition, three-quarters of CISOs (77%) have been in their role for at least three years, which points to a stable work environment. Of CISOs on the job for less than a year, almost two-thirds came from a previous CISO role. By comparison, those in their current role for five years or longer are more likely to have come from a role other than CISO. In all cases, new CISOs are under the corporate microscope for a minimum of 90 days with strong pressure to prove themselves quickly.
Boardroom Seats Remain Scarce. In the U.S., although 56% of CISOs aspire to a seat on the corporate board, only 14% have achieved that goal. It appears that many boards still prefer directors with prior board experience, with more than half of directors (57%) having previously served on a public company board. Unfortunately, this tradition prevails despite the fact that executive-level cybersecurity experience is “desperately needed in boardrooms amid heightened cyber risks,” according to the 2022 CISO Survey.
As with the workforce gap, the absence of CISO representation on boards of directors has serious consequences for an organization’s cybersecurity and compliance programs.
The current and continuing cybersecurity staffing shortage consists of 3.4 million open positions worldwide, constituting a 42% shortage of positions at the present time. This gap grew more than 26% from 2021 to 2022. Non-profit cybersecurity association ISC2, Microsoft Security, and innumerable educational institutions have led the way in creating learning programs to help narrow this gap over time. Proactive initiatives to diversify the workforce have made these resources available to all who are interested in potential careers in cybersecurity.
CISOs are affected by the workforce gap in several ways. Not only is there a shortage of CISOs across the U.S., but those holding CISO positions face sustained pressures that can lead to burnout, including the pressure to accomplish more with fewer staff. Many organizations are effectively addressing unfilled CISO positions by engaging the services of a virtual CISO to help guide their cybersecurity and compliance programs on a part-time or interim basis.