Evolve Security, a full-scale technical services firm dedicated to the human element of cybersecurity, recently published the Cybersecurity Skills Report: State of the Cybersecurity Workforce. This first in a series of talent industry reports serves as a guide to help C-suite and other cybersecurity leaders (execs), as well as current and future cybersecurity professionals (pros), understand and identify the cybersecurity skills gap. The findings are based on survey data gathered from industry leaders, from C-suite directors to hiring managers, and current pros across the cybersecurity spectrum.
The report takes a broad approach, focusing on high-level skill sets, as presented in job descriptions, rather than individual cybersecurity tools. This provides a starting point to name the gap and shed light on the market supply and demand. Overall, the survey data provides an initial roadmap for execs looking for talent and pros looking for the most crucial or in-demand types of training.
“Cybersecurity leaders looking at these findings may realize that the talent they need is available in different areas than they expected. Pros may find that many of the skill sets valued by the C-Suite, from mastering Government Risk Compliance (GRC) to leading crisis response and change, are great points of entry for a cybersecurity career,” explained Dr. Faisal Abdullah, Evolve Academy’s Vice President of Products & Strategy. “Cloud savvy app developers with sharp network security skills should review this report to help target their next specialization, and sector-switchers with great analytical and communication skills should review the skills that are most in-demand.”
Recognizing the talent shortfall in cybersecurity, Evolve experts in enterprise services, staffing augmentation, and cybersecurity advisory services asked execs and pros questions to provide a baseline of the top skills that exist on cybersecurity teams today as well as the domains where pros are currently up-skilling or planning to do so. This report focuses on five key areas: Cloud Security, Security Engineering, Penetration Testing, Government Risk Compliance (GRC), and Cyberthreat Intelligence.
The execs were asked to identify the areas of expertise they most value now, and whether they believe that the current skills of the pros match up. They were also asked about training, including whether they prefer to train in-house or look in the marketplace, how much certifications matter, and which certifications they value most.
The pros were asked about their current cybersecurity skills, how they would rank the importance of these skills, what skills they are improving, what new skills they feel they need, and what certifications they planned to pursue. Evolve used their findings to show any gaps between the skills that pros are currently using and the skills that execs are looking for when hiring.
Top 5 Most Valued Cybersecurity Skills
When it comes to the most valued cybersecurity skills for those responsible for protecting business assets and systems, both execs and pros appear to agree that skills in the following five areas are most critical for success:
1. Networking and data communications
2. Multi-platform cybersecurity controls
3. Programming languages
4. Vulnerability and Threat Security
5. Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), Cloud Access Security Broker (CASB) Technology
Biggest Gaps: Execs vs. Pros
The biggest gaps between execs and pros are seen not in the areas of skill but in the domains where these skills are most needed, and in the importance that each group places on specializations and certifications related to the five key areas above.
GRC, for example, requires specialized skills in U.S. regulations, frameworks, cybersecurity risk management, vendor risk management, and GRC technology. Yet, the demand for talent seemed to be much greater than the availability of trained pros.
- 65% of execs described the need for specialized GRC skills as critical compared to 34% of pros. Further, only 23% of current GRC pros reported plans to up-skill within the next six months.
In general, one of the largest skills gaps was in Security Administration.
- Just 26% of execs ranked security administration skills as “crucial,” compared to 45% of pros.
In Cloud Security the gaps were complex. The percentage of pros with general Cloud skills was greater than the percentage that execs needed. However, when it came to Cloud skills specifically for security audits to manage access control, execs reported being unable to find the talent necessary to support this market.
- Execs reported a significant need for Cloud security audit skills yet only 16% of current pros reported having them, and 17% reported plans to pursue training in the next few months.
In Penetration Testing (Pentesting), Security Engineering, and Cyber Threat Intelligence there appeared to be an oversaturation of pros. Execs reported little difficulty finding the talent they need, and they seemed to place less value on having these skills in-house than the pros. Pentesting skills were viewed as critical by 85% of execs but many reported relying on outsourcing for their talent.
- 66% of pros reported having Security Engineering skills and 44% reported actively up-skilling; 70% of pros considered Cyber Threat Intelligence skills highly valuable versus just 59% of execs.
On certifications, the data revealed major differences in the types of certifications that execs want and those that pros currently have in all of the critical areas noted. For example, most Cloud pros were actively pursuing AWS and Azure skills and certifications. Yet, neither AWS nor Azure ranked in the top five skills sought after by the C-Suite.
- Pros highly valued AWS skills while certifications only represented 12% of all Cloud hires.
In terms of training in all disciplines:
- 50% of execs reported being willing to support up-skilling in-house, 75% preferred to outsource training off-site, and 75% were willing and happy to encourage certification.
Take Action to Improve Your Security Posture
Cybersecurity staff shortages are putting organizations at risk. COVID-19 and the rapid shift to remote work have added more dimensions of pressure, forcing pros to adapt and up-skill quickly. And despite economic uncertainty, 48% of organizations plan to increase cybersecurity staffing over the next 12 months, consistent with hiring plans from previous years.
This report is just one part of Evolve’s efforts to bring together the best and brightest in Cybersecurity through Corporate Training, Bootcamps, meetups, and other networking, leadership, and talent development activities to support the industry with more strategic hiring practices. To learn more about how Evolve can strengthen your organization’s security posture, get in touch.