The global cybersecurity workforce gap has increased by 12.6% since 2022, reaching four million people, and 92% of cybersecurity professionals said they had skills gaps in their organization.

The study by ISC2 revealed the top three skills gaps at an organization are cloud computing security (35%), artificial intelligence/machine learning (32%) and zero trust implementation (29%).

The report also found nearly half (47%) of respondents experienced cybersecurity-related cutbacks in the past year, including layoffs, budget cuts and hiring or promotion freezes. Of that group, 22% were impacted by layoffs, both first- and second-hand.

Furthermore, 47% of respondents admitted they have no or minimal knowledge of AI and associated risks.

AI and emerging technologies were cited as the biggest challenges facing cybersecurity professionals over the next two years (45%), followed by worker/skill shortages (43%).

However, the majority (52%) of cybersecurity professionals said their organizations are encouraging the use of AI internally and that advancements in AI have the third most positive impact on their ability to secure their organization, behind zero-trust (34%) and automation (40%).

Purpose-Built Talent Acquisition

Mika Aalto, co-founder and CEO at Hoxhunt, said organizations would do well to have a purpose-built talent acquisition function that promises on-the-job mentoring and offers to pay for certification courses to promising candidates, both internal and external.

“During the early stages of the digital and mobile revolutions, we went through similar talent shortages as the need for IT professionals and developers exploded overnight, and the talent gap was filled by a massive youth movement and by drawing smart people from non-traditional backgrounds,” he said.

From his perspective, the cybersecurity talent gap, like every big problem, is really an “excellent opportunity.”

“We have a huge pool of long-overlooked talent that can be tapped with better diversity and inclusion hiring practices,” he pointed out. “Cybersecurity is an excellent career for women and minorities to enter, particularly for those who’ve felt blocked from entering other tech sectors.”

Tony Goulding, cybersecurity evangelist at Delinea, said organizations will likely need to hire for skill sets they don’t possess.

“However, larger organizations should invest to grow their existing workforce in parallel to hiring new talent,” he says. “Train internally and provide compelling career advancement. Identify your strongest talent and reskill those employees to nurture your in-house talent pool.”

He also advised organizations to keep up with new and emerging tech to keep workers current with skills that are not yet widely available, as well as cultivate skills and potential future employees through internships.

“AI, ransomware, complex hybrid IT infrastructures and geopolitical threats are examples of areas that require the kinds of skills organizations are struggling to obtain,” Goulding says. “Organizations must revisit their cybersecurity programs to ensure they’re as strong as they can be and set up for future requirements.”

This involves regular risk assessment reviews to ensure they’re accounting for all these emerging threats, updating controls accordingly, tools and feeds that keep them abreast of the threat landscape, and frequent testing to ensure those controls are doing their jobs.

Balancing Prevention and Resilience

Dave Ratner, CEO of HYAS, explained that many organizations still don’t have the visibility and observability solutions required to detect anomalies and breaches inside their environments and shut down attacks before damage occurs.

“As we shift into a brave new world that is focused on operational resiliency, this visibility is no longer a nice-to-have but becomes mission critical for any organization to properly handle the onslaught of cyberattacks,” he said.

Ratner said organizations must ensure their capabilities are appropriately balanced between prevention and resiliency.

“Keeping bad actors out of the environment is clearly necessary, but it’s clear that in today’s age, it is no longer sufficient,” he said.

He noted that organizational alignment around appropriate levels of internal visibility and resiliency capabilities is required so that they can not only keep bad actors out but can quickly detect and react when they breach and break in.

“Part of this is how the organization’s various solutions work together in a security-in-layers approach,” Ratner said. “Often organizations have multiple tools, but if they aren’t all integrated, it is more difficult for the lesser-skilled individuals to see what is happening in real-time, and more difficult for them to understand what actions need to be taken.”