The cybersecurity skills gap: No end in sight?

We all know how hard it is for companies to fill open cybersecurity positions. But is the situation improving? What are the root causes of the problem? And most importantly—what can be done about it? 

A persistent problem

People have been talking about staffing issues in cybersecurity for years now. But unfortunately, things don’t seem to be getting much better.

A recent piece in Fortune reports that there are now about 700,000 unfilled cybersecurity positions in the United States alone. Globally, the number of open roles is estimated at around 3.5 million. And worryingly, analysts predict that in five years’ time, there will still be 3.5 million vacant cybersecurity positions worldwide.

Yet at the same time, we see cybersecurity touted (by the media and guidance counselors alike) as one of the hottest career paths around. A growing number of universities have CS or IT degrees with a focus on cybersecurity—and some even offer a dedicated BS in Cybersecurity.

But if there’s such a need to hire cybersecurity professionals, and so big a push to get more people into the field, why are companies having such a tough time filling these positions?

The answer is simple, if somewhat unsatisfying. There just aren’t enough qualified individuals for all of the open jobs: hence the “cybersecurity skills gap.” But what are the root causes of this gap? That, it turns out, is a little less straightforward. 

Getting to the bottom of the skills gap

It would be convenient if there was a single, easily identifiable reason for the cybersecurity skills gap. Alas, as with any complex economic phenomenon, it’s not that simple. Still, we can identify the main contributing factors that have gotten us into this situation:

A rapidly changing threat landscape. What counts as an essential “cybersecurity skill” can change very quickly. These shifts are often driven by market changes that (at least initially) have very little to do with cybersecurity. For example, in Fortinet’s 2022 Cybersecurity Skills Gap report, the most in-demand cybersecurity position among the companies surveyed was cloud security specialist—a sign of the massive and ongoing enterprise move to the cloud. But even five years ago, how many people were training, specifically, to be cloud security specialists? Hard to say, but clearly not enough to meet the 2022 demand!

Difficulty gaining hands-on experience with cybersecurity tools. We’ve written before about cybersecurity vendors who make it difficult for security teams to access their proprietary tools. But this culture of vendor secrecy has another negative effect: one that impacts people looking to break into the cybersecurity field. After all, it’s hard to apply for a role that requires familiarity with an EDR or SIEM you’ve never actually trained on! 

A lack of representation. Cybersecurity in the US suffers from the same general lack of diversity as STEM. To be blunt, the field is still overwhelmingly white and male. Women, minorities, and other groups are severely underrepresented. And when you’re pulling the majority of your workforce from a group that only accounts for 30% of the total population, that’s a problem (a 700,000 open jobs kind of problem). The silver lining is that there is a ton of untapped potential out there—if the industry can find ways to engage underrepresented groups. 

Roadblocks to innovation and growth. The cybersecurity industry is still dominated by large legacy vendors. This makes it challenging for newer/smaller companies to build their own tools or expand their service offerings. This contributes to the cybersecurity skills gap, because it’s exactly those forward-thinking, more agile companies who are likelier to downplay formal qualifications and offer on-the-job training to new hires. This is changing, but for now the large vendor model of cybersecurity makes it harder for aspiring infosec workers to break into the field.

How to fix the cybersecurity skills gap

The cybersecurity skills gap is not going away any time soon. But there is some good news. Within the industry, more and more leaders are stepping up to address the root causes of the problem. Here are some ways they are helping:

Free or low-cost training

To help make training more accessible, companies and individuals in cybersecurity are finding ways to offer high-quality training for free or at a reduced cost.

To offer just a few examples:

John Strand, a senior SANS instructor and owner of Black Hills Information Security, regularly offers a “pay what you can” SOC skills course through Antisyphon Training (an organization dedicated to affordable and accessible infosec training).

Heath Adams, a veteran and the founder of TCM Security, has argued that many of the big name training providers are too costly to be a realistic way into the industry for everyone. He has created a number of low-cost training courses aimed at people who want to get started in cybersecurity (and in particular, in red teaming and pentesting). 

For people who are a bit further along in their learning, it’s possible to create a self-study lab using open-source, professional-grade cybersecurity tools. There are plenty of setup guides and tutorials online that explain how to do this. Stefan Waldvogel, a SIEM engineer at Graylog, offered a great and very accessible example in a recent LinkedIn post. 

Product specific to LimaCharlie, we offer a series of free online courses that go over all aspects of the platform. You can sign up for free at edu.limacharlie.io

Diversity and inclusion

Industry leaders are also starting to take steps to bring underrepresented groups into the industry—absolutely crucial if we want to close the cybersecurity skills gap.

At times, this takes the form of high-profile institutional advocacy. Jen Easterly, Director of the Cybersecurity and Infrastructure Security Agency (CISA), recently announced that she wants to see women comprise 50% of the cyber workforce by 2030, and called on public and private sector executives to help make this vision a reality.

There are also formal communities with missions centered around diversity and inclusion. Organizations like Black Girls Hack and Blacks in Cybersecurity provide the kind of formal training, community, and support needed to increase diversity in infosec. 

And individuals are doing excellent work in this regard as well. DFIR expert Kimber Dowsett, Director at Krebs Stamos Group, founded the Mock Interview and Resume Review (MIRR) workshop to help future cybersecurity professionals write resumes and prepare for job interviews. Aimed at people from underrepresented and marginalized communities, MIRR offers mentorship and practical, hands-on guidance to those looking to get their foot in the door in cybersecurity. Notably, the workshop relies on the participation of individual volunteers: hiring managers and executives at cybersecurity companies who want to support greater diversity and inclusion in their industry.

A shift to SIaaS

This last one is close to our hearts at LimaCharlie! Security Infrastructure as a Service (SIaaS), an approach we’ve helped to pioneer, offers access to cybersecurity technologies as interoperable cloud primitives.

SIaaS makes it easier for growing cybersecurity companies to build their own tools and infrastructure, rather than always having to rely on large vendors. That makes it easier for them to scale—and to retain control over their client relationships.

The hope is that SIaaS will help to level the playing field, fostering innovation and healthy competition within infosec. This will be a good thing for people trying to break into an industry that is, at present, filled with big (and fairly traditional) tech companies. 

How to use LimaCharlie to build cybersecurity skills

If you’re a student or career changer who wants to set up a home lab to practice your cybersecurity skills, we’re here to help!

Getting started with LimaCharlie is simple. It’s easy to sign up, and we have a full-featured free tier that lets you deploy two sensors in any environment you choose. In addition, we have an ever-growing YouTube channel full of learning resources: webinars, tutorials, and walk-throughs.

Whether you want to train for an SOC role, build a pentesting lab, learn DFIR, or see how an EDR or SASE works under the hood, LimaCharlie has cybersecurity tools to help you develop your skills.