How are infosec leaders thinking about cybersecurity training going into 2023? We surveyed over 100 IT and security leaders across multiple industries to understand whether — and if so, how — they plan to prioritize workforce development as part of their overall cybersecurity strategy.
Next, we compared those results against a similar survey we took at the height of the pandemic in 2020 to map how sentiments have evolved over time. (The data from our latest survey was collected in Q3 and Q4 of 2022.)
Drivers for cybersecurity market growth
When CyberSeek analyzed the last decade of cybersecurity job postings by volume, nine of the ten highest-ranked months fell in 2022 alone, with 769,736 openings posted by employers. Even amidst the turbulence of layoffs within the tech industry, it’s clear that the need for cybersecurity professionals is stronger than ever.
In addition to a constant need for talent, Gartner estimates that 2023 will see 11.3% growth in cybersecurity investments overall. There are several factors that contribute to this growth:
Never-Ending Attacks & Breaches
- IBM reports the steep cost of data breaches averages $9.44M in the US per breach, the highest across the globe.
- The same report found that ransomware attacks increased by 41% in 2022, contributing approximately $430K per breach.
- New AI technologies such as ChatGPT are opening new avenues for attacks and novel attack types.
New Federal Regulations
- The US Securities and Exchange Commission (SEC) is proposing new rules for cybersecurity disclosures and expertise requirements of board members.
Technology to Support Business Resilience
- Hybrid cloud adoption can help optimize operations and support hybrid work, but this architecture expands the attack surface if not properly configured.
- Machine learning and AI integration provide support to security staff but may require already overstretched staff to go through additional or specialized training to manage, repeating the cycle for skills gaps.
And the survey says…
Leaders are going full [work]force in 2023.
Today’s leaders are prioritizing ways to grow and develop their cybersecurity teams with the goal of creating mature, long-standing programs, increasing retention, and allowing for lateral growth across the organization. That means security leaders need to know their teams, those teams need to know their stuff, and everyone has to stay on top of the threat landscape.
In our latest survey, 80% of cybersecurity leaders stated that filling skills gaps within their cyber teams is a top priority in 2023, compared with 65% in 2020. This may seem obvious, but when economic uncertainty looms and belts tighten, training and L&D are usually the first to be cut. This finding tells us that most organizations embrace the idea of investing in the people they already have and creating an environment of long-term growth, especially when external, experienced talent may be hard to come by.
While the percentage of respondents interested in increasing the skills of their cyber talent jumped 15% since 2020, it’s worth noting the level of confidence in employers’ current training solutions. Confidence is up overall, but there’s a wider gap between their desire for increased cyber skills and their confidence in current training solutions. Leaders have yet to find an all-in-one solution that meets their needs. (More on that later in the article.)
Companies need more heads in the cloud.
It comes as no surprise that cloud security tops our list of most in-demand skills by employers for 2023 at 65%. According to Flexera, nearly all organizations, or 89%, have implemented a multi-cloud strategy to optimize their existing use of the cloud. However, the expansion of hybrid cloud and multi-cloud environments greatly increases the risk of breaches, namely due to misconfiguration.
While there has been some improvement in recent years, the onus is typically on the end users to regularly secure cloud platforms with patches or updates. For this reason, upskilling employees with the necessary cloud security and vulnerability management skills is critical to upholding the enterprise’s digital infrastructure.
Bigger focus on better role definition and career pathways.
Organizations are also creating more opportunities for internal career mobility in order to retain talent. We’ve seen the number of organizations focusing on internal career growth jump from 18% in 2020 to 42% in 2022.
The problem of how to standardize job roles and career paths has been a thorn in the side of leaders for years. Many of today’s cybersecurity professions and technology didn’t exist five, ten, or fifteen years ago, so defining and developing technical skill sets are always a moving target. For example, the competencies and duties required of a security analyst can vary between organizations—even industries—which makes it challenging for CISOs to categorize roles and the skills needed for a job-ready workforce.
Add in the additional challenge of how to train and advance the next generation of cyber leaders with the skills to understand how to lead, manage, and prioritize a cybersecurity program, and you can see how difficult it is to figure out a streamlined way to effectively develop and prepare cyber talent across the organization.
Creating clear career paths, training, and other development opportunities is critical for organizations that want to retain younger employees, who are known for job hopping at faster rates than other generations. 47% of respondents to an ISACA report say the lack of career development opportunities is a top factor in their decision to leave a company.
Employers are juggling multiple training solutions.
For smart cybersecurity leaders, it should be a given to invest in a mechanism to develop talent from within. The challenge becomes how to acquire a baseline understanding of the skills needed relative to the organization’s goals, and how to implement a comprehensive training and development plan based on specific roles.
At the beginning of the pandemic, the distribution between internal training, external training, and a combination of the two was more or less evenly weighted. That has since shifted dramatically. More companies are bringing training in-house and increasing the number of training options offered to employees. In 2022, 87% of survey respondents reported using two or more training methods—nearly twice as many as in 2020 (43%).
Internal training makes sense for organizations that want to reduce costs or provide specialized training, but there can be some limitations. In-house training minimizes opportunities for the new perspectives that could be gained from outside training specialists, potentially enabling the “we’ve always done it this way” mentality. And if the majority of internal training is provided “on the job”, as noted in the survey, then senior practitioners spend more time in oversight and less performing their actual job duties.
External training has its advantages as well, since it transfers the development and upkeep of curriculum and administration to a third-party provider. But when provided to teams without a framework to achieve organizational goals (having more job-ready analysts, creating a path to upskill talent from other roles, etc.), it can become underutilized “shelfware” that doesn’t get organizations where they ultimately want, or need, to go.
Our guess? Cybersecurity skills gaps will continue to widen as new technologies and attacks outpace the rate of new knowledge acquisition. But organizations can prepare for and tackle these challenges head-on by taking the steps to create a strategic cyber workforce development plan, understand their own skills gaps, and effectively build the talent they need internally.
For organizations who need help getting their workforce development strategy off the ground, building their teams’ cloud security skills, or clearing paths for new and existing employees to advance within cyber, our team can help you get started.