For cybersecurity professionals, 2023 was a mixed bag of opportunities and concerns. The good news is that the number of people in cybersecurity jobs has reached its highest number ever: 5.5 million, according to the 2023 ISC2 Global Workforce Study. However, the same study reported that there is still a serious shortfall. To best address threat landscape challenges, the workforce needs to grow at a rate of 12.6 percent a year. In the 2023 study, it only grew by 8.7 percent.
More troubling than the shortfall of approximately 4 million cybersecurity professionals is the slowdown in hiring and the rise of cutbacks. As the ISC2 study found, nearly half of those surveyed said their companies have dealt with layoffs, reduced budgets and/or hiring freezes — with more slowdown expected to come in 2024.
It’s quite a paradox. The need for a skilled cybersecurity workforce is greater than ever due to the rise in cyber threats, new attackers and attack vectors. Positions are available. Yet the looming threat of an economic downturn has made employers overly cautious about filling out their security team, and part of the reason could be because having a warm body in the position isn’t enough; potential employees don’t have the right skill sets to effectively guard against today’s biggest risks.
So, what are the demands on the cybersecurity workforce as we head into 2024? What skills are in demand and what are the obstacles that potential cyber professionals face?
A Google search of cybersecurity jobs came up with hundreds of hits. On the very first page, there were ads for a cybersecurity administrator, a cybersecurity analyst, a cyber intelligence analyst and a cybersecurity engineer.
Asking a generative AI tool for the top skills that employers are looking for in a cybersecurity workforce, the top results, which used information from job sites like Indeed, LinkedIn and Coursera, included:
These descriptions highlight one of the biggest issues cybersecurity professionals face when looking for new jobs or starting their careers. There are no standards for job titles, and the job requirements are fairly generic. Entry-level positions often require multiple years of experience along with certifications like CISSP, Security+ and CISA.
As government agencies, contractors and the military ramp up their cybersecurity defenses, one key requirement often stands in the way of hiring qualified applicants: security clearances.
“There are many cybersecurity jobs that need clearance, which means the main pipeline is from the military for these roles, often with no actual technical expertise,” Joseph Yang, Information Technology Administrator for Summit Public Schools, Redwood City, Calif., said in a LinkedIn message.
Getting security clearance is a complicated process that starts after the job offer is accepted. It can take upwards of a year or more for clearance to be approved, and there are disqualifiers for approval, like citizenship and poor credit scores.
Every business, no matter the industry or the size, needs to think about cybersecurity. But some industries are more at risk than others. The industries that require strong cybersecurity policies and practices are finance, healthcare and energy. All three are highly regulated industries that must follow strict compliance guidelines to protect customer data. Healthcare and finance have long been popular for attackers because of the treasure trove of information and monetary benefits. Energy may seem like an outlier here, but the energy and utility infrastructure has become a target for ransomware attacks in recent years.
But as the threat landscape changes and new technologies boost new industries, risk levels are shifting toward different industries. According to Cyber Degrees, industries now in near critical need of cybersecurity are digital assets, e-sports and those developing AI technology. Those industries seeing an increase in risks include manufacturing, professional services and education.
Sometimes, your best cybersecurity employees have been inside the company all along. In fact, Robert Fitzgerald, Field CISO with Blue Mantis, recommended training new cybersecurity professionals. During a phone conversation, Fitzgerald pointed out that training someone specifically for your organization means you ensure you have a cyber professional who knows your organization’s security needs and they aren’t bringing in any bad habits from past jobs.
Upskilling is something large enterprises and government agencies have been doing for a while, as research finds that training employees for new tasks improves overall retention. SMBs that might already be using MSSPs for most of their cybersecurity needs can also take advantage of upskilling to ensure that they have some in-house experience, even to help other employees with security awareness training and improving overall cyber hygiene. Many cybersecurity vendors offer training programs specific to their products, while others offer vendor-neutral training that can build on skill sets. Organizations like the Cybersecurity and Infrastructure Security Agency (CISA) and ISC2 offer training options, as well.
There are some basic hard skills that every cybersecurity professional needs to know. Technical skills in operating systems, building infrastructure and databases, coding languages and understanding the fundamentals of computer networking are a must.
But cybersecurity is becoming more specialized. There is a greater need for those who understand cloud computing and the differences between cloud security and information security. AI is going to present new challenges in cybersecurity, so those who can implement AI as well as defend against new threats are required. Data analysts, white hat hackers for penetration testing and app development are also skills in increasing demand.
Organizations need cybersecurity professionals with experience with governance frameworks. Nearly every industry is now required to meet at least one government compliance standard, and new laws are being introduced each year. While a CompTIA study found that governance isn’t a high-ranking skill needed among its respondents, the changing nature of compliance means that companies will need someone with this skillset to build strategy and ensure security measures meet regulations to avoid penalties and hefty fines.
Soft skills may be just as important as technical ones. Cybersecurity requires communication, so cybersecurity professionals need good verbal and written communication skills and the ability to work with people face-to-face. ISC2’s survey listed communication skills as the second most in demand, immediately behind cloud computing security. Good networking skills are vital. If interacting with the security team intimidates the rest of the organization’s employees, cybersecurity efforts will fail.
Be aware that skills do become dated and fall out of favor. The ISC2 report found that formal cybersecurity education is less in demand, especially advanced degrees and knowledge of advanced cybersecurity concepts. Hands-on experience is becoming more important.
The most important requirement for a career in cybersecurity is interest. Technology can be learned. Soft skills can be practiced. But no matter your background, if building knowledge around threat actor behaviors and putting together the strategy to protect data and networks is something that interests you, you’ve already taken the first step toward becoming a cybersecurity professional.
8 min read – In the realm of cybersecurity, both information technology (IT) and operational technology (OT) present distinct challenges that organizations must navigate. Ensuring the security of these distinct domains is paramount to bolstering your overall cyber resilience. By following the best practices…
8 min read – Web injections, a favored technique employed by various banking trojans, have been a persistent threat in the realm of cyberattacks. These malicious injections enable cyber criminals to manipulate data exchanges between users and web browsers, potentially compromising sensitive information. In…
3 min read – As 2023 draws to a close, it’s time to look back on our top five federal cyber stories of the year: a compilation of pivotal moments and key developments that have significantly shaped the landscape of cybersecurity at the federal…
6 min read – From world events to the economy, 2023 was an unpredictable year. Cybersecurity didn’t stray far from this theme, delivering some unexpected twists. As organizations begin planning their security strategies for 2024, now is the time to look back on the year before and extrapolate what the future may hold.The year kicked off with Generative Artificial Intelligence (GenAI) hitting the headlines and dominating the conversation unexpectedly. The impact of the many new uses for GenAI rippled the cybersecurity world and was…
8 min read – In the realm of cybersecurity, both information technology (IT) and operational technology (OT) present distinct challenges that organizations must navigate. Ensuring the security of these distinct domains is paramount to bolstering your overall cyber resilience. By following the best practices outlined in this article, you can minimize potential vulnerabilities and keep your security posture strong.Differences between IT and OTIT encompasses digital systems that facilitate data management and communication within organizations. In comparison, OT refers to the specialized systems that control…
4 min read – From May 7 to 12, 2021, the massive Colonial Pipeline refined oil product delivery system ground to a halt. It was the victim of a DarkSide ransomware cyberattack. The Colonial Pipeline delivers about 45% of fuel for the East Coast, including gasoline, diesel fuel, heating oil, jet fuel and fuel used by the military.When Colonial security teams detected the malware, it had already infected the company’s IT network, which they shut down. The pipeline operators also shut down OT systems…
4 min read – Organizations constantly face new tactics from cyber criminals who aim to compromise their most valuable assets. Yet despite evolving techniques, many security leaders still rely on subjective terms, such as low, medium and high, to communicate and manage cyber risk. These vague terms do not convey the necessary detail or insight to produce actionable outcomes that accurately identify, measure, manage and communicate cyber risks. As a result, executives and board members remain uninformed and ill-prepared to manage organizational risk effectively.…
Analysis and insights from hundreds of the brightest minds in the cybersecurity industry to help you prove compliance, grow business and stop threats.

source