
State of the global cybersecurity workforce and the jobs ‘gap’

Calling shenanigans on job gap stats // Actual entry level roles // Upcoming conferences

Hello friends,

I hope you had an absolutely fantastic Thanksgiving. We did a road trip next door to Utah and spent the holiday hiking and enjoying the incredible beauty around Moab.

In this issue, we’ll be unpacking the latest research from ISC2, which publishes the seminal report on the state of the global cybersecurity workforce.

This report, along with some figures from Cybersecurity Ventures, is commonly cited to raise the alarm about the talent gap. We’ll take a deeper look at those figures and then unpack the highlights from the rest of the research.

We are all invested in building a robust cybersecurity workforce. Please take a read and let me know your thoughts.

In other news, I’ll be doing a LinkedIn Live discussion with Christophe Foulon on Tuesday, Dec. 5 at 11 am MT. Join for a great discussion as part of his Breaking into Cybersecurity podcast!

Enjoy,

Brad

State of the global cybersecurity workforce

Every year, ISC2 publishes a report on the global cybersecurity workforce. They recently published their 2023 edition, which, in addition to the normal survey stats, also covers timely topics around the impact of AI and the impact of the cooling economy on workplaces.

The workforce ‘gap’

Each year, ISC2 reports a headline stat on the size of the global cybersecurity workforce and the ‘gap.’ Lots of people cite this statistic alongside the 3.5M open jobs headline from Cybersecurity Ventures. ISC2’s own figure is 4M (actually 3,999,964, which, by the way, is an absurd level of precision). Of this 4M, 520K are in the US (cited as a 20% YOY increase). Interestingly, ~2.5M of the gap is in Asia, presumably driven by extrapolations based on population.

I, personally, call BS on these stats. 

I run a job board that does not purport to have a universal perspective on open jobs, but I do look at data scraped from 150 applicant tracking systems on cybersecurity job openings and then curate the jobs that show up on our site. Each week, we see a couple hundred new jobs populate and a few hundred leave, with an average time to fill of about 2-3 months.

Even if you assume coverage gaps in the data (which there are), this gets nowhere near a persistent gap of 500K jobs. Searching for cyber openings on Indeed, LinkedIn, and aggregation sites such as Google Jobs yields quality results mostly in the low thousands (plus many more jobs that are way wide of the mark). And since 500K is a ‘stock’ or run-rate number, you’d expect to see roughly that balance of jobs open at any given time, with a much larger number ‘flowing’ through each year (as some jobs do get filled).

My sense is that ISC2 is coming under some degree of pressure over these stats, as this year they published the following disclaimer in the body of the report:

It’s important to note what this year’s workforce gap represents. The workforce gap calculates the difference between the number of cybersecurity professionals that organizations require to properly secure themselves and the number of cybersecurity professionals available for hire. The workforce gap does not aim to estimate the actual current job market for cybersecurity professionals.  

In previous years, the definition of demand was: Demand is defined as the number of cybersecurity jobs organizations would like to employ over the next year minus the number of current workers. 

So, what we have is an estimate of what it would take to actually secure the world adequately. This raises the obvious question of how you define ‘properly secure.’ Additionally, it seems foolish to invalidate the choices that companies are actually making about their risk tolerance. Choosing not to post security roles is, explicitly or implicitly, a business decision.

So, I think we can definitively say that the gap is something much less than 500K jobs. 

Nevertheless, we do operate in an industry where there are significant demand and supply imbalances. One of the best thinkers on this topic is Ben Rothke, who has written several pieces on Medium unpacking the topic. 

He recently posted The big lie of millions of information security jobs (gated), which does a great job unpacking the issue. Previously, he posted Is there really an information security jobs crisis? Ben’s main points, which I agree with and I think we can definitively state:

  • Demand for highly experienced information security professionals exceeds supply (particularly at rates that companies are willing to pay)

  • Advanced technical disciplines are where the biggest discrepancies exist, particularly areas like cloud security and application security

  • Much of this is self-inflicted, with poorly written job descriptions that do not thoughtfully link screening criteria (certs, years of experience, tech experience) to the skills that are actually required to be successful in the role.

The ISC2 report does have good data on where these skill gaps are most prominent:

Impact of the economic environment

Clearly, 2023 has been the most challenging year for the infosec space in probably the past two decades. On the tech vendor side, as companies and their backers (most often VCs) have sought to reduce cash burn and extend runway (most are unprofitable), employees got hit hard with layoffs.

On the practitioner side, you can divide that camp into services companies and enterprise. Many cybersecurity services businesses saw declines of 5-25% YOY in 2023 and had layoffs in line with that. In enterprise, the picture was more muted, with employees more likely to feel the impact of hiring freezes, slow-rolled new hires, and caps on technology budgets. Relatively few security teams in enterprise were directly hit by layoffs this year.

Here’s the data from ISC2:

Security impact of being short on talent

Regardless of the size of the talent shortfall, it is clear that there are important enterprise security tasks that are simply not getting done because the people aren’t there to do them. The data above shows just how overburdened many security teams are.

The things that tend not to get done are often the ones that are most proactive in nature, such as: regularly re-assessing risks and quantifying them, documenting process and procedure, clearing out backlogs of vulnerabilities, and team training and development. 

Here’s what ISC2 found about what is not getting done:

Other takeaways

Here are other stats from the report that are particularly interesting:

  • 45% of hiring managers agree that their organizations rely too heavily on educational requirements when hiring cybersecurity workers

  • 57% of respondents indicate that a shortage of cybersecurity staff is putting their organization at moderate to extreme risk

  • 70% of respondents are somewhat or very satisfied with their current job (down 4% from last year)

  • 59% indicate that they are seeing an increase in applicants with technical backgrounds that are seeking to enter cybersecurity from adjacent technical domains

  • The top 3 reasons people entered security: 1) Career advancement opportunities, 2) High demand for skills, 3) They thought they would enjoy the work

  • The age of new entrants is skewing older, indicating that re-skilling and upskilling is happening (which we need!)

  • Top skills hiring managers are looking for: 1) Cloud computing, 2) Communication skills, 3) Risk assessment, analysis and management

You can read the full report here. I’d love to hear your takeaways!

Tools, resources, and useful things from the internet

Griffin Glynn posted an update to his awesome collection of OSINT tools, which compiles news, tools, resources, podcasts, etc. that are helpful for anyone trying to take advantage of all the open source intel that’s out there.

🧲Korn Ferry released their 2024 top talent acquisition trends. It’s (actually) pretty good. They are on point with a focus on skills-based hiring, and note trends in increased relocation with RTO, candidate use of AI, and the criticality of empathy.

🔈BlueHat (Microsoft con) keynotes are live

📙Directory of GPTs (ChatGPT bots for a specific use case)

News

📦Amazon is entering the cyber insurance game by being a lead provider of insurance quotes for AWS customers. Here’s my question: if they claim they have enough info to actuarially price risk, then why can’t they go the extra step and make sure that everything is actually properly configured? And does visibility into AWS controls really give you a full perspective on security posture? I’m suspicious. (WSJ)

📩Is Okta the new WordPress? News came out this week that the latest breach was wider (though not necessarily deeper) than previously disclosed. The company is shifting resources to focus on security for 3 months. (WSJ)

🩹Google patches sixth Chrome 0-day this year (Bleeping Computer)

🪓This was entirely foreseen, but Broadcom has sharpened the axes with their VMware acquisition. At least 1,300 employees impacted. (San Francisco Standard)

Jobs

We’ve had a big drop of new posts recently on the Crux job board. Check it out! This week we are featuring entry level roles (yes, they do exist!).

💼United Airlines. Associate- Cybersecurity (Chicago)

💼CrowdStrike. Threat Hunter Intern, Summer 2024 (Remote)

💼RKON. Junior SOC Analyst (Chicago)

💼Select Quote. IT Intern- Security Operations (Remote)

💼Heartland Business Systems. SOC analyst associate- summer 2024 internship (Des Moines, IA)

💼Poet. Information Security Intern (Sioux Falls, SD)

💼Agco. Cybersecurity analyst. (Duluth, GA)

Events

One of the (awesome) features of our new website is a comprehensive list of upcoming conferences. It’s one of the largest collections of cybersecurity conferences available. Check it out! 

A few of the exciting ones in store over the next few months:

🤝Gartner IAM. Grapevine, TX. Dec 9-11.

🤝NetDiligence. Miami, FL. Feb 12-14.

🤝CactusCon. Phoenix, AZ. Feb 16-17.

🤝Rocky Mountain Cyberspace Symposium. Colorado Springs, CO. Feb 19-20.

🤝FS-ISAC Americas Spring Summit. San Diego, CA. March 3-6.

Thinking about your next move? Join our network

Looking for awesome talent? Post a need for free.

Crux is the talent platform for cybersecurity. Check us out.