

A Global Shortage of Cybersecurity Professionals Leaves Businesses at Risk

As data and operations become even more closely intertwined, the demand for skilled cybersecurity professionals to manage strategic IT security is growing rapidly. 

The recently published 2019 (ISC)² Cybersecurity Workforce Study pointed to a severe shortage of cybersecurity professionals. The study estimated, for the first time, that there are 2.8 million skilled professionals worldwide currently working in the field and that an additional 4.07 million are needed to defend organizations.

Four Million Professionals Needed

The study covered 11 major economies: the United States, United Kingdom, Canada, Germany, France, Australia, Singapore, Brazil, Mexico, Japan and South Korea. It took a closer look at the state of cybersecurity employment to better understand the mindset and concerns of cybersecurity practitioners, and it revealed prescriptive solutions for alleviating the shortage of skilled professionals.

Source: (ISC)² Cybersecurity Workforce Study, 2019

According to the findings, U.S. organizations currently employ 804,700 cybersecurity professionals, and it would take a 62% increase to fill the current shortage of 498,480 needed workers. 

The gap is much larger in Asia Pacific, at 2.6 million, and somewhat narrower in Europe, at 291,000. Overall, it would take an increase of 145% to overcome the shortage, which is no small task.

A Career Path with Zero Unemployment

Clearly, we must retain the professionals we do have, while increasing the pool of interested and talented individuals that employers can draw from. As an industry, we’ve done a terrible job of promoting what a rewarding career this is. 

The most common image that comes to mind when one mentions cybersecurity is a hoodie-clad figure hunched over a keyboard in a dark room. This is not great marketing. 

One of the key motivators that cybersecurity professionals revealed in the study was that they become a go-to resource for colleagues and can raise their profile within their organizations. That, coupled with high average salaries, which only grow when they become certified, and 0% unemployment, makes this a very attractive career path.

But where will these skilled professionals come from? It will require some creative approaches in order to attract people who haven’t traditionally been interested in cybersecurity. 

The industry will need to look at new ways to cast a wider net if we are to grow the talent pool and attract career changers into the cybersecurity industry.

Consider Nontechnical Applicants

Traditional technical skills, while always important, are just one aspect of cybersecurity, especially as it evolves into a more prominent place within every organization. One of the strategies for hiring managers is not to search for too narrow a skill set.

Determining the traits that are truly needed for a role enables hiring managers to be creative in their recruitment efforts and look at a broad spectrum of backgrounds. They shouldn’t be afraid to go outside the technical landscape of traditional candidates. Not every position requires a Certified Information Systems Security Professional with five years of experience. They need to hire for what they actually need. 

Hiring managers should be screening for backgrounds in areas such as risk management, legal, communications, accounting and other science, technology, engineering, arts and math (STEAM) majors to build more well-rounded teams that can function alongside all departments of a company. 

Companies should start in their own backyard by looking at their current employee base to identify who may be ready for a change. They should invest in reskilling employees who already know the specific business, technology and processes.  

Foster Gender Diversity

While 30% of study participants were women and 23% were women with security-specific titles, there is considerably more to be done to deliver gender equality.

That is best done by bringing more women into cybersecurity roles, in both frontline and leadership positions, by encouraging women through mentoring and scholarships and training through career-changing opportunities.

Encourage Age Diversity and Flexible Work Schedules

Only 5% of the current workforce is under 25 years old. This Gen Z population is going to be a critical segment to bring into the fold as the baby boomers and Gen Xers begin to retire. We need to make the next generation aware of how great this career is and put it in terms that they understand and find appealing and rewarding.

We should be providing this type of awareness at the high school level, if not even earlier, as this is when students begin to decide on their college paths and future careers. However, on-the-job training, apprenticeships and mentoring for existing workers, along with encouraging certifications that confirm a high degree of competence, are also essential for growing a qualified workforce. 

Additionally, more middle ground needs to be found by employers to tap into employees for whom the regular working day isn’t possible or practical, such as parents, caregivers, those retraining and those with long or impractical commutes. This includes flexible working, along with leveraging new technology so that cybersecurity practitioners are not tied to a single location to do their work.

Be Creative

The global cybersecurity workforce gap is substantial, and we need to be creative in filling the gap. All of these strategies are based on two core concepts: Set reasonable expectations and be open-minded about who qualifies for cybersecurity positions. In many cases, organizations’ search parameters are too restrictive and cut and dried, which has obstructed the building of their cyber teams.

There’s no sugar-coating it. We’ll see more harmful cyberattacks if we don’t start to shrink the gap soon. Using some of the approaches above may just help us to do that.  

Wesley Simpson

COO of (ISC)²

As COO of (ISC)², Wesley Simpson oversees the operational aspects of contracts with all business partners. Wesley has been responsible for leading the development of IT organizations and global services, while also working in the field of software development and digital asset management for various Fortune 500 companies.