For years, the business world has bemoaned a persistent gap between the number of cybersecurity jobs that need to be filled and the much fewer number of skilled and credentialed cybersecurity professionals to fill them.

According to the most recent report by Cyberseek, the demand continues to outstrip supply, with only enough workers to fill 85% of the cybersecurity jobs in the United States. Essentially, for every 100 such jobs, only 85 people are available to fill them. About 225,200 more cybersecurity pros are needed to close the talent gap in a U.S. cybersecurity workforce that now includes more than 1.2 million people and which has expanded steadily over the past several years, the report said.

From May 2023 and through April 2024, employers listed 469,930 cybersecurity jobs, according to the Cyberseek numbers. Cybersecurity engineers, cybersecurity analysts, and information systems security officers are among the most in demand.

“Although demand for cybersecurity jobs is beginning to normalize to pre-pandemic levels, the longstanding cyber talent gap persists,” Will Markow, vice president of applied research at Lightcast, said in a statement. “At the same time, new threats and technologies are causing cybersecurity skill requirements to evolve at a breakneck pace, forcing employers, educators, and individuals to proactively anticipate and prepare for an ever-changing cyber landscape.”

Cyberseek is a joint effort between NICE (a NIST framework that describes cybersecurity work and the skills and knowledge needed to do the work), IT certification and training firm CompTIA, and market analytics company Lightcast. Cyberseek’s latest report was presented at the annual NICE Conference and Expo this week.

Things are Improving – Somewhat

The numbers this year weren’t as bad as NICE presented in 2023, when it was estimated that 466,225 cybersecurity workers were needed to meet the demand, with only enough workers to fill 69% of the U.S. cyber jobs. A year ago, there were 1.1 million people employed in cybersecurity jobs.

Still, IT is becoming more cloud-based and is stretching further out to the edge – and now is quickly being infused with generative AI and all the promise and risk that come with it.  The need for cybersecurity workers will only grow. AI itself brings its own pros and cons. The technology will help cybersecurity workers in their jobs, giving them more powerful tools to identify and remediate threats and to automate many of the repetitive tasks in their work. That said, it also will give threat groups similar expanded capabilities.

The demand will continue to exist in the expanding tech sector. According to market research firm Statista, the global cybersecurity market will grow from $183 billion this year – just more than half going to security services – to $273.6 billion by 2028.

Layoffs Raise Eyebrows

Layoffs by cybersecurity vendors including Trend Micro, Orca, Sophos, Zscaler, Secureworks, Proofpoint and Rapid7 in the first few months of the year drew attention. However, the numbers weren’t as bad as the IT industry in general. Between May 2023 and April, the number of employer job listings for all tech occupations dropped 37%, while in cybersecurity, that number was 29%, according to Cyberseek.

Not all layoffs are equal, said Ira Winkler, CISO and vice president at CYE, a risk optimization company. In a column in February, Winkler wrote that layoffs are a fact of life in the modern workplace. Some companies – even cybersecurity vendors – will let workers go to improve their balance sheets, shed duplicate jobs after acquisitions, or adapt to declining sales. Some are the result of just terrible managers “whose incompetence and sociopathy deserve nothing but scorn,” he wrote. “However in most cases, there are legitimate business drivers that cause the termination even the best employees.”

Expanding the Talent Pool

There are steps organizations can take to find cybersecurity talent. As far back as 2019, CISA in a report noted that the gap between demand and supply wasn’t solely because the lack of talent but also was an issue of identification. Candidates were being turned away for not having the strict, education, training, and credentials companies were seeking. That could be bridged by identifying people with the right skills and experience who could transfer into cybersecurity.

It’s an idea that Bugcrowd CEO Dave Gerry agrees with.

“Employers need to take a more active approach to recruiting from non-traditional backgrounds, which, in turn, significantly expands the candidate pool from just those with formal degrees to individuals who, with the right training, have incredibly high-potential,” Gerry said. “Additionally, this provides the opportunity for folks from diverse backgrounds, who otherwise wouldn’t be able to receive formal training, to break into the cybersecurity industry providing income, career, and wealth-creation opportunities that they otherwise may not have access to.”

Organizations also need to account for bias that exists in cyber-recruiting and offer apprenticeships, internships, and on-the-job training to create the next generation of talent, he said.

Let the Fish Grow

Ontinue CISO Garth Lindahl-Wise added sabbaticals and job shares to that list, putting some of the onus on enterprise organizations to spend the time and money to help build talent rather than just look for it.

“We must incentivize the hours people put into training,” Lindahl-Wise said. “If it is worth it, it is worth rewarding: Think small financial benefits, additional time off for study, etc. Encourage and enable job shadowing and sharing.” He added, “Technical qualifications are not necessarily the issue. We are fishing in a pool for fish that haven’t had the time to grow to the size we want.”

Such training can also open employees to opportunities available in a cybersecurity career, said Omri Weinberg, co-founder and chief revenue officer at DoControl. Too often the hiring process involves trying to find someone who has all the required skills for a particular position.

“The HR process still isn’t quite there yet when it comes to finding talent in the cybersecurity industry,” Weinberg said. “The gap can be minimized when hiring managers and HR representatives work closely together to understand when a candidate is qualified for a role and is also a fit for the companies’ culture.

Organizations also need to consider what they can do to encourage the cybersecurity pros already in place to stay, said Time Callan, chief experience officer at Sectigo. “They can provide better environments by embracing modern architectures, implementing new tools like AI, and automating the routine work that takes up too much of IT professionals’ days,” Callan said. “Platforms such as ITSM and CLM can take away mind-numbing repetitive tasks, reduce stress, and give tech-savvy employees more reason to stick with their current careers.”