The world faces a shortfall of between 3.4 million and 4 million skilled cybersecurity professionals in the next few years, according to the World Economic Forum and the International Information System Security Certification Consortium, or ISC2.
That's despite rapid growth in the cybersecurity field. ISC2 said the global cybersecurity workforce grew by 8.7% from 2022 to 2023 to reach an all-time total of 5.5 million people — and yet the demand for cybersecurity professionals grew even faster at 13% year over year, according to the ISC2's 2023 Cybersecurity Workforce Study.
"The profession needs to almost double to be at full capacity," the ISC2 report said.
Meanwhile, thousands of local governments and government agencies, medical facilities and non-profit organizations are unable to fill cybersecurity positions due to lack of budget and available personnel.
This has created a perfect storm for ransomware attackers and other cybercriminals who prey upon the weaknesses of under-protected organizations, resulting in millions of dollars in damages and other costs.
"Organizations are having a difficult time finding people with the skills that they're looking for, or they're struggling to keep people with these-in demand skills, because they either simply can't afford to or aren't able to adequately invest in their ongoing skills development," said Victor Cordon, Director of Social Impact at identity-security provider Okta.
Clearly, there aren't enough people going into cybersecurity, despite it being a rapidly growing field that pays well.
Commonly cited reasons for the cybersecurity skills gap are employers who require college degrees and certifications plus years of experience in newly emerging fields like cloud security or AI; underfunded security teams that are perceived as budget drains; a lack of resources to prepare in-house IT staffers for cybersecurity roles; and the fact that there's no commonly recognized educational path to a cybersecurity career.
At the same time, a substantial number of seasoned cybersecurity practitioners are leaving for other fields, citing burnout and constant stress as factors in their decisions to change to a less nerve-wracking career.
Building up the cybersecurity workforce
To help close the cybersecurity skills gap, Okta and its Okta for Good philanthropic arm have, as part of the company's Cybersecurity Workforce Development Initiative, pledged $20 million over the next five years toward "accelerating digital transformation and cybersecurity for the social sector and strengthening the cybersecurity posture of civil society organizations."
"Cyber insecurity remains one of the top 10 global risks over the next 10 years and has implications for every organization across every sector while having a significant impact on society's most vulnerable communities," wrote Okta Vice President of Social Impact and Sustainability Erin Baudo Felter in a blog post announcing the pledge.
"Nonprofits are the second-most-attacked sector, behind only governments, when it comes to cyberthreats," she added, "with 65% of large NGOs lacking confidence in their own security posture due to insufficient resources to protect themselves and those they serve."
To this end, Okta has partnered with several groups that provide free cybersecurity assistance to non-profit organizations or train young people, often from underprivileged backgrounds, for potential careers in cybersecurity.
One organization that does both is the Consortium of Cybersecurity Clinics, which sends college students studying cybersecurity across the United States to, as the website puts it, "strengthen the digital defenses of non-profits, hospitals, municipalities, small businesses, and other under-resourced organizations in our communities, while also developing a talent pipeline for cyber civil defense."
The consortium's mission "not only helps bolster the cyber capacity of that nonprofit organization that the students are working with," Cordon told us. "It also provides the student this tangible experience in cyber, which we know is incredibly valuable when folks are looking to enter the profession."
The consortium's 30-odd member colleges and universities include Spelman College in Atlanta; the University of California, Berkeley; Columbia University; the Massachusetts Institute of Technology; the University of Texas at Austin and its sister campus in El Paso; Indiana University; Rochester Institute of Technology; the University of Alabama; and the University of Georgia.
Another group that provides free cybersecurity assistance is the CyberPeace Institute, based in Geneva, which helps protect the digital assets of non-governmental organizations around the world.
"They connect those organizations with cyber professionals from the private sector to do bespoke projects like risk assessment or incident response, support or threat analysis," Cordon explained.
We mentioned that a lot of cybersecurity professionals come out of the U.S. military, and Cordon pointed us to NPower, a Brooklyn-based group that offers free technology training to military veterans over age 21, and adults 18-26, from underserved communities in a dozen locations nationwide.
"In 2023, they reached about 120 students through their cyber[security] program," Cordon said. "Nearly 80% of them actually got into roles following program completion."
A similar organization is Genesys Works, which places high-school seniors in year-long, half-time information-technology paid internships with more than 200 companies in the Bay Area, New York, Washington, D.C., Minneapolis/St. Paul, Chicago and Houston. Okta is one of just a few cybersecurity companies that participate in the Genesys Works internship program.
"These young people get a front-row seat into what it's like to work at a leading cybersecurity company," Cordon said. "Hopefully, through this experience, they're helping to change the trajectory of their careers in the near future. And this is one among many ways that we can get more cybersecurity talent for the next generation."
Lowering the barriers — and lowering stress
Many cybersecurity professionals we know never went to college, and some didn't finish high school. For them, an early aptitude for computers and hacking resulted in careers that required more experience than formal education.
Cordon said that "as the demand for cybersecurity professionals grows, it's important to make the profession as accessible as possible."
He pointed out that in the Biden Administration's National Cyber Workforce and Education Strategy, "there is a call to help fill these vacancies by implementing hiring practices like the removal of the four-year degree requirements, as well as expanding talent pipelines through internships and apprenticeships or certifications, community-college recruitment."
As for the talent drain that comes with burnout and constant stress, Cordon suggests it might best be addressed on an organization-wide level by educating all staffers about what a security team does.
"I think it's important for organizations to implement and invest in training and upskilling their current workforce," he told us. "Expanding basic cybersecurity training to everyone in the organization becomes really important as well."
We asked if maybe cybersecurity recruiters might consider reaching out to "script kiddies" and videogame modders who might be receptive to a well-paying job that does more good than harm.
Cordon said that wasn't something Okta for Good had yet explored, but agreed that "there's already an interest, I think, in hacker culture and coding and playing around with technology, or through gaming."
His message to anyone considering a cybersecurity career was simple.
"This is an interesting kind of world, there's an opportunity for you to kind of fight the bad guys and help the good guys win," Cordon said. "There's a really cool opportunity for you to get into this profession now, knowing that it is something that's going to be ever-present, ever needed in the decades to come."