The Great Resignation comes up in every conversation VMware President Sumit Dhawan has with every CIO, he said at a recent technology conference: “The talent shortage is severe.” And while it’s not a new pain within the cybersecurity industry, it remains particularly acute.

In fact, the cybersecurity skills gap is growing, according to the U.S. Commerce Department. It reported about 600,000 unfilled positions in December 2021, up 29% from 465,000 at the end of 2020, according to Cybersecurity Ventures. This means not only are companies struggling to hire enough security professionals, they are also putting even more stress on their existing cyber staff.

The Great Resignation “is probably the top problem right now in the security industry,” Trellix CEO Bryan Palma said, adding it’s much worse for his company’s customers. “Most customers do something different. They make planes, they make soda, they deliver an online marketplace, but they’re not inherently a security company and the best talent in the security industry wants to work at a security company.”

Plus, as with most things in life, the COVID-19 pandemic made the ongoing cybersecurity talent shortage even worse.

As businesses moved their workloads to the cloud and sent their employees to work from home, security teams were tasked with protecting globally distributed and remote workforces across a massively bigger threat landscape. This drove some to leave the industry altogether, and placed a higher premium on available jobs as companies struggled to fill vacant positions.

In another big shift from previous years, 2021 saw ransomware and other major cyberthreats pulling more cybersecurity teams into work over long weekends and holiday breaks.

Great Resignation Intensifies Cybersecurity Competition

“There’s just that much more competition for talent, that much more opportunity for people who are unhappy or frustrated or burnt out to go somewhere else,” said Palo Alto Networks VP John Morello.

This underscores the need for DevSecOps and automation, he added. The vendor’s State of Cloud Security Report 2022 found investing in these technologies not only strengthens an organization’s security posture, but also provides other workforce benefits including better productivity and job satisfaction.

“Not only do you help your organization operationally by adopting these things, but you create a better place to grow and nurture security talent so that you don’t have to deal with that constant turnover,” Morello added.

A recent SANS survey found 62% of organizations struggle with staffing cybersecurity roles. Most (57%) cite challenges in cybersecurity complexity, and slightly over 50% of respondents reported difficulties in cost.

“What I’m hearing anecdotally is: Yes, the Great Resignation has played a role in cybersecurity,” said Jon Oltsik, an ESG senior principal analyst and founder of the firm’s cybersecurity service. ESG, along with the Information Systems Security Association, also conducts research for the annual Life and Times of Cybersecurity Professionals report.

Biggest Impact at CISO Level

Oltsik said he’s seen the biggest impact at the CISO level, and this may be because chief security executives can find more lucrative CISO jobs at other, larger companies. But there are a couple more universal factors contributing to security professionals at all levels leaving, he added.

“One is the workload just continues to go up,” Oltsik said. “People are willing to resign. Typically they don’t leave the industry, but there is a small percentage that is burning out and leaving security. But most just try to find better jobs or pay, or a company that puts a greater emphasis on training and mentoring.”

Additionally, some organizations haven’t done a good job accommodating remote security teams, he said. “And that’s leading to an increase in resignations. What I’m hearing from progressive companies is that they’re looking at just redesigning their security teams to be remote-work friendly.”

This benefits existing staff, and it also opens up the possibility of hiring security professionals outside of a particular geographic area. “That’s a best practice right now, but not all companies are doing that,” Oltsik said.

Why Cybersecurity Training Matters

“We still see entry-level [security] people struggling to find jobs and get their foot in the door,” he said. “But once they have two- or three-years’ experience, they get a million offers. That creativity and thinking outside the box is very important. When we counsel CISOs, we say to them: You really need to think about the skills shortage in every decision you make.”

Some companies are already doing this. Amazon Web Services this month announced a new security training series, The Safe Room, to help intermediate-level security professionals continue building their skills.

AT&T Cybersecurity uses paid internships, which Chief Security Officer Bill O’Hern calls the “best tools for onboarding new talent.”

Cisco’s Networking Academy, which the vendor says has reached 15.1 million learners across 180 countries in its 24-year history, this year aligned its Skills for All Cybersecurity Learning Pathway to the new Certiport Information Technology (IT) Specialist Cybersecurity Certification. Participants can earn the certification to help land roles such as cybersecurity technician, junior cybersecurity analyst, and help desk support.

In the fall, Fortinet pledged to train 1 million people globally over the next five years through its security training, certification, career-growth, and employment-assistance programs, after extending its free security training courses earlier in the year.

Around the same time, Exabeam kicked off its Cyberversity, meant to increase diversity and help close the skills gap in the cybersecurity industry.

Can Cybersecurity Be a Net Importer?

While training enough professionals to fill the skills gap isn’t going to happen overnight, the Great Resignation presents an opportunity for the cybersecurity industry, according to Palma.

“What we do is noble, and it has an amazing purpose,” he said. “It’s to make the world safer, and make sure those processes really work. We have purpose and mission on our side.”

So while employees leave other industries en masse, the security industry needs to talk about this mission and sell its story to attract new blood — workers who want to be part of an organization with a sense of purpose. “As the market goes through this Great Resignation, we have to double down on that,” Palma said, noting the exodus of social-media company employees.

“One of my directives is: We need to go recruit those people and tell them listen, if you’re worried about purpose, if you want to get up in the morning feeling good about what you do, then you want to be in cybersecurity,” he said.

“There’s a real opportunity for us as an industry to be a net importer as opposed to a net exporter during the Great Resignation and go steal great technology talent from other markets,” Palma continued. “We’ve got a great mission and purpose, and in today’s world that’s really resonating with a lot of people.”