Features 12.11.2024

ISC2 Workforce Gap Metric Infuriates Cybersecurity Pros as Jobs Prove Hard to Find

With many skilled cybersecurity professionals scrabbling around for work, it’s no wonder ISC2’s wild workforce gap claim is jarring to many. Assured Intelligence wades through the controversy

The ISC2 workforce report has long been respected by the industry. But its most recent iteration, which cites a 4.8 million workforce gap, has many cybersecurity professionals calling bullshit. With out-of-work CISOs scrambling for work, Danny Bradbury digs beneath the surface of this wild statistic in a quest for truth

These days, many folk (although not all) seem to visit LinkedIn for three reasons: to find a job, to find someone to fill a job, or to make cringe-worthy faux-inspirational social media posts. At the end of October, cybersecurity expert Ira Winkler bucked this trend by saying something that actually sparked debate. He fired off a volley of posts attacking the International Information System Security Certification Consortium (ISC2).

Winkler, field CISO at cybersecurity optimisation company CYE and the founder of floating cybersecurity conference CruiseCon, is an early member of ISC2. He was grandfathered in with his CISSP certificate because there wasn’t even a test at the time, he says. Today, he doesn’t feel that the 35-year-old non-profit association is what it used to be.

According to Winkler, the sticking point is the annual Cybersecurity Workforce Study. The report, which originated in 2004, has tracked a metric it identifies as ‘the workforce gap’ since 2018. This gap has increased each year, with the latest report (released in October 2024) putting it at 4.8 million.

Winkler criticises the report for “pushing a false narrative of a plentiful job market” at a time when he sees plenty of people struggling to get a job in cybersecurity after a spate of layoffs. “It’s not uncommon for people who are laid off to be looking for jobs for six months to more than a year,” Winkler says in one of his posts. “This is why the comments by ISC2 are very painful for people to hear.”

What is the workforce gap?

ISC2’s report states (although less loudly than Winkler would like) that the workforce gap figure doesn’t describe the number of available jobs on the market. Instead, it reflects the gap between the total workforce that the Consortium believes companies need to secure themselves and the number of suitably skilled professionals available worldwide.

The study articulates an equation for that gap in Appendix B: demand minus supply. The demand term is total demand (the workforce companies say they need) minus the current workforce, while the supply term is the number of new workers entering cybersecurity less the number leaving the industry. Beyond its survey base of 15,852 industry professionals, the data underpinning these components comes from a variety of third-party sources, including some that ISC2 reveals (such as U.S. Bureau of Labor Statistics data) and some that it doesn’t.

To satisfy Winkler’s demand for more immediate job numbers, perhaps it would be more appropriate to report separately on the actual number of jobs available. This isn’t in ISC2’s remit, states Andy Woolnough, EVP of corporate affairs for ISC2. “There is no need for us to do that,” he says, arguing that other organisations tackle cybersecurity job numbers already (and that ISC2 draws on some of their data). “What we are trying to do is keep the conversation on growth.”

A stagnating job market

That growth-oriented conversation is harder this year because ISC2’s own data highlights a stagnating cybersecurity hiring market. A quarter of all companies laid off cybersecurity staff in 2024, up three percentage points from last year. And 37% faced budget cuts, up seven points on 2023, while 38% froze cybersecurity hires. In a separate blog post, ISC2 said that the active workforce had risen just 0.1% in the last year, compared to an 8.7% increase in the previous year.

This is a first for ISC2 since it began using its workforce gap statistic in 2018, says its CISO Jon France. “This is the first time we’ve actually seen stagnation while the need continues to grow,” he says. The active workforce is static even as the number of people companies tell ISC2 they need to keep themselves secure rises. The 4.8m figure is up 19% from last year. “So it does feel a little jarring.”

With that grim picture facing the industry, Winkler’s dissatisfaction with ISC2 rests on what he believes the Consortium should be emphasising.

“It appears that ISC2’s own data shows that there are a large number of layoffs and expectations of a declining employment base for cybersecurity professionals, while their strategic focus is on bringing in more people to a currently stagnating profession,” he complains. In short, why keep emphasising the strategic need for more workers if companies aren’t hiring today?

Differing opinions

Opinions on the debate are mixed. Jonathan Care, a former Gartner research director and now an analyst at Lionfish Tech Advisors, worries that the concentration on a workforce gap might bring people into an industry with fewer jobs than they expect. “The inference being made is that the problem is not enough people with the appropriate industry badge,” he says. “And if only more people had an ISC2 certificate, then this workforce gap problem would be solved.” He’s not the only one to point out the self-serving nature of such research.

“Both sides are right,” counters one CISSP holder who has been working continuously in cybersecurity since the mid-nineties and did not want us to use his name. On one hand, there’s a clear sign that growth is needed. “Every time we do a measurement, we are lacking headcount,” says the two-time CISO who now manages business information security within a large e-commerce company. “We need a lot more people in cyber working towards these goals.” However, senior management still sees this as a low priority. “While my company recognises this need, there’s no funding for it, no opening for positions, and no intent,” he adds.

This executive feels the pinch personally as he continues to try to change employers with little success. “Since October, I’ve applied for a dozen positions and haven’t heard anything from any of them,” he complains. “Not even an auto-reply.”

Ghost jobs

Some commentators believe that many of the jobs talked about might not actually exist. In a LinkedIn post, Michael Figueroa, technology services and information security services practice lead at freelancing platform Toptal, asserts that many jobs are not real.

“I believe that ‘ghost postings’ significantly inflate those indicators,” he argues in his LinkedIn post, while adding that both the quality of roles posted “and the motivation to hire is way down.” He argues that needless job reposting – probably due to poor talent verification by hiring managers – is a problem. So are duplicate posts for the same job at multiple levels of seniority and across multiple geographies, he says. Together, these practices could be inflating job numbers.

“I’ve talked to recruiters who have used that as basically a way to keep the company in the collective consciousness of job seekers,” says Eric Mann, a former CISO who searched for months to find his present position at a stealth cryptocurrency startup. “If a company has not hired for a long time and then suddenly opens a bunch of roles, they don’t get traction. So recruiters will post roles, even if they’re ghost jobs, to make it look like the company is actively recruiting on a consistent basis.”

When job hunting, Mann applied for 20 positions each week for around nine months. He would handcraft a cover letter for each specific job, ensure that his resume reflected the job description, and sometimes answer extensive questions about what he saw as the value of the company’s product and why he was excited to work there. He often wouldn’t even get a reply.

“When you do 20 of those a week, to then receive no feedback whatsoever because the job didn’t exist in the first place, is insanely demoralising,” he says. When he did get replies, they would sometimes be ridiculously late. Speaking to Assured Intelligence in November, he said he had just received a rejection from a company he applied to in February.

Lionfish’s Care believes that there could also be financial reasons to inflate job numbers. He cites the posting of “hyper-specialised” jobs, which are often short-lived even when they are filled. He explains that analysts usually use hiring numbers as secondary data to assess company growth.

“One very plausible reason could be that investors will look at industry analyst reports and see that their properties are being favourably reported and are then minded to release further investment or allow for increased drawdown,” he says. In short, inflating hiring numbers could be a route to more funding. Others have suggested that it’s a way to build a case for resource allocation internally.

Low pay, high expectations

Filling other jobs is simply unrealistic when you look behind the curtain, warns Mann. He recalls a CISO position advertised at $300k. After he interviewed, the company offered him the job but at a salary of $162,000 and said that it was really an infrastructure job with security as an add-on. It also transpired that the position, advertised as location-independent, required him to be in the office regularly, making it untenable.

“In many cases, it is not a skills gap,” he says. “It is the anecdotal ‘I want somebody with a decade of experience in a very senior role, but I’m only willing to pay an entry-level salary’ because organisations as a whole treat security as a bolt-on.”

Mann warns that unrealistic—or simply unreal—jobs are difficult to identify on paper. That makes it even harder to tell exactly how much demand there is. However, anecdotal evidence, along with ISC2’s report about depressed hiring, tells us a lot about the state of play.

The above accounts are just some of those we received, suggesting that it’s tough out there for cybersecurity job seekers. ISC2 is also disturbed by the hiring figures in its report. That said, the workforce gap is a different measurement. For folks like Winkler and many LinkedIn commentators who supported him, an industry metric that might have been palatable in more plentiful times suddenly feels much harder to swallow.
