The cyber workforce shortage has been the talk of the industry for the past few years. Many jobs remain unfilled, and experts predict that number will only grow. The gap is the result of many different factors, but at the heart of the problem are root causes. The field can attract and retain workers by identifying these and working to overcome them.

In this post, we’ll look at the data, diagnose the root causes, and define how to close the gap.

The Data on the Cyber Workforce Shortage

There is a lot of data on the cybersecurity workforce landscape. It’s a pervasive issue, so reports and surveys that try to uncover the why are in high demand. We’ll look at the (ISC)² 2022 Cybersecurity Workforce Study and the ISACA State of Cybersecurity 2022 Report.

The workforce study detailed that the global cybersecurity workforce grew to over 4.6 million, which was an 11% year-over-year increase. Even with this increase, there are still 3.4 million jobs that are vacant. It’s something that’s keeping cyber leaders up at night. Survey respondents had this to say:

  • Organizations with a significant staff shortage had more concerns about risk, with 74% stating it was extreme or moderate.
  • 60% of organizations said they are struggling to keep up with turnover.
  • 70% of companies have challenges with retention.
  • It takes, on average, three to six months to fill an empty role.
  • There is a correlation between cyber professionals not feeling their input is welcome and valued and low employee experience ratings.
  • Younger generations have new expectations in work, with this group more concerned about emotional health, Diversity, Equity, and Inclusion (DEI), and having a voice.

What Conclusions About the Workforce Gap Can We Make Based on the Data?

So, why does this gap exist? It’s complicated, and many things driving it are outside your control. We can draw some conclusions from the data that diagnose what’s happening.

More Threats Drive Demand for Cyber Professionals

First, the demand for more cyber professionals would, of course, increase as cyber threats do. Cybersecurity is about identifying and mitigating risk, so it doesn’t exist without the threat landscape. It keeps us all gainfully employed, but consider how much it has evolved in the past few years.

Ransomware is more prevalent than ever, and the means to carry out these attacks have become much more sophisticated. It’s a favorite tactic for hackers, mainly with financial gain as the desired outcome. Cybercriminals are using old and new weaknesses to attempt to seize control of applications, data, and systems.

Cybercrime-as-a-service enables a new group of criminals to hire hackers on the dark web to do their bidding. You can now choose from a “menu” of attacks, from phishing to ransomware to AI-enabled cybercrimes. No one has to be a cyber genius to launch these attacks. Hacking is now more accessible—a commodity even. As a result, the threat landscape broadens.

Hacktivism is another emerging trend that’s increasing risk. For the first half of 2022, DDoS (distributed denial of service) attacks increased by 203% over 2021, with many of these fitting the hacktivism label. It’s a different motivation for these cyber criminals and impacts businesses even if they don’t have social or political ties.

Then you have all the advancements that AI brings to the hacker toolbox. It enables them to improve phishing campaigns and send them out more quickly. It can help them gather data for attacks, create deepfakes, hide malware, and break passwords and CAPTCHAs.

These are just some highlights, but they represent all the risks and threats that cyber professionals must defend against every day. For organizations, it’s a driving need to hire more people and keep them.

Retention Is a Concern, and Burnout Plays a Role

The job of a cyber professional can have moments of high pressure and stress. Without a healthy culture to balance this and consistent communication, this can lead to burnout. If you don’t have enough people, then those you do have end up with more and more on their plate. Many technical folks further disconnect from the job, considering it their biggest stressor. Being overwhelmed in this manner often ends in attrition.

Without a focus on evening out workload, communication, collaboration, and a healthy culture, burnout will grow and play out repeatedly.

Burnout isn’t the only cause of poor retention. It’s also the environment. If it’s toxic, more people will leave. They have options with so many jobs available. Other things that contribute to this are compensation that’s not competitive, lack of promotion opportunities, no management support, and inflexible work policies. Regarding financial incentives, only 31% of organizations said they pay a competitive wage.

In short, you can’t attract or keep good employees if you don’t address burnout and retention.

Cyber Professionals Need More Acknowledgement and Connectedness

Your current and future employees have a lot of knowledge and expertise. Failure to acknowledge this or ask for their contributions to a challenge creates low morale. It isolates people who are often introverts worried about saying the wrong thing. If they keep this close to the vest, you also can’t understand their motivations and what they need to succeed.

The Workforce Study found that lack of support from leadership contributed to a lower employee experience. Improving this is something within your control. When workers feel valued for their input and part of something bigger, they are more engaged and open to learning and growing. Creating such a culture ensures that you can attract and retain great workers.

Younger Generations Have Apprehension About the Industry

Cybersecurity has a branding problem, as younger generations have new expectations about work and for whom they work. Currently, only 12% of the cyber workforce is 34 or younger. It’s one of the most consequential drivers for the cybersecurity workforce shortage.

Cybersecurity needs a rebrand to attract these people. It should include things like improving culture, eliminating gatekeeping and blustering, being more communicative, embracing diversity, valuing the employee voice, and helping them grow professionally and personally.

One of the best ways to do this is with the Secure Methodology™. It’s a seven-step guide to transforming technical folks into excellent communicators and collaborators. It can be a key way to address many of the challenges related to the workforce gap.

Using the Secure Methodology to Improve the Cybersecurity Workforce Shortage

Here’s a preview of each step of the Secure Methodology, which I defined and designed in my book, The Smartest Person in the Room. The title refers to how many cybersecurity professionals see themselves and how that can be a downfall.


In this first step, people become aware of themselves and others. Through the exercises in the book, technical people can begin to understand their behavior and its effect on others. It can be a struggle for anyone, especially cyber professionals. Once they achieve awareness, they can let go of fears about uncertainty and their place in the organization, which can counter burnout and improve the employee experience.


Individuals have a growth or fixed mindset. When it’s fixed, they do not change. They accept their perspective and won’t work to evolve it. It’s a problem that will hamper recruitment, retention, and job satisfaction. If your culture presents a place to grow and adapt through a broader mindset, you can attract and keep people on staff.


We talked about acknowledgment earlier and how it feeds into the employee experience. By practicing acknowledgment, your team understands their importance and gets the feedback they crave. Involving your people in big decisions is another form of acknowledgment, and it can go a long way in positioning your company as a great place to work and thrive.


The fourth step is communication, and it’s really the core of the Secure Methodology. We cannot fix the workforce shortage issue without clear, consistent, and meaningful communication. Communication starts in the recruitment phase with being transparent and open about cybersecurity. It also has to be a central part of everything you do with employees.

When it’s part of your culture, you’re building a collaborative and cooperative team. They’ll be able to engage better with each other and the business side. As a result, everyone can be on the same page and reduce the ambiguity that drives dissatisfaction and churn.


Monotasking is essential to supporting the overworked, which cyber professionals tend to be. It’s even more so with so many companies short-staffed. It’s the principle of concentrating on one task without any disruptions. It gives them time to focus and use critical thinking and problem-solving skills. The results could include improved stress levels and people being more comfortable asking for help.


Empathy within your cybersecurity culture means the ability to understand another’s perspectives and feelings. Developing this skill in technical people can encourage them to feel less frustrated with their customers (users). With attention toward empathy, people can learn to let go of blame and resentment, which often festers and creates burnout and attrition.


The last step is Kaizen, which means “change for the better.” It’s the ultimate objective of the Secure Methodology. It’s all about continuous improvement. A culture that embraces this will attract excellent candidates and keep them. There is no “perfect” in Kaizen, even though perfection is what the smartest people in the room are attempting to achieve. There is only the motto of constant improvement.

You can learn more about each step and how to use it to transform your organization and solve the workforce shortage problem by reading my book. Check out the Secure Methodology course, too.