Despite concerns from some quarters about tech layoffs and a possible recession, hiring cybersecurity workers remains a top priority for many organizations as infrastructure and network threats continue to be a constant cause of concern.
This demand for cybersecurity talent, in turn, has tech workers looking to upskill to keep pace with these needs, as well as to take advantage of a market that is creating lucrative and career-changing opportunities for those with a range of security skills. An August report published by Pluralsight confirms this trend and finds that cybersecurity has replaced cloud computing as the area with the largest tech skills gap.
The study of 700 tech pros in the U.S., Europe, Australia and India found that about 43 percent of respondents ranked cybersecurity as their top skill concern in 2022, compared to 39 percent who ranked cloud as first. The researchers also found that 44 percent of those surveyed listed cybersecurity as the one skills gap that poses the greatest threat to their organization.
“Cybersecurity is a hot field to be in right now and there is no shortage of interest in learning and participating in cybersecurity as a career path,” Casey Ellis, founder and CTO at Bugcrowd, recently told Dice. “The needs in cybersecurity are so rapidly evolving and dynamic that the problem could be better described as a talent-matching problem. Therefore, skills identification and on-the-job training is a logical solution.”
Ellis’ comments dovetail with the survey results, which show nine in 10 respondents want to improve their tech skills to fulfill personal career goals, and another 86 percent want these skills to reflect their organizations' overall strategy. The major issue, however, is that many tech pros don’t see their companies dedicating enough time to improving skills or allowing for upskilling, according to the report.
“This data shows a misalignment between technologists' desire to hone their skills and organizations' willingness to dedicate time for upskilling,” the Pluralsight report noted. “Technologists are eager to gain skills to make their organizations more successful. Business leaders must allocate resources and time to help technologists achieve their upskilling goals.”
A Need for a More Skilled Cybersecurity Workforce
The so-called skills gap in cybersecurity has been well documented; one report found about 700,000 unfilled cyber positions in the U.S. alone. The Pluralsight report and security experts have all emphasized the need for additional skills to help fill these openings.
“Despite the uncertainty in the economy, organizations are not slowing down their innovation and cybersecurity investments to keep their business on cutting edge,” John Yun, vice president for product strategy at security firm ColorTokens, told Dice. “Organizations are putting serious dollars and resources behind initiatives such as zero trust and microsegmentation to combat modern cyber threats. When you couple the accelerated pace of innovations with the new modern security concepts and products, the need for cybersecurity experts shows no sign of slowing down.”
Yun also points out that many organizations lack employees with adequate cloud skills at a time when many of these enterprises are adopting multiple cloud platforms. That compounds the problem, since cloud and cybersecurity are the two areas of tech with the greatest skills gaps.
“In the past two years, not only have organizations accelerated their cloud adoption, they have fully embraced multi-cloud,” Yun added. “For security professionals, that means he or she must keep up-to-date on the latest vulnerabilities at the application level but also within different public cloud services such as Amazon Web Services, Microsoft Azure and Google Cloud. We haven’t addressed the fundamental shortage of cybersecurity experts, yet we’ve moved the goalpost even further away.”
Stan Black, CISO at security firm Delinea, also sees a lack of cybersecurity and cloud skills at a time when organizations are adopting more of these technologies and attackers are switching their techniques to target vulnerable SaaS-based applications.
“Today’s hybrid security engineer must know how to protect all of the hard targets of the past, plus code scripts and code, and have a handle on Azure, AWS and GCP,” Black told Dice. “They also need expertise hardening Kubernetes and Docker DevOps assets. Being skilled in modern security toolsets for cloud, privileged access and identity management, and real-life implementation of concepts like zero-trust and least privilege, have all become table stakes for operating in today's environment.”
For tech professionals who seek out upskilling opportunities within their organizations (or workers who take time to learn outside of business hours), the potential career rewards remain significant.
“Not only are these skills still in high demand, but skilled individuals in this space continue to command strong compensation packages, even within industries that are hunkering down and becoming conservative on spending in other areas,” Black added. “Having experience and training in these mission-critical areas differentiates the cybersecurity candidate and can move their resume to the top of the list.”
What Cyber Skills Matter?
For those tech and security professionals working for organizations that allow upskilling, several security experts believe learning more about how cloud platforms work can help solidify their knowledge base.
“The key to narrowing the cybersecurity skills gap moving forward is cloud-native engineering knowledge,” John Steven, CTO at security firm ThreatModeler, told Dice. “No, it’s not realistic for organizations to build a team of pro-‘pen testers’ in 12 months, but it is realistic to enhance an engineering team’s awareness of cloud service providers' security controls and enabling security services through cloud providers' training and certification programs. Cloud certifications can guide hiring as well as provide a roadmap for continuing the education of existing staff.”
Other security experts look for even more specific skills. For instance, Grant Kahn, senior director of security intelligence engineering at Lookout, seeks candidates who know specific programming languages, including Python (which he considers mandatory), Go and Java. Other skills include a deep knowledge of Linux as well as some familiarity with Kubernetes.
If a candidate can show they have a deep understanding of how networks work, or detailed knowledge of potential security vulnerabilities within an app, they have a significant advantage over their peers.
“When I hire people, I look for people who were—for example—a network engineer for five years and they found that the most interesting part of the network engineering job was the security part,” Kahn told Dice.
“Or they were an application developer for years, and they figured that the security bits of that were the most interesting and now they want to be an application security person,” Kahn added. “In other words, I look for somebody who's already got the deep technical background and is building security knowledge. That's true in the cloud, too, right? You're going to want to have the understanding of the systems and then the security understanding. Those are separate but related.”