The Most In-Demand Roles Amid a Security Skills Shortage   

All signs indicate that the current cybersecurity skills crunch will worsen in 2023. There are two major flashpoints:

• Cyber risk keeps growing. Companies need to cover an increasing range of issues, from an expanding attack surface due to the proliferation of hybrid work and collaboration tools; to boom times for ransomware-as-a-service; to heightened regulatory penalties for data breaches.
• Cyber skills scarcity compounds risk. The global cybersecurity job gap is growing twice as fast as the cyber workforce, according to the (ISC)² professional association. This lack of cybersecurity specialists — (ISC)² pegs it at a 3.4 million-person shortfall — imperils cyber defenses and may hinder investigations and time-to-remediation.[1] 

Rather than trying to fill every possible opening, companies increasingly focus on hiring for top skills while managing other staff needs creatively or practically, including with training, automation, and managed security services such as Mimecast’s Email Incident Response solution.

In our view, these are five of the most in-demand roles amid the security skills shortage:

• Security operations center (SOC) analysts
• Incident responders
• Data scientists to help automate many aspects of security
• Data engineers
• Cloud security specialists

Looking at it another way, the Information Systems Security Association International (ISSA) says the most significant cybersecurity skills shortages fall in three areas:

• Security analysis and investigations
• Cloud security
• Application security

Searching for Cyber Skills

The most in-demand roles are described in more detail below:

• SOC analysts and incident responders: The persistent threat of ransomware attacks propels interest in staffing these frontline positions, whose day-to-day responsibilities include threat analysis and identification of vulnerabilities, according to the State of Cybersecurity 2022 report from the ISACA IT professional organization.[2] Understanding how to detect, prevent, and respond to ransomware attacks is highly valued.
• Data scientists and engineers: In the big data era, data science is critical to digital operations, particularly for insights from analytics, machine learning, and artificial intelligence (AI). The U.S. Bureau of Labor Statistics says 36% more data scientist jobs will be created by 2031. It’s rare to find someone with the combination of extensive programming skills, statistical knowledge, and cyber domain expertise. Also much in demand are data engineers, whose responsibilities include collecting and preparing raw data to be used by data scientists and others.

Cloud security specialists: As cybersecurity defense tactics shift to protecting cloud-based applications and data, cloud skills become a higher priority. In-demand positions involve designing cloud security architecture and establishing related DevSecOps, based on knowledge of standards, frameworks, and enterprise technology. Some lower-level cloud security positions can be filled via training in administering public cloud platforms.  

Hiring Matters

What's driving the ongoing hiring challenges? Issues include:

• Compensation: An ISSA study of cybersecurity professionals worldwide reports that the “cybersecurity profession remains systemically undervalued.”[3] For example, cybersecurity professionals believe they are underpaid, and higher compensation motivates 33% of CISOs to switch employers. 
• Job expectations: One of the most provocative points in the ISSA study is that HR and cybersecurity teams are “misaligned” about necessary job skills. Recruiters need to be more realistic about the experience levels required to do the work, the study says. ISACA’s State of Cybersecurity 2022 report adds, “The ongoing struggle between employers and employees is influencing staffing levels.” For example, trying to squeeze more effort out of existing workers isn't likely to help with retention. Most security professionals report that they already feel overburdened by their existing work.

Many managers understand these limitations and opt to boost training budgets to deepen the cybersecurity skill set of their current workers. They are also increasing automation to help ease the burden and increase security teams’ operational efficiency. For instance, AI-powered scanners can even detect and block zero-day attacks that have never been seen before by threat researchers, and some of these scanners are designed to identify threats without creating burdensome false alerts. Other companies attempt to fill their cybersecurity skills gaps by employing managed security services.

The Bottom Line  

Given that buying a newspaper ad or holding a (virtual) job fair is unlikely to produce the desired results in hiring cybersecurity specialists, where does this leave employers? Though it helps to have deep pockets, big companies haven't cornered the cybersecurity talent market, and compensation isn't rising as rapidly as one might expect. According to hiring managers, perks such as enabling talent to work remotely can move the needle in hiring and retention. Employing far-flung employees can deliver the added benefit of paying salaries that may lag those in urban centers. 

But clearly, there's no silver bullet to solve the cybersecurity skills shortage, which some observers say is in its sixth year. Prioritizing the most critical skill sets can help companies focus their recruitment and hiring efforts, while they also shore up security teams with training, technology, and managed security services. Read about one option: Mimecast's Email Incident Response service.

^[1] “(ISC)² Research Reveals the Cybersecurity Profession Needs to Grow by 3.4 Million People to Close Global Workforce Gap,” (ISC)²

[2] “State of Cybersecurity 2022,” ISACA

[3]“Cybersecurity Skills Crisis Continues,” Information Systems Security Association International