CyberWire Daily - Solution Spotlight: A first look at ISC2's 2024 Cybersecurity Workforce Study. [Special Edition]
Episode Date: October 14, 2024
In this special edition of Solution Spotlight, join us for an exclusive conversation between ISC2's Executive Vice President of Corporate Affairs, Andy Woolnough, and N2K's Simone Petrella. Together, they take a deep dive into ISC2's 2024 Cybersecurity Workforce Study, offering a first look at the most pressing findings. Discover insights from a survey of 15,852 cybersecurity professionals and decision-makers across the globe, including the size of the current workforce, the demand for more professionals, and alarming trends around layoffs, budget cuts, and skills shortages. Andy and Simone also explore the growing disconnect between the skills in high demand by hiring managers and those that cybersecurity pros are prioritizing. Learn why organizations must take immediate action to foster talent and bridge these skills gaps to meet the industry's evolving needs. Plus, today marks the start of the ISC2 Security Congress 2024! Whether attending in person or virtually, this event is packed with opportunities to engage with industry experts and further your knowledge in cybersecurity. Tune in for actionable insights and exclusive details on the state of the cybersecurity workforce and how your organization can stay ahead. For more information on ISC2 Security Congress 2024, visit the event page here.
Transcript
You're listening to the Cyber Wire Network, powered by N2K.
For this N2K CyberWire special edition, on our Solution Spotlight, N2K President Simone Petrella speaks with Andy Woolnough,
ISC2's Executive Vice President of Corporate Affairs.
They're discussing ISC2's 2024 Cybersecurity Workforce Study.
Well, I am thrilled to be joined today by Andy Woolnough.
Thank you so much for joining me today, Andy.
Thanks for having me. I'm looking forward to it.
Yeah, so I want to start because ISC2, just in September, put out your annual workforce study, or at least the first look of it.
And before we dive into it, can you tell me a little bit about the history of ISC2 and doing these workforce studies
and why it's so important for the organization to kind of have a finger on the pulse of the global profession like you do today?
Sure, I'm happy to. Thanks for the question. So very briefly, the Workforce study is, I think,
about three or four years old now. It was started by clever people before I joined,
so I can just take the credit of their work. They're not here to defend themselves.
Exactly. So, you know, as you know, ISC2 is one of the world's largest membership associations for cybersecurity professionals. certain issues on a regular basis so that we can feed that feedback back into a number of places
within our own organization in some of the professional education and learning and
development tools that we offer our membership. So we can feed it back into governments as they're
thinking about policy, especially around important areas like AI, but also as they think about developing
their workforce in cybersecurity as well. So we can feed it back into organizations who we work
with, who are, you know, in financial services or in energy or government or wherever it is,
so they can understand what's going on with cybersecurity professionals. But also,
it's a really important benchmark for a number of tangential issues that we see in cybersecurity
around things like burnout in the profession and the sorts of things that cybersecurity people are
looking at. Things like investment in cybersecurity teams,
both in career investment, but also skills training and development,
what skills are important to cybersecurity professionals
and hiring managers so we can try and match them up there,
but also important topics like DEI
and what the state of the diversity and inclusion in cybersecurity is.
So it tells us all of these things on an annual basis.
One of the things that I think really struck me this year was that the study indicated that this was the first year
that the cybersecurity workforce growth has stalled
with a relatively modest, if almost insignificant,
growth of like 0.1%.
So we're kind of stuck at 5.5 million global professionals.
What do you think are some of the reasons for that stagnation this year?
Well, so what the recipients told us was for the first year,
it wasn't so much a lack of talent that they were seeing was stalling the workforce,
but a lack of investment. And they thought that it was attributable mainly to economic conditions that
we're seeing around the world. Now, it's important to note there was nuance within that. We didn't
see stagnation throughout the globe. We measure a number of different countries and we look at
sort of recipients from Australia all the way through Europe into Africa and to the
United States. And yes, large markets like the US, the UK were fairly stagnant. And that's important
to know that that's probably off quite a high base as well. You know, those are quite developed
markets when it comes to cybersecurity in relative terms.
Where we see a lot of growth was in some parts of Europe
and places like the Netherlands and Germany,
but also in Australia.
But big, big growth in places like Saudi Arabia and South Africa.
And we think that that's down to the stance that governments and organizations are sort of taking in those markets to try and grow and develop their workforces.
In Australia's case, it could be that they're part of the Five Eyes.
They're quite close to China and other places like that.
And so that could be playing a role there.
But the stagnation was, yes, you're right, very much sort of in the more developed markets in the U.S. in particular.
And I want to get back to some of the global perspective that you all have captured in this study because I think it is fairly unique.
I don't know if I've seen many that do it really truly kind of as a far as the U.S., of cybersecurity talent at the entry level.
But then when you get to the mid and senior levels, that's actually where the gap continues to either hold steady or even increase slightly.
So we're not doing a great job of pulling people through, which to me indicates sort of some of that,
what you're hearing from some of the respondents around maybe a lack of investment or some budget constraints or things like that.
Yeah, I think that's right. And I think, you know, we talk a lot about attracting new talent
into the cybersecurity workforce. And when you think of new talent, it doesn't have to be sort
of graduate level, you know, young 18 to 21 year
olds. We're seeing a lot of, a lot of recipients of our Certified in Cybersecurity entry-level
certification as being sort of 39, 40. And so that suggests to me that, you know, people are
getting so far in tangential or adjacent professions and then thinking cybersecurity
looks really great.
You know, I might want to try some of that.
But you're right.
I think then, you know, you're experiencing
a lack of investment in the development
of that workforce to retain them.
I think, you know, what we found was
we saw quite a lot of hiring freezes this year.
So about 38% of our
respondents reported hiring freezes, 25% layoffs, 32% seeing fewer promotions.
And by promotions, I think that sort of encompasses career development in general.
So once you're in, I think there's a lack of mobility and movement in part due to a lack of investment from organizations. And I think in some respects, that could be down to a lack of
awareness of what cybersecurity's role is in terms of business growth and development.
Somebody once said, if you need a fast car,
you need good brakes.
And we always look at cybersecurity
as being the good brakes to the fast car.
It's an enabler of innovation.
It's an enabler of growth.
But I think a lot of the organizations
see it as more of a compliance function.
And I think the more that cybersecurity
professionals can demonstrate
with their sort of CFOs and the higher-ups
that they are a critical
part of the innovation
cycle, of the revenue cycle,
the better it will become for them
and the easier it will be to be invested
in. But I agree, we're certainly seeing
and what people are reporting back
to us on is that lack
of growth
when they're in the profession.
And I think also, I mean, you would know this better than I would, but I think DEI comes
into this as well in terms of women and people from sort of non-traditional pathways into
cybersecurity getting in and feeling that their pathways may be a little bit blocked
because, you know, cybersecurity doesn't quite know how to grow and develop those kinds of
people as well.
And so I think that plays a big role in everything we're seeing.
Yeah, it, you know, it's impossible for me to not think, especially when we kind of compare
where the US is, where the rest of the globe is, as you did this survey. How much do you think kind of government advocacy, legislation and kind of government just initiatives in kind of driving, putting a priority on this is impacting how we actually view the profession, its evolution versus it kind of self-constructing itself?
You know, we put a lot of onus on the profession to be like,
yeah, like, make sure that we know that everyone takes this seriously and it's part of the revenue and we're the good brakes
and everyone can go faster.
But, you know, many times I think that's a hard sell at the boardroom level.
And we tend to have more sticks than we do carrots.
Yeah, I think that's right.
I think partly it's around the skills cybersecurity people want to develop.
So within the study, this shouldn't be interpreted,
what I'm about to say shouldn't be interpreted as a lack of ambition or career development.
But cybersecurity people, a lot of them came back and said, look, we're not necessarily interested in promotion.
We're not necessarily interested in getting that senior title or becoming a CISO or whatever it is.
Our great skill is, our love is the job.
It's developing, you know, the systems and almost the intellectual kind of cut and thrust of keeping an organization safe, detecting threats,
understanding algorithms, looking at really clever ways to stop very clever people doing very,
very damaging things. And that seems to be what drives a lot of people
coming into cybersecurity.
And then when you say, oh, by the way,
you're stressed, you're burnt out,
you don't have a lot of resources,
now go and manage those 25 people
and write loads of reports and live in Excel.
That doesn't seem to be a particularly high motivator
for a lot of cybersecurity professionals.
And so one of the skills I think
that is lacking within the profession is that ability to contextualize cybersecurity within
the business and as a business driver. And so I think, you know, that's an area that if you want
more investment, you've got to be able to convince the CFO. It's as simple as that.
And if you're not convincing the CFO,
then you're not going to get very far.
And so I think, you know, if there was one area
that I think cybersecurity people could really sort of look at
and demonstrate that they've got an awareness of
is that ability to contextualize what they do,
you know, how it's going to help support revenue growth,
how it's going to, you know, develop a long-term work plan
that can bring more talent in at the right levels,
and then automate systems through AI or whatever it is
so that you can actually reduce the budgets
and do everything you wanted to do,
but on better terms for the business.
So I think it's about having those kinds of conversations
to help support the inward investment
into cybersecurity teams.
We'll be right back.
One of the things that I know came out in the first look of the study was around the shortage of key skills, but maybe more interesting was the divergence
between what professionals see
as some of the major skills gaps or shortages
versus maybe what HR departments organizationally view
as the key skill divergences.
Can you highlight maybe a few of those discrepancies?
And then maybe my second part would be,
and for those who are members of ISC2
or who are considering being members,
what are some of the areas that you view being most critical from a skills development perspective for the cyber profession?
Yeah, so I think there was that disparity between what hiring managers and the HR teams wanted and what professionals thought were important.
The professionals themselves thought that communication skills,
cloud computing skills, AI skills, and GRC were among the most important,
whereas hiring managers prioritized, yes, they prioritized communication skills,
maybe a little bit less, but it was still important.
But cloud computing, AI, and GRC were really, really low.
And so what that says is that the disconnect means that what's coming into the organization
and what's being looked for isn't necessarily going to fit in automatically
with the teams that are receiving those skill sets.
We haven't gone too deeply into why that is happening, because that would involve then
also surveying HR teams and so on.
So we're not doing that at the moment.
But what it demonstrates is there needs to be a much greater alignment
between the hiring functions and talking to the individuals within those teams
and finding out what they're dealing with and the areas they feel that they are lacking
in order to then go and hire the right kinds of mixes.
You know, they're still getting the cloud computing skills in.
It's just maybe not to the right level
or the right volume that they're requiring.
And that's putting more stress on the existing teams
who are having to sort of cover those shortfalls,
while also being told, well, we've hired, you know, what's the problem?
So I think there needs to be that sort of more tight alignment
between what the teams themselves are saying and the HR process.
Totally fair.
I also think we've won the record for going the longest on a cybersecurity podcast
without saying the term AI.
So I'll jump on it now.
I know. Can you believe it took us this long?
I think I've said it.
I think I've said it.
Sorry.
But, you know, while we're on it, how do you view some of the emerging innovations in AI and automation?
And what impacts do you think that they'll have on the cybersecurity workforce over the next few years?
Yeah, we're at the foothills of AI
within our own organization
and also sort of measuring its impact.
And I think that's largely
because I think a lot of organizations are.
You know, we're seeing the full range of organizational stance on AI. You know,
a lot of organizations are really rapidly adopting it, and it's almost like a bit of a free-for-all.
Some organizations are sandboxing it and looking at it within certain environments in order to
sort of control it.
Some are waiting to see.
So the organizational stance
is quite varied and then the cyber teams within
that have to make sense
of that.
I think what
cyber security professionals
are saying to us is that they see
both threat and benefit from AI.
So it is a tool.
As a tool, it has its utility
and it can also be misused and it can be used.
And I think how different groups are using it
and misusing it depends on the situation.
I think what we're being told
by the professionals themselves
is that there needs to be very clear organizational policy.
And if we can start to put some policy ethical use cases and guidelines around the use of AI
that fits the organization and its industry and its risk appetite, then that will make it easier
for the cybersecurity teams to start to administer it.
So I think that they're seeing it very much in the very logical way that cybersecurity people see things.
You know, it is a tool.
It needs policies.
We need to have an ethical use case around it.
And they should be involved in that.
But it's not just their decision.
You know, the business as a whole
needs to have a point of view about AI,
especially around its ethical use. And that needs to be based on its risk appetite and the industry
it's in. And if that's not coming down from the board or from the management team, then it's very,
very difficult for cybersecurity people to manage it. So I think, so those are some of the things
we're sort of hearing back as AI develops. You know, one of the things, and maybe the last question I'll leave us with, because
I think it is related to your answer.
I have been so impressed over the last few years, in particular, ISC2 has been very adamant
about really proclaiming and moving away from the term cybersecurity industry, which is
someone who grew up in the space, is what we kind of refer to ourselves as,
being in the industry,
but now to sort of evolving into we're part of a profession.
And so what you're describing
and kind of like those codes and the ethics
and kind of what governs
as some of these new technologies come out,
I guess my kind of parting question is,
where does ISC2 see itself really sitting in relationship to its membership,
the professionals, and then the organizations and the governments that are grappling with how to
kind of systematically address some of these issues, whether it's with the workforce, the
advent of AI, you know, but anything else that affects our cybersecurity in general?
Wow, great question. I'm leaving you with a big one.
Thank you.
And I've suddenly got agoraphobia
because my answer can go
in all sorts of different directions
and it's probably not even going to cover half of it.
So thank you for that hand grenade at the end.
No problem.
I love that question.
So you're right.
I think it's got to be seen as a profession.
And if you look at risk and compliance at the board level,
you can't move for financial managers, legal managers,
but where are the cybersecurity people?
And data and information is so critical to every organization.
It's more important than anything else.
And there are so many sort of risk points
that it can be misused and leak and what have you.
And so I think, you know, the recognition
that cybersecurity and information security,
you know, plays that critical role in the organization,
I think is slightly lacking.
You know, there's very little cyber experience
at the board level across the industries.
So I think that is a problem.
And also, I was talking today to another conversation I was having,
and it occurred to me that cybersecurity is a little bit like air traffic control in that, you know, it is a high stress. So much relies on cybersecurity
to get it right. And when it goes wrong, it can go really, really wrong. And that comes with
burnout, that comes with stress, that comes with, you know, high degree of training, a high degree of technical expertise, you know, it really does need to be recognized as the profession it is.
And then sort of frameworks put around that in a much more defined way
that controls sort of who can get in, you know, without lowering,
keeping the gate broad without lowering the standards
is something we're all trying to do.
But then help, you know, there is, if you look at the law, legal profession,
there's any number of structures in place, you know,
codes of ethics and training and degrees and, you know, lawyers, barristers, solicitors,
they're very, very supported in their profession.
They have, you know, sort of liability insurance.
They, you know, it's a very, very well-tried
and trusted risk profession that is hundreds of years old.
And I think the sooner we can get to somewhere near that
for cybersecurity professionals, the better.
And that involves organizations like ours,
pushing the agenda and making sure that governments
and other organizations recognize that.
The UK's chartering cybersecurity professionals at the moment,
which is, again, another step in the right direction
of ensuring that cybersecurity professionals
are recognized.
Their work to get to where they got to
is very, very important.
And therefore they have obligations,
but also they have resources
that they can benefit from
and support they can benefit from.
And organizations like ours
that need to pull together things like
global codes of ethics, and, you know, we've got all these members who are very willing and able to volunteer for us, so
what they think matters and that should all go into those, you know, ethical canons.
And then, you know, yes, the work the governments are doing. You know, we have a very sort of strong advocacy arm
which works with governments across the world
to try and have these conversations
to help the profession be sort of put up there
with accountancy, with financial services, with legal
as a very high value and very well-respected
professional standard. So sorry, that was a bit long-winded. And I tried to sort of
pull all the thoughts I had together into one kind of package. No, well done.
I know I threw you out there with the last one.
But Andy, thank you so much for joining.
If you want to go check it out,
ISC2's 2024 State of the Cybersecurity Workforce Study is out now.
Do you want to throw a URL
that people can go access the study?
The first look is out on our website.
We're actually releasing the full study after Congress,
which is next week.
So we have our annual Congress in Las Vegas next week, and then the study's being launched after that. So
we'll make sure we send you a copy. Wonderful. Well, looking forward to it. Thank you so much
for joining, Andy. Thanks for having me on. It was great fun.
That's N2K's Simone Petrella, along with Andy Woolnough from ISC2.
He's Executive Vice President for Corporate Affairs.
You can find a link to ISC2's 2024 Cybersecurity Workforce Study in our show notes.
Thanks for listening. We'll see you here next time.