With times of economic uncertainty on the horizon, ongoing talk of the ever-present skills gap and layoffs across many industries, cybersecurity professionals are wondering what to expect in the coming year. Will cybersecurity jobs be cut despite the need to protect our digital lives and secure our information?
ISACA caught up with experts in the field to discuss the trends and outlook for cybersecurity jobs, tips for those who are new to the field, and advice for those who are looking to fill open cybersecurity positions on their teams.
Cybersecurity professionals are key to business success
Cybersecurity is known as the practice of protecting networks, systems, devices, programs, sensitive information and other data from criminal or unauthorized use and digital attacks. Given this definition, as the world continues to advance digitally and people spend more of their lives online, this professional field is essential to the success of virtually any organization. The business world has solidified its presence online, which solidifies the need for cybersecurity. And as businesses grow and expand digitally, so too will the demand for cybersecurity professionals grow and expand.
Survey reports like ISACA’s State of Cybersecurity have revealed that IT and digital trust professionals who have a mix of technical and soft skills, including communication and critical thinking, are in high demand. Candidates who demonstrate proficiency in both areas of skill will have a competitive advantage among other applicants, as will those who have earned relevant cybersecurity certifications. Common jobs in cybersecurity include cybersecurity engineers, information security analysts, penetration testers and security architects.
What will the cybersecurity job market look like in 2023?
According to the US Bureau of Labor Statistics, cybersecurity employment for positions like information security analysts is predicted to grow 35 percent by 2031, and the average cybersecurity salary for such a position was US$102,600 in May 2021.
Jeff Combs, cybersecurity recruitment expert, career advisor and founder of J. Combs Search Advisors, has a mixed outlook on the coming year for cybersecurity jobs. “Because so many companies tended to over-hire or overreach last year, there’s a lot more scrutiny around headcount budgets,” Combs says. “The budget process and the approval for headcount is taking longer, being scrutinized and requiring more business justifications, because other organizations within the companies need those resources.”
Despite that, Combs and other experts are predicting a year of steady hiring for cybersecurity roles. While high levels of growth are not necessarily expected, Combs says the focus will shift toward hiring for more strategic and critical roles, though he worries what this will mean for recruiting. “Because so many companies have ripped their recruiters from their talent acquisition teams, there is going to be far less touch, and it is going to amplify the disconnection,” he says. “I think there’s going to be a lack of responsiveness, and there’s going to be an increasing frustration in talented people who aren’t getting seen just because there’s a lack of bandwidth.”
With reduced support in the talent acquisition area, companies are going to potentially rely more on automation tools, making it harder for applicants to stand out. Combs and other career strategists are advising that cybersecurity job candidates take more time to prepare for and align themselves with opportunities and interviews to set themselves apart from their competitors.
Advice for new cybersecurity professionals
Cybersecurity is an attractive field for a number of reasons—high salaries, remote work, in-demand jobs, and the chance to make a positive impact on the world—and many people want to break into the industry. As with most worthwhile endeavors, this is easier said than done, but it is certainly possible with the right work ethic, commitment, skills and knowledge.
“Gut check your passion and interest level if you’re going into this field,” Combs says. “It’s going to be a long game, and it’s going to be a hard, long game. You have to be somebody who is willing to invest the time and energy, especially without a lot of gratification, to get to that point where you’re making a difference.”
For someone who is looking to start out in cybersecurity, a direct admit role to security is rare, especially as it bypasses the potential growth and opportunities to learn from other positions. Combs recommends finding a path through systems administration or another foundational area that provides contextual information to build on. “You can’t protect an entity if you don’t understand the systems that comprise the entity,” he says.
Even as professionals become more experienced in cybersecurity, they must remain committed to their specialization with or without constant acknowledgment of their success. “It is an exciting field, but it is a thankless field,” says Combs. “On your best day, nothing happened. And then on your worst day, one shift where something happened, everybody’s like, ‘Why did you let this happen?’ But you’re like, ‘Nothing happened all those other days!’”
With more open-source learning and professional development resources available than ever, Combs advises up-and-coming professionals to take advantage of all of them, but advises against bootcamps that make assertions of guaranteed employment. Instead, he suggests attending networking events, job fairs and conferences, and starting to develop connections with mentors, peers and other industry connections.
“To be valuable, you have to solve problems, and to solve problems, you have to have people who are willing to give you the opportunity to learn what those problems are,” says Combs.
Tips for filling gaps in cybersecurity teams
Just as new cybersecurity professionals are looking to find their fit into a security team, organizations are always looking to fill the gaps in those teams. The problem is knowing where to look to find the right talent that fits their team. A balance of technical and soft skills is a must, but how can recruiters find an experienced candidate who is perfect for their enterprise? There are several avenues of securing qualified talent, including upskilling current employees, mentorship and transparent hiring practices from partnered recruiters.
“We do not have a shortage of talent and enthusiasm in the field of cybersecurity,” says Michael Argast, co-founder and CEO of Kobalt.io. “We have a resource allocation problem.”
When a gap becomes apparent on a security team, many fall into the trap of immediately looking for a new hire to fill that gap; however, investing in the team by upskilling current talent can help close that gap. Providing team members with the opportunity and resources to earn relevant certifications can grant them the knowledge and skills the team is missing. Additionally, supporting attendance of industry conferences and professional development courses, and training them for the position that is needed, takes advantage of the talent that is already present.
Training is key for when it is time to hire new talent that does not yet have the desired experience level. Young professionals are often overlooked in favor of chasing after talent with more experience, but with the proper training program and professional mentorship, newcomers to the field can grow to become the very experienced experts the team desires.
“Hiring managers should open up to young talent,” says Argast, “and managers and supervisors need to be prepared to develop and mentor less experienced hires.”
As for the job descriptions themselves, they need to be of high quality and must articulate the role, responsibilities and opportunities for growth. Realistic expectations as far as experience and education profiles must be set.
“Humanize and calibrate the job description,” Combs says. “Be conscientious in the information you’re putting out there, not because there’s any great risk to the enterprise, but because you’re trying to attract people that matter.”
What also often matters is the relationship with your recruiter, because the value they bring to the security team is indispensable. And that is what the true next step is, if it has not already been done: integrating the internal recruiter into the security team. Recruiters need to be integrated, empowered and educated with contextual information about which candidates are stronger than others and why. Doing so will allow them to become experts in the process and, ultimately, more effective in their role.
“When you go through the interview process, debrief, discuss the feedback,” Combs encourages. “Stop treating recruiters as transactional.”
This emphasis on treating people like people, recognizing their talent and giving them the opportunity to learn and grow will prove to be essential in cybersecurity, regardless of the hiring landscape in a given year. As cybersecurity professionals remain in demand due to rapid digital transformation and a growing threat landscape, organizations must be willing to take chances on young recruits, value their security teams, and invest in the continued professional development and education of their professionals in order to survive fluctuating economic circumstances.
Editor’s note: For more information about professional development through mentorship, learn about ISACA’s Mentorship Program.