Cyber RangeStrategic ResourcingSecurity Transformation
Article12 minute read

Closing the Cybersecurity Workforce Shortage and Talent Gap

Risk executives are struggling to keep up with an increasingly complex threat environment due to a shortage of cybersecurity professionals and critical skills gaps on existing teams. Discover how creative hiring practices, continuous upskilling and strategic team augmentation can help bridge the talent gap to keep your organization secure and resilient.

In this article

  1. Address the workforce shortage: Think creatively about your hiring and recruiting processes 
  2. Bridge the skills gap: Upskill and retain your current workforce 
  3. Augmenting your cybersecurity team: Use AI and strategic resourcing to overcome workforce shortages and skills gaps
  4. Creating a culture of security
  5. Final thoughts

Our consultants work with security teams at organizations of all sizes, across industries. A persistent and serious challenge we encounter with many of our clients is a gap in critical security personnel, skills and resources. 

Though the cyber workforce is growing each year with more practitioners entering the field, almost half of companies combined have more than 10 unfilled cybersecurity positions; in fact, approximately 4 million additional cybersecurity professionals are needed globally. 

In the midst of growing cyber risks across the board, a majority of cybersecurity professionals reported that their team lacked adequate staff to properly secure their organizations. As a result, cyber employees are often tasked with working outside their proficiency, and using new tools without sufficient training while staying up to date on threats and vulnerabilities that arise daily. 

These workloads leave no time for practitioners to develop the desired skillsets to advance in their careers, leading to high rates of burnout and turnover. As a result, many organizations are scrambling to fill security gaps with limited resources, potentially putting the organization's data and intellectual property at significant risk.

To address these challenges, security leaders must empower their teams with meaningful work, hands-on experience and continuous learning opportunities. By combining creative recruiting and hiring strategies, ongoing upskilling and training, and strategic team augmentation, organizations can build resilient security teams that can effectively navigate the evolving cybersecurity landscape and labor market.

 Address the workforce shortage: Think creatively about your hiring and recruiting processes 

The cybersecurity workforce shortage remains a significant challenge for risk executives. In fact, a staggering 95 percent of cybersecurity leaders have voiced the pressing need for more focused recruiting efforts. So, how can the industry bridge this significant workforce gap? 

It isn't a challenge that any single organization can tackle alone. The answer lies in rethinking how we recruit and hire as an industry by prioritizing diversity, expanding talent pools, and reimagining necessary skills and qualifications.

 Prioritize diversity, equity and inclusion  

We can — and must — do better to promote diversity, equity and inclusion in the industry. For example, according to various industry estimates, women make up approximately 25 percent of the cybersecurity workforce, lagging behind industries like law and accounting. 

At WWT, we believe fostering a diverse, inclusive workforce and culture helps create positive and productive environments for all while positively impacting the communities where we live and work. A diverse team doesn't just bolster internal culture, it also acts as a catalyst for innovation, pushing the boundaries of what's possible in cybersecurity.

As cybersecurity leaders, we have a responsibility — and an incredible opportunity — to shape a more inclusive and secure world. Let's seize it together.

Tapping diverse and underrepresented talent pools

To address the talent shortage effectively, we must look beyond the traditional pipelines that have historically fed the cybersecurity workforce. By tapping into diverse and underrepresented talent pools, the industry can cultivate a wider array of skills and perspectives that reflect the communities and organizations we aim to secure. 

One strategy for broadening our talent pool is building partnerships with nonprofits and educational institutions. These alliances can build a steady pipeline of future cybersecurity professionals from varied backgrounds. For example, WWT collaborates with NPower, a nonprofit organization offering free tech training and job placement services to underrepresented communities, to help encourage individuals from all backgrounds to pursue careers in cybersecurity. Together with other organizations such as Cisco and NightDragon, we are committed to encouraging inclusion, enhancing diversity and raising awareness to close the cybersecurity talent gap — and strengthening the breadth of perspective and talent on our teams.

 Look outside traditional career backgrounds

There's a persistent misconception in the cybersecurity world that all roles require deep technical expertise. However, many cybersecurity positions benefit from skills found outside traditional tech-focused backgrounds. As an industry, we can do a better job of communicating the diverse nature of cybersecurity roles and embracing non-traditional career backgrounds.

Consider mid-career professionals from other fields who show interest in cybersecurity. These individuals can bring unique skills and perspectives that can strengthen specific areas of cyber defense. For example, a lawyer transitioning into cybersecurity might offer valuable insights into policy and compliance processes, enhancing the organization's ability to navigate complex legal landscapes. Veterans can also bring a wealth of leadership, strategic foresight and resilience to cyber teams. Their background in defense operations and their ability to navigate and mitigate complex threats can be highly beneficial in a cybersecurity context. 

 Bridge the skills gap: Upskill and retain your current workforce 

Hiring new talent is only part of the solution. Your cybersecurity team members need opportunities to sharpen their skills, learn new tools and explore specializations to advance their careers. 

However, the current reality is stark. Nearly half of cybersecurity professionals have faced cutbacks at their organizations, which come in various forms including layoffs, budget cuts, hiring freezes or even halts to promotion opportunities. More than one-third reported that these cutbacks included reductions in cyber training programs. Such decisions might provide short-term financial relief but can have long-term repercussions.

Programmatic upskilling will not only make your organization more secure, these efforts will also lead to higher job satisfaction and less turnover for your cyber team while blunting the force of open positions and filling gaps in critical technical skills. 

 Cyber range exercises for skill development

Upskilling doesn't just mean attending webinars or reading the latest industry reports. Hands-on experience is crucial. This is where cyber range exercises come into play. A cyber range is a sophisticated, controlled environment where cybersecurity professionals can practice responding to real-world cyber threats.

These environments offer a holistic educational experience by exposing participants to both offensive (red team) and defensive (blue team) scenarios. By understanding the entire spectrum of cybersecurity operations, professionals can bridge the gap between theoretical knowledge and practical application.

Learn more: See how Oakland County, Michigan, bolstered the cybersecurity skills of employees across its IT department.

One standout feature of cyber ranges is the inclusion of Capture the Flag (CTF) competitions. These events challenge participants to solve complex cybersecurity problems, such as neutralizing emulated ransomware attacks. The competitive nature of CTFs engages participants, testing their skills in dynamic and realistic settings. Post-exercise debriefs and performance assessments aligned with industry standards provide invaluable feedback, pinpointing areas where participants can improve.

Recent surveys indicate that the top three skills gaps in cybersecurity teams are cloud computing security, artificial intelligence/machine learning and zero trust implementation. Cyber ranges offer customizable training environments that target these specific areas, enabling organizations to tailor their upskilling efforts to their unique security challenges and needs.

 Structured and specialized cybersecurity education

WWT Learning Paths 

To upskill effectively, cybersecurity practitioners need a structured approach to professional development that focuses on competencies within specific security domains. WWT built learning paths to provide this hyper-focused, hands-on education and ensure our security consultants, architects and engineers remain at the top of their game. 

Learning paths consist of a series of courses, labs and practical exercises that progress logically from foundational concepts to advanced techniques to help practitioners build a comprehensive understanding of the field. This hands-on practice is essential for learning how to effectively use various cybersecurity tools and techniques, ensuring that skills are not only learned but retained. 

Skill assessments, quizzes and achievement badges are integrated into learning paths to help learners gauge their understanding and track their progress. This feedback loop is vital for continuous improvement, allowing professionals to identify their strengths and areas for further development.

Learn more: Using the ATC and Cyber Range to upskill your security operations team

 Augmenting your cybersecurity team: Use AI and strategic resourcing to overcome workforce shortages and skills gaps

The resource shortage in cybersecurity is nothing new. But the problem often comes down to massive amounts of data and human limitations; in other words, it's not necessarily too few people, but rather too much data. Imagine a tsunami of security alerts, logs and anomalies flooding your network every second. No human team, no matter how skilled, can manually sift through and act on this data with the speed required to stay ahead of cyber threats. That's where artificial intelligence (AI) comes in.

 Overcoming human limitations with AI: Defend at the speed of attack

In today's digital landscape, speed is everything. Cyber adversaries leverage automation and AI to execute attacks faster than ever before. To match this pace, cybersecurity teams must also rely on AI, not just as a tool, but as an essential partner. By automating data processing and threat detection, AI helps organizations defend their networks with the same agility and precision as their attackers. The objective is simple: to overcome human limitations by using AI to analyze, learn and respond in real time, minimizing the time to detect and respond to threats.

AI's capabilities aren't just about reacting to cyber incidents; they're also about predicting and preventing them. AI-powered solutions can detect anomalies and potential threats that might otherwise go unnoticed, allowing cybersecurity teams to focus on higher-priority tasks that require human intuition and expertise. The result is a more effective defense strategy, with AI acting as a digital assistant that continuously monitors, analyzes and alerts human operators to the most critical issues.

 AI in security operations (SecOps): Enhancing efficiency and productivity

Generative AI (GenAI) is becoming a powerful ally for security teams and helps bridge the talent gap by enabling existing cybersecurity staff to be more productive and efficient. GenAI can function as a digital assistant, automating routine tasks such as log analysis, basic threat detection and initial incident triaging. This doesn't just streamline workflows; it frees up human analysts to tackle more complex security challenges and focus their attention on strategic initiatives.

The integration of AI in cybersecurity isn't just a concept. It's happening now, with both custom-made solutions and commercially available tools. Below are some practical use cases where AI is making a tangible difference:

  • Threat hunting: AI can act as a "reader," scanning through news reports, security alerts and global threat intelligence feeds to identify indicators of compromise, vulnerabilities and attack patterns. Once identified, AI can search for these threats within the organization's environment, automating the process of detection and even response.
  • L1/L2 zero-touch helpdesk: AI-based analysts can take on simple yet time-consuming tasks in identity and access management, such as password resets or authentication requests. This helps reduce the burden on human analysts, allowing them to focus on more advanced security threats. This approach not only improves response times but also enhances user satisfaction by providing immediate support.
  • Incident management: AI can rapidly identify the root causes of incidents, especially within critical parts of the network. By analyzing data patterns and correlating them with known attack signatures, AI can quickly isolate the source of a breach, enabling faster containment and remediation.
  • Vulnerability management: AI can automate the process of scanning for vulnerabilities across the network, identifying potential security gaps before they can be exploited.
  • Deepfake and voice clone evaluation: As deepfake technology becomes more sophisticated, detecting these threats becomes increasingly challenging. AI can evaluate deepfake detection tools by simulating real-world scenarios, such as setting up call centers where real and deepfake voices interact. By testing these tools in a controlled environment, organizations can assess their effectiveness and improve their defenses against social engineering attacks.
  • Regulatory response assistance solution (RRAS) framework: Compliance is a critical aspect of cybersecurity, and AI can streamline the process of regulatory response. Using Natural Language Processing (NLP), AI can search through vast data sources to compile the necessary information for audits and regulatory inquiries. Over time, this capability can evolve into continuous compliance monitoring, ensuring that organizations maintain adherence to regulatory standards without the need for manual oversight.

Ultimately, AI doesn't replace the need for skilled cybersecurity professionals; it complements their efforts, allowing them to work smarter and more efficiently. 

 Strategic resourcing

Strategic resourcing plays a crucial role in addressing the cybersecurity skills gap and workforce shortage. Strategic resourcing capabilities are designed to bridge workforce gaps by providing pre-screened IT professionals who can seamlessly integrate into client teams, either on-site or remotely. This approach helps organizations quickly access the necessary expertise to manage and mitigate cybersecurity threats effectively. 

 Creating a culture of security

We believe that building a robust cybersecurity culture throughout the organization, though not easy, is worth the time and investment. A strong cybersecurity posture requires a collective effort. Cybersecurity shouldn't be seen as the sole responsibility of IT or cybersecurity departments. Instead, the most successful security strategies help build a culture that promotes security awareness across all business units. By embedding security into the very fabric of your organization and aligning security with core values, risk executives can foster an environment where every employee feels a sense of responsibility toward protecting company assets.

An innovative strategy to achieve this is to implement a security champion program. Security champions are employees embedded in different departments who understand their unit's specific operational dynamics. They act as the bridge between their teams and the central cybersecurity team, bringing forward unique security needs, concerns and feedback.

This model transforms security from a top-down mandate into a localized initiative. Each business unit gains a tailored security approach, addressing specific risks without compromising operational efficiency. More importantly, this strategy promotes broader buy-in from employees who are more likely to follow security protocols that align with their daily responsibilities and challenges. By making cybersecurity a core element of your organizational culture, you ensure everyone contributes to reducing cyber risks, which helps alleviate some of the strain caused by the cybersecurity workforce shortage.

 Final thoughts

As cyber threats continue to grow in complexity and scale, the cybersecurity workforce shortage presents a significant challenge that organizations can no longer afford to ignore. Addressing this talent gap requires a multifaceted approach that includes innovative hiring strategies, fostering diversity and inclusion, and investing in continuous training and development. By looking beyond traditional recruitment pipelines, embracing non-traditional career backgrounds, and leveraging tools like AI for efficiency, organizations can build a skilled and resilient cybersecurity team. It's not just about filling open positions — it's about cultivating a workforce capable of adapting to and anticipating the evolving threat landscape. 

Secure All Together: 5 Principles for Building a Culture of Cybersecurity
Read More