
Security eMagazines


December 2022


By Maria Henriquez, Associate Editor

(ISC)² estimates the global cybersecurity workforce in 2022 to be 4.7 million, an 11.1% increase over last year, representing an additional gap of 464,000 more jobs, according to the fifth annual (ISC)² Cybersecurity Workforce Study.

The study surveyed 11,779 international practitioners and decision-makers to gain insights into working in the modern cybersecurity profession. This report highlights hiring and recruiting trends, corporate culture and job satisfaction, career pathways, certifications, professional development, how the workforce is adapting to current events, and what the future of cybersecurity work looks like.

To calculate a global workforce estimate and gap, (ISC)² uses a proprietary methodology that integrates primary and secondary data sources to extrapolate the number of workers responsible for securing their organizations.

The organization observed growth in cybersecurity positions across all regions, with Asia-Pacific (APAC) registering the most significant growth (15.6%) and North America the least (6.2%).

Image courtesy of sanjeri / E+ via Getty Images

Addressing the Cybersecurity Workforce Staff Shortage


Images courtesy of (ISC)²

While the cybersecurity workforce is multiplying, the number of positions to fill is increasing even faster. (ISC)²’s workforce gap analysis indicated that despite adding over 464,000 workers in the past year, the gap has grown twice as much as the workforce, with a 26.2% year-over-year increase.

Approximately 70% of cybersecurity workers feel their organization doesn’t have enough cybersecurity staff to be effective. The shortage is especially severe in the aerospace, government, education, insurance and transportation sectors.

A cybersecurity workforce gap threatens the most foundational functions of the profession, such as risk assessment, oversight and critical systems patching, according to the study. More than half of employees at organizations with workforce shortages feel that staff deficits put their organization at a “moderate” or “extreme” risk of cyberattacks. In addition, that risk increases substantially when organizations have a significant staffing shortage.


Images courtesy of (ISC)²

Compared with last year’s report, more cybersecurity professionals indicated that their organization encountered issues, such as a lack of proper time for assessment and oversight of processes, slow patching of critical systems and inadequate time and resources for training due to staffing shortages.

Addressing the Cyber Workforce Gap

Why does this workforce gap exist? How can organizations best mitigate it? Some factors are out of an organization’s control — demand for cybersecurity employees is bound to increase as the threat landscape continues to grow, and supply can’t always keep up. The inability to find qualified talent was cited most frequently as a challenge by organizations with cybersecurity staff shortages. While this may be the most common challenge, it is not the most impactful.

To better understand what challenges are linked to the biggest staffing shortages, (ISC)² examined what percentage of employees at organizations with those issues had significant staffing shortages. This analysis suggests that the most negatively impactful issues are ones that organizations can control: not prioritizing cybersecurity and not training staff or offering opportunities for growth or promotion. However, finding qualified talent was the least impactful problem based on this analysis.

Image courtesy of (ISC)²


Organizations’ attempts to mitigate staff shortages are not always effective. Although almost all initiatives positively impacted staffing, the study found that organizations with initiatives to train internal talent — rotating job assignments, mentorship programs and encouraging employees outside of cybersecurity to join the field — were least likely to have shortages.

These initiatives are particularly impactful for larger companies — only 49% of companies with 1,000 or more employees who had implemented all three internal training initiatives had staffing shortages compared with 77% of those who had implemented none.

However, internal training initiatives were not the most commonly adopted ones; many of the most effective initiatives had the lowest implementation levels. The initiative with the lowest impact is outsourcing. Respondents at organizations that were outsourcing cybersecurity were slightly more likely to see a shortage in staff.

Automation is becoming more prevalent in cybersecurity as well — 57% have adopted it, and 26% plan to adopt it in the future. While it isn’t likely to replace cybersecurity workers at any time in the foreseeable future, automating consistent and repeatable processes frees workers to focus on higher-level tasks. This may, in turn, reduce staffing shortage issues without requiring additional staff.

The study found that cybersecurity hiring managers with a strong working relationship with their human resources (HR) department were far less likely to have significant staffing shortages at their organizations. However, only 52% of respondents said that hiring managers have a strong working relationship with HR, and 40% of hiring managers said that the HR department at their organization does not add value to the recruiting process.

What the Cyber Workforce Gap Means for Organizations

Combatting staffing shortages is no easy task, but there are three key places where organizations can focus:

  1. Understand what your gap is. Senior-level practitioners in the study were more likely than managers or executives to say their organization had a staffing shortage. This suggests that those making decisions may not always fully appreciate what frontline cybersecurity professionals are experiencing. Decision-makers should make sure they are actively listening to employees to understand if and where there are staffing shortages.
  2. Emphasize internal training. The most impactful organizational initiatives in reducing worker shortages were those that took advantage of internal talent with programs such as rotational job assignments, mentorship and encouraging non-IT employees at the organization to learn about cybersecurity. The challenges that were most associated with high staffing shortages were a lack of emphasis organization-wide on cybersecurity, insufficient staff training and a lack of pathways for growth.
  3. Work with HR, not against them, when hiring for cybersecurity. Hiring is a challenging process. While cybersecurity hiring managers know best what candidates to look for, HR managers are more likely to have the expertise to find and attract those candidates. Therefore, cybersecurity organizations need to build effective working relationships with HR or risk having significant staffing shortages compared with those who have built a strong relationship with HR.

For more information, visit www.isc2.org.

The COVID-19 pandemic demonstrated how emerging biological threats can cause catastrophic loss of life, economic damage, societal instability and global insecurity. As a result, monitoring for and warning about the threats of infectious diseases and other global health risks need to be given higher priority.

Biological threats can include naturally occurring outbreaks of pathogens, such as Ebola; biotechnology, such as gene modification and genetic data; and bioweapons, such as anthrax. Biological threats are a serious national security challenge that the United States and the international community need to prepare for, according to the U.S. 2018 National Biodefense Strategy.

According to the U.S. Government Accountability Office (GAO), which tracks emerging biological threats, pathogens are often stored in laboratories that can lack appropriate biosafety or biosecurity measures. The lack of proper safety and security measures raises the risk of either an outbreak through an accidental pathogen release or the diversion of a pathogen by actors such as terrorist organizations — which increases the risk that another public health emergency like COVID-19 occurs.

In the future, biological threats can introduce new risks for which federal agencies with a role in responding to biological threats will need to prepare, GAO notes. Medical intelligence — which includes the collection, evaluation and analysis of health threats and issues — is crucial in addressing these global health risks and plays a vital role in helping the U.S. prepare for them.

To ensure preparedness for biological threats in the future, U.S. federal agencies and the international community need to implement a number of actions, including:

  • Developing an integrated and comprehensive biodefense strategy.
  • Assessing biodefense capabilities and gaps.
  • Providing guidance on how biological threats should be incorporated and prioritized in joint exercises.
  • Clarifying roles and responsibilities to enhance coordination.
  • Reviewing whether additional guidance is required to coordinate the sharing of medical intelligence.
  • Establishing procedures for conducting outreach to share medical intelligence.

For more information, visit www.gao.gov.

imaginima / E+ via Getty Images

Enhancing Biological Security Preparedness


In an increasingly complex risk environment, a number of global organizations have insufficient approaches to risk management and immature enterprise risk management (ERM) processes.

The 2022 Global State of Risk Oversight: Managing the Rapidly Evolving Risk Landscape report, commissioned by the AICPA & CIMA and North Carolina State University’s Enterprise Risk Management Initiative, surveyed 747 global senior finance and business leaders in 2022. The survey measured executives’ assessments of the level of maturity in their organization’s proactive management of risks through the adoption of ERM processes, which can help to look at risk management strategically from the entire firm’s perspective.

The report revealed five overarching ERM themes that emerged from the survey data:

1. Business leaders sense that their risks are quickly increasing; however, most do not think their risk management process is mature or robust.

Increased uncertainty and evolving events, including geopolitical shifts, supply chain disruptions, talent competition, increased available data, climate change concerns, and the global pandemic, continue to increase the complexity of risk challenges. Yet, for most regions of the world, only 25% of organizations have complete ERM processes.

2. Most organizations struggle to integrate risk management and strategic decision-making activities, leading to a perception that risk management does not provide a competitive advantage.

Many organizations’ risk oversight and strategic planning efforts seem separate and distinct. For example, less than 50% of respondents believe their risk management approach provides strategic advantages. That percentage is noticeably lower for organizations in Europe, the U.K., and the U.S. Approximately 50% of organizations believe their risk management processes concentrate on emerging strategic, market or industry risks.

3. An organization’s culture may limit progress toward risk management improvements.

Several potential obstacles within organizations limit progress toward improving risk management processes. Most organizations do not incorporate explicit risk management responsibilities in performance compensation plans, and less than 33% of organizations have supplied formal training and guidance on risk management.

4. The need for more advanced risk oversight is becoming clear.

Fewer than 50% of organizations have regular and robust reporting of top risks to the board on an ongoing basis. Organizations acknowledge the need to strengthen their business continuity planning processes, particularly those in Asia, Australia, Africa and the Middle East. Calls for enhanced risk oversight are strong between boards and chief executive officers (CEOs)/presidents.

5. Risk management practices may not keep pace with the speed of risk.

Approximately 50% of organizations outside Europe and the U.K. have appointed a senior management executive to lead the risk management process, and more than 33% of organizations in Europe and the U.K. have done so. In addition, less than 50% of organizations maintain risk inventories at an enterprise-wide level.

These five themes highlight several realities of current risk management processes in organizations worldwide. Business and security leaders can ask themselves the following questions to evaluate their organization’s preparedness for addressing the risk landscape:

  1. Is the organization’s approach to risk management delivering robust risk insights helpful for strategic decision-making?
  2. To what extent has the leadership team been blindsided by unanticipated risks that management failed to see in advance?
  3. Would most of the leadership team describe the approach to risk management as ad hoc and informal? How would the description vary if individual members of the board or senior management are asked to respond?
  4. Who among the management team can be viewed as a risk champion — who can help advise and coach the leadership team to oversee future risks? Does a lack of risk leadership impede risk management effectiveness?
  5. To what extent does management’s identification of critical risks tend to focus on already known or well-understood risks? To what extent is the risk management process helping management identify unknown risks?
  6. Does senior management agree about the top risks most important to the organization?
  7. How does the senior management team incorporate risk perspectives into all strategic planning, budgeting, or capital allocation processes? When evaluating strategic alternatives, does the strategic planning process assess the nature and extent of risks identified by the risk management process? Are top risks a critical input to the strategic planning process?
  8. How confident is senior management that the organization’s current responses to its top risks are in place and effective? Does senior management understand the root causes of the top risks, and are responses designed to help prevent root causes from emerging? For risks that can’t be deterred, are there responses to mitigate the impact should the risk occur?
  9. To what extent does management’s information dashboard include risk metrics that monitor the potential escalation of risks over time?
  10. To what extent do the organization’s leaders promote an honest and transparent escalation of risk issues from middle management to senior management and the board of directors? How can training on risk management help key business leaders understand the significance of raising awareness of risk issues?

Business and security leaders who embrace the reality that risk and return are interrelated are likely to increase their investment in enterprise risk oversight to strengthen the organization’s resiliency and agility, the report says. Organizations can enhance enterprise risk oversight on many fronts, building robust processes, competencies and capabilities, and effectively using data to inform those efforts. In doing so, risk management can be transformed into a competitive advantage.

For more findings, visit www.aicpa.org.

Sam Edwards / OJO Images via Getty Images

Boosting Enterprise Risk Management Processes


December 2022 / SECURITYMAGAZINE.COM