Chapter 3. State of InfoSec labor market

Although some companies prefer searching for candidates with formal education in cybersecurity, graduates such as these are not easy to come by. That’s why so many businesses are satisfied with hiring someone outside the field with the basic skills that can be built on. When companies discuss skills shortages and shortfalls in the cybersecurity workforce, they probably mean experienced InfoSec professionals who are ready to perform complex tasks that require certain skills. Clearly, a newly-graduated student will not satisfy this requirement, and this is a hurdle most companies encounter when hiring new InfoSec practitioners.

In this part of the report, we will comprehensively consider the problem of global shortfall of qualified cybersecurity professionals and will try to find a way of narrowing this gap.

Key findings

  • 41% of InfoSec professionals say their organization’s cyber security teams are “somewhat” or “significantly understaffed”.
  • The biggest staff shortage of cybersecurity workers is revealed in Russia, followed by Latin America, APAC and META. The least understaffed regions are Europe and North America.
  • Information security research and malware analysis are the most understaffed roles globally (39%)
  • The biggest challenges to find and employ the right InfoSec professional are discrepancy between certification and practical skills (52%) and lack of experience (49%).
  • Almost half (48%) of InfoSec professionals claim it takes more than six months to fill an information security position

Global shortfall of qualified InfoSec professionals

Studies carried out by cybersecurity companies and international organizations in 2022, already highlighted concerns regarding a lack of cybersecurity professionals. Research undertaken by (ISC) Cybersecurity Workforce Study revealed that, despite a year-on-year increase of 440,000 new InfoSec professionals, globally the workforce gap was almost of 4 million cybersecurity workers required by organizations. A similar shortage was pointed out by the World Economic Forum at the beginning of 2023, when they confirmed the shortfall had already existed in 2021.

These worrying findings continue to be the case, as Kaspersky’s study revealed that globally 41% of InfoSec professionals say their organization’s cyber security teams are “somewhat” or “significantly understaffed”. This lack of staff was felt most keenly among nearly one-third of the respondents (30%), who admitted that their organizations are currently looking to fill more than 20 cyber security positions.

The biggest staff shortage of cybersecurity workers was revealed in Russia, where 67% of respondents admitted they needed more InfoSec professionals, followed by Latin America (48%), APAC (46%) and META (43%). Europe (31%) and North America (14%) were the least understaffed regions.

Countries with the biggest InfoSec staff shortage

Looking at cybersecurity needs across industries, the government sector admitted that nearly half (46%) of the Infosec roles it required remained unfilled. The telecoms / media and entertainment sectors were understaffed by 39% followed by retail & wholesale and healthcare with 37% of its roles remaining understaffed. The hospitality and CME (chemical metals and energy) industries were fourth on the list, lacking employees for 36% of its cybersecurity staff, closely followed by industrial & manufacturing (34%). Industries that had the fewest Infosec vacancies were IT (31%) and financial services (27%), but alarmingly, the figures still hovered close to one third.

Industries with the biggest InfoSec staff shortage

The most and the least understaffed InfoSec roles

In this study, we are highlighting six InfoSec spheres that participants say they are having trouble filling: Threat Intelligence, Network Security, Security Operations Center (SOC), Security Assessment, Malware Analysis, Information Security Research.

Information security research and malware analysis are the most understaffed roles with 39% of professionals claiming their organization’s cybersecurity team is somewhat/significantly understaffed. The roles of SOC, Security Assessment and Network Security professionals are slightly less understaffed at 35% and 33% respectively. The role with the least number of vacancies is threat intelligence (32%).

According to the qualitative interviews conducted within this research, one of the reasons why the roles of information security researcher and malware analyst are among the most understaffed, as mentioned above, is because they are very much in demand. Information security research is at the base of cybersecurity, therefore, almost all companies are searching for professionals in this field, but the quantity of staff trained for this role remains low. The other discipline in high demand is malware analysis, sought after by companies that practice independent coding analysis. Businesses in this predicament – IT and FinTech companies for instance – cannot find the right quality in prospective employees with enough practice or sufficient experience.

Role #1. Malware analyst

Organizations in Russia have difficulties finding malware analysts. In this country, more than half of respondents (57%) said they needed team members specialized in this discipline. Lack of expertise in this topic was also high in Europe (47%), Latin America (41%) and even North America (38%). META is the only region that is not in dire need of malware analysts, according to 23% of their cybersecurity leaders.

“I’ve been talking with peers about the shortage of specialized workers in the cybersecurity field for years, and the consensus is that current university programs cannot produce the number of professionals needed in Latin America. There simply aren’t enough university programs available. Furthermore, because of the language barrier, few Latin Americans are able to enroll in training programs offered in other regions. Given the fact that the professional shortage in Latin America is greater than the worldwide average, the findings of our research are consistent with the real scenario. I do, however, want to point out to one very crucial detail: the survey indicates that the three specializations in high demand among experts are information security analyst, threat intelligence, and malware research. On the other hand, interest in fields like network security, SOC, and security assessment is low. This discrepancy, in my opinion, indicates that the market’s ignorance in the latter areas will be clear in the future,’ – comments Claudio Martinelli, Managing Director, Americas, at Kaspersky.

Role #2. Security Operations Center (SOC) analyst

Security Operations Center (SOC) worker is the most understaffed job in the APAC region (41%) as well as in Russia (50%) while META only had a 20% shortage of people in this role. SOC teams are the backbone of a company’s security infrastructure, as they responsible for managing it. The danger is that when these IT specialists are not available, there is no one to coordinate the help that is needed.

‘The shortage of SOC analysts in Russia, in my opinion, can be explained by the lack of development of SOC services outsourcing. Outsourcing implies the concentration of specialists in the staff of a limited number of service providers, which in terms of the required volume of personnel, is significantly lower than the presence of the same specialists in the staff of each potential customer. Now, we have a situation where every enterprise has realized they need to centralize internal operational security services in the SOC, but they are trying to do this exclusively on their own. Meanwhile a mature offer has long been available on the market, and SOC process effectiveness and efficiency as well as the economies of scale, when it comes to service providers, are usually much higher.
It is quite possible that this explanation is applicable to other information security areas for which a mature proposal on the market is available, however, in Russia they are still preferred to be carried out by internal teams,’- comments Sergey Soldatov, Head of Security Operations Center at Kaspersky.

Role #3. Threat Intelligence analyst

Europe, Latin America and Russia faces a significant shortage of threat intelligence. However, this is not a skill that is lacking in META, where less than a quarter of professionals say they are lacking people in this profession.

Role #4 and 5. Information security researcher and Security Assessment analyst

Security assessment and information security research roles are normally present in the professionals’ wish lists, so employees in this field are highly sought after. InfoSec team leaders in Europe and Russia mentioned these roles as empty, while in the rest of the world, the vacancy was on the minds of more than one quarter of professionals.

Information security research

Security Assessment

Role #6. Network security analyst

The role of Network Security engineer was also not among the most difficult roles to fill. However, geographically, Russia was the region that found it hand the most vacancies at 52%. The European region also revealed that it had a high rate of job vacancies (36%) for this profession. The regions of Latin America, APAC, and North America around one-third found this role was understaffed.

‘Cybersecurity education in schools has only recently become popular, so it is expected that it will take some time before InfoSec graduates are able to play an active role in companies. In general, I think, companies are able to advance their cybersecurity personnel by training them. However, regarding cultural differences, Japanese companies, for example, place more emphasis on recouping the costs of training employees, while western companies tend to spend more on training, even though they understand that employees could leave quickly. Another important point that I’d like to highlight is that despite some companies responding that there is a shortage of human resources, they expect security vendors to fill this gap so they don’t make much efforts to solve the problem themselves,’ – says Tetsuya Sekiba, Presales Manager at Kaspersky Japan

Hiring process. What candidate’s characteristics do companies pay attention to during the interview?

Due to the high demand for InfoSec professionals and higher remuneration offered for those able to perform the role, this sphere is becoming increasingly attractive. This has led many workers to change their profession. And although lots of training courses exist to bring new cybersecurity employees up to scratch, this does not always help companies find relevant candidates, because many positions require employees with experience.

According to company bosses, the biggest challenges to find and employ the right caliber of InfoSec professional are discrepancy between certification and practical skills (52%) and lack of experience (49%). The high cost in hiring these specialists is an obstacle for 48% of bosses, and global competition bothers just over one third (41%). Actual skills shortage is only a problem for one quarter of respondents.

Challenges in finding qualified InfoSec professionals

During interviews with possible candidates for the role companies assess his/her soft and hard skills. Although cybersecurity doesn’t require employees to deal with the public, soft skills are still important. Cybersecurity staff have to deal with sensitive information, and they need to communicate with bosses, sometimes even c-suite professionals. However, the level of information they are dealing with and the complexity of solutions they are managing also require perfect ‘hard’ skills. They are the ones that take the lead during a cybersecurity emergency, so they must remain cool and professional under pressure.

This is likely why 63% of InfoSec specialists feel that both soft and hard skills are equally important in determining whether a cybersecurity candidate is qualified for a job. Less than a third (27%) of respondents said hard skills were important to them. Only 10% believed that new candidates only need soft skills.

Preference of soft/hard skills

The respondents looking for cybersecurity employees are mostly looking for people who have had hands-on training (70%), previous work experience (69%), and relevant certifications 68%. They prefer to see these items on a person’s resumé, as they consider them stronger qualifying criteria than a university degree in cyber security.

Recommendations from a previous employer and membership of specific communities and associations are not as important to InfoSec bosses as hands on training, work experience, certifications, and a university degree.

Factors determining candidate qualification

Level of expertise and career path. Some more interesting findings

Almost half (48%) of InfoSec professionals claim it takes them more than six months to fill a cybersecurity/information security position. As expected, recruitment for senior level positions takes the longest, with 29 % taking six to nine months, and 36 % taking nine months to more than a year. Less than half of respondents (42%) say junior jobs can be filled in one to three months with the majority of mid-level jobs (39%) taking four to six months to fill.

Time taken to fill an InfoSec position by levels

Just over half (52%) of respondents said that InfoSec professionals at junior level have a short tenure, with two to five years’ experience remaining in their role for less than three years. On the opposite side of the spectrum, 49% of those who answered the survey said senior cybersecurity specialists remain in their position for more than five years. Mid-level professionals remain for more than four years, according to just under half (47%) of respondents.

Average tenure of InfoSec professionals with different levels of expertise

InfoSec workforce churn was due to a lack of growth opportunities (59%) and high work stress (54%). In half of the instances (50%), specialists left their jobs because they did not feel supported by management. Other reasons for changing employment were because of monotonous work, poor compensation, inability to work with the latest technology, inflexible working practices, and lack of learning and development. On the opposite side of the spectrum, only 18% of cybersecurity staff departed because they were leaving the cybersecurity industry altogether.

Reasons for leaving current organization

To learn more about cybersecurity skills shortage, read the entire report ‘The portrait of modern information security professional‘.