No Sign of a Cyber Security Experts Surplus

Based on research by jobsite Indeed, several news items surfaced last week mentioning a decline in the number of vacancies for cyber security experts, while at the same time the number of people looking for jobs in this field is supposed to be increasing (see for example: 1, 2, 3). This suggests there is a surplus of available talent in the field of cyber security that is unable to find jobs. This is a surprising finding and contradicts many other studies and the findings of HSD in the Human Capital Actieagenda.


The statistics according to…

The findings in the research by Indeed are based on the number of vacancies and clicks on the website of Indeed. These showed a 28% decline in the total number of published vacancies for cyber security on their website over the past 2 years. The vacancies that declined according to their statistics were for cyber security directors (-5%), auditors (-45%) and jobs related to identity and risk (-19% and -51% respectively).


Despite this decline, there were big increases in specific cyber security vacancy postings in 2016 as well. The number of vacancies for ‘Chief Information Security Officers’ increased by 185%; those for hackers increased by 46%; and ‘cyber security administrator’ vacancies increased by 134%. This suggests that the field of cyber security is changing, for instance from director to C-level (making it more important to the strategy of companies) and from auditing & risk to getting your hands dirty (embedding it more in the core processes of organisations). Another finding was that vacancies for ‘cyber security consultants’, ‘cyber security engineers’ and ‘cyber security director’ were hardly clicked on by visitors of Indeed. So there is a need for these kinds of cyber security professionals, but they don’t seem to be around on this channel.


Apparently, auditing and risk vacancies formed a big part of the cyber security-related jobs on Indeed’s website. Those declined substantially in the last two years, and the decline was not compensated by the big increase in other cyber security vacancy postings.


Reality check

The research by Indeed suggests there is a decrease in auditing and risk vacancies. But does this mean there are enough cyber security experts? Asking companies and organisations in the Dutch cyber security cluster, we found the opposite: many still experience big challenges in finding people to fill their cyber security positions.

The changing landscape shows that cyber security is a multidisciplinary problem, not merely a task for one specific person but more and more a part of jobs across several disciplines. This is reflected in the increase in vacancies for network specialists mentioned by Indeed, which can be considered a growing need for cyber security professionals too. A network specialist has to take into account the security aspects of a network, now more than ever. We also see cyber security becoming a boardroom issue for organisations; this is supported by the increase in the number of vacancies for ‘Chief Information Security Officer’.


In multiple conversations with cyber security companies, we were told that they stopped posting vacancies altogether because it is notoriously hard to find skilled people in the cyber security domain. We learned that organisations are increasingly resorting to other ways to attract new personnel in this field, for example through reskilling and upskilling current staff, hiring interns and outsourcing security-related tasks to specialised companies that acquire new personnel straight from school.


Human Capital Agenda for Cyber Security

To guarantee a secure digital world and economic growth for the security sector, it is important to have a continuous influx of new talent into the cyber security labour market. That is why we keep track of developments in the market and connect partners to join forces in realising the Human Capital Actieagenda Cyber Security.


The changes in job postings show that the security domain is dynamic and that there are many different roles to fill in cyber security. To help recruiters and people looking for a job, it is important to get a clear understanding of what certain job profiles look like. What skills are needed? What core tasks are to be carried out? These are questions organisations are currently struggling with, and for that reason one should be aware of the ambiguity of the term cyber security. Organisations do not always ‘speak the same language’ even when they are looking for similar people. We should invest in making the job market and educational offerings more attractive, fit for purpose and transparent. Downplaying the challenges the market is currently facing does not help to grow the sector or make the world more secure.