
Illustration by iStock, Security Management

Cyber Practitioners Look to Become More Strategic, Build Non-Technical Skill Sets as Workforce Growth Stalls

The need for cybersecurity professionals continues to grow around the world. But growth of the workforce has slowed for the first time since a major IT security organization began keeping track six years ago.

The cybersecurity workforce held steady in 2024 at 5.5 million people—a 0.1 percent year-on-year increase from 2023, according to the 2024 ISC2 Cybersecurity Workforce Study released in full on Thursday. The finding is based on a survey of 15,852 cybersecurity practitioners and decisionmakers in Africa, Asia-Pacific, Europe, Latin America, the Middle East, and North America, and marks a striking departure from 2023 when the workforce grew 8.7 percent from 2022.

Respondents stressed that a decline in investment in the cybersecurity workforce is affecting them, including a “lack of budget” that is resulting in staffing shortages. Sixty-seven percent of respondents indicated they were experiencing a staffing shortage, and 90 percent said they had skills gaps on their teams—with artificial intelligence (AI) skills being the biggest shortfall.

At the same time, survey respondents stressed that the threat landscape is the most challenging they have experienced in the last five years and fewer are reporting being satisfied with their jobs (66 percent in 2024 compared to 74 percent in 2022).

“As economic conditions continue to impact workforce investment, this year’s Cybersecurity Workforce Study underscores that many organizations are putting their cyber teams under significant strain,” said ISC2 Acting CEO and CFO Debra Taylor in a statement about the study’s findings. “Despite these challenges, AI is viewed by professionals as a solution to strengthen their organizations’ security and create new efficiencies for their teams.

“They also view effectively managing risk associated with AI adoption and its strategic importance to their organization’s future success as career growth opportunities for themselves and their peers,” Taylor continued. “Organizations and cybersecurity leaders must recognize how AI can contribute to creating more resilient security teams, especially while economic challenges persist.”

How Practitioners are Using AI Today

The current environment of stagnant workforce growth, coupled with an increasingly complex threat environment, means cybersecurity teams are going to have to “double down to protect Crown Jewels and core assets,” says Jon France, CISSP, CISO of ISC2, in an interview with Security Management.

Many cybersecurity teams—45 percent—said they have already implemented generative AI into their toolsets to assist with this. Applications include augmenting common operational tasks (56 percent), speeding up report writing and incident reporting (49 percent), simplifying threat intelligence (47 percent), accelerating threat hunting (43 percent), improving policy simulations (41 percent), improving privacy risk assessments (39 percent), and improving threat assessments (28 percent).

Vendors are also building AI into their tooling, from security companies integrating it to assist in identifying exploits to business operations leveraging AI to assist with personal productivity.

“Most vendors—security tool vendors—I don’t think I’ve seen one that doesn’t have a claim to AI or at least machine learning, usually to do with that it’ll use the information you feed it through your log files, your situation, or footprint, to contextualize whatever’s coming of it is the most important thing for you in your situation,” France says.

While adopting AI, cybersecurity practitioners are also concerned about how it will affect the future of their roles. Fifty-three percent said in the survey that generative AI will result in some cybersecurity skills becoming obsolete, yet 54 percent said that AI will be more helpful to cybersecurity as a whole.

To future-proof themselves for this workforce evolution, practitioners are bolstering their cybersecurity skills (73 percent), becoming strategic contributors instead of tactical ones (52 percent), learning more about AI or building AI-related skills (48 percent), learning about possible vulnerabilities and exploits in AI solutions (36 percent), and obtaining new AI-related certifications (19 percent).

Outside of security team adoption, 64 percent of respondents indicated that their organizations are using generative AI in other departments. While this can make the business more efficient, it ultimately creates more work for the security team. France notes that when an organization integrates this technology, the security team is likely going to be asked to assess the risks associated with it: Where is my data going? How are we going to protect it? Can I trust the results?

“All of those questions now come to the fore,” France says. “That’s extra work for [cybersecurity practitioners] to consider on procurement.”

The extra workload also carries over after implementation since cybersecurity teams will now have to add the AI tool into their monitoring of the organization’s threat surface area, France adds.

Other Skills the Workforce Needs

Many practitioners in the survey highlighted that they are struggling to retain people with in-demand skills (26 percent) and to advance their cybersecurity staff (22 percent). One of the top challenges practitioners identified for learning new skills was a lack of time to learn them.

The top needed skills at the moment for hiring and non-hiring managers are experience in cloud platform and infrastructure security, cloud data security, and cloud architecture and design. France says that cloud-focused skill sets are top of mind because cloud strategy is an issue that organizations are dealing with right now.

“If you’re going to recruit for something, you’re going to recruit for a problem you currently have or a need you currently have,” France explains. “Cloud is going to factor into that, as some of those other skill sets, like AI, are still a little more speculative at the moment or we may not be using it in our organization.”

Hiring and non-hiring managers also identified skills that they’re looking for now and that will be in demand for practitioners to advance their career, including risk assessment, analysis, and management; application security; security analysis; governance, risk management, and compliance; and AI/machine learning.

Right now, however, there aren’t many programs or certifications that applicants can obtain to show they are a strong AI applicant on résumés. Instead, the survey found that hiring managers favor other skill sets that might demonstrate an applicant’s potential to learn or obtain AI expertise, such as problem-solving (31 percent), teamwork (28 percent), curiosity (26 percent), and communication (25 percent).

“Non-hiring managers also see the value of nontechnical skills: the top skill they believe they need to advance their career is strong communication skills,” the report said. “However, non-hiring managers still place a high value on technical skills for advancement as they also believe cloud computing and AI are necessary for moving up.”

Assessing these softer skills in the hiring process can be difficult, but it is not impossible. France recalls a question he was once asked in an interview: If you have 23 tennis players and you play knockout tennis, how many rounds will it take to declare a winner?

He adds that giving candidates a notional problem and asking them to solve it can be a helpful way to screen people during the interview process.

“It isn’t like asking how many piano tuners are required in New York,” France says. “It’ll be a slightly real-world problem or a real-world pressure that you may be facing, and you’re actually looking at the thought process rather than the result.”

France also recommends looking at experiential components of an applicant’s CV, noticing where it’s highlighted that a problem existed and the applicant took a certain action to help solve it.

Assessing these skills, along with a person’s communication abilities, will result in a more well-rounded professional who will pay dividends in the long run, France adds.

“You know, the more technology gets integrated into business, the closer the technologies have to be to business and to be able to communicate with them,” he says.

How Managers Can Help

The ISC2 report concludes with a reminder for organizations to acknowledge the challenges cybersecurity teams face and to continue to invest in their development to enhance our collective security.

Alongside this effort, there are concrete steps that managers can take to help their cybersecurity teams obtain new skills and prepare to manage the risks of the future.

First, France says that formal training, such as certification, should be part of the generic tool kit that your team uses.

Second, France recommends providing learning opportunities for team members. This could include the opportunity to research a new technology or to gain experience with AI that they can bring back to their daily work.

Third, France suggests steering team members towards non-technical disciplines through formal or informal learning opportunities.

“To build a rounded team, you need a rounded skill set,” France says. “And it’s not just the technical skills that you need to develop. It is the business and personal, as well.”

An example of this is inviting a team member to observe management meetings or board meetings where other managers from across the business might be discussing ongoing projects or revenue.

“Some of the best experiences I had when I was younger in my career were sitting as a board observer, and then my manager afterwards said ‘write me up a two-page summary of what you think you heard and then we’ll go deliver that to the team,’” France recalls. “It was hugely eye-opening because what I picked up on wasn’t what another person on the board picked up on.”

Taking these steps will help cybersecurity team members adopt some of the softer skills identified as needed and help them be more strategic as they implement the technologies of the future.

“More strategic means I’m going to have input on a business level, and I’m going to have to understand what the business finds valuable and then protect it,” France explains. “How can I do that without actually understanding what is valuable to the business? That requires me to break out of just the IT team, the security team, and go and experience some of what the business actually does.”

 
