The next time you apply to a cybersecurity job and don’t get selected, there may be a good reason: the company likely can’t afford you. Indeed, according to reports from the Wall Street Journal and (ISC)2, cybersecurity chiefs are struggling to find employees they can afford, as sought-after job seekers ask for higher salaries and better compensation packages.
Currently, the median salary for cybersecurity professionals in the U.S. is $135,000, according to (ISC)2. For context, that’s more than double the national average salary of $54,132 in 2022 according to the US Bureau of Labor Statistics.
If you’re wondering what makes cybersecurity talent so expensive to hire (or lucrative if you’re the employee), it’s largely the labor market supply and demand. A consistent shortage of qualified candidates, and the increasing complexity of cyberattacks have made securing organizational cyber assets and infrastructure paramount.
Increasing regulation such as requiring organizations to report cyberattacks within 24 hours, and any payment to ransomware threat groups within 72 hours to CISA adds additional pressure to business units to hire and retain cybersecurity talent.
At least two dozen other federal cybersecurity mandates already exist for breach reporting and cyber incidents. Certain organizations may even need to comply with the Securities Exchange Commission, who have their own cyber incident reporting requirements. Increasing government regulation can become duplicative and wasteful, forcing a wedge between a business and its customers.
Invest in cyber technology or talent? You need the budget for both
The demand for cybersecurity professionals is growing rapidly, as businesses of all sizes become increasingly reliant on technology. In order to protect their data and systems from cyberattacks, businesses need to hire qualified cybersecurity professionals. But in order to do so, they must have the sufficient budget. Twenty-eight percent of hiring managers cite lack of budget as a reason they can’t hire sufficient talent.
With the average cost of a data breach in the United States now exceeding $9 million, leaving a business network vulnerable is prohibitively expensive. It may even force the business to shut down. In fact, 60% of small and medium-sized businesses close within six months of a cyber incident.
Shortage of qualified cybersecurity candidates
The shortage of qualified candidates is a major problem. According to Cybersecurity Ventures, there are currently 3.4 million unfilled cybersecurity jobs worldwide. In the United States alone, there are over 700,000 unfilled cybersecurity jobs. Seventy percent of cybersecurity professionals feel their organization doesn’t have sufficient cyber staff to respond to incidents, according to an (ISC)2 study.
So, why aren’t these openings filled?
There is a shortage of qualified candidates, as many people do not have the skills and experience that businesses are looking for. Indeed, 40% of hiring managers cite lack of qualifications—the top reason—for not hiring more cybersecurity staff in an (ISC)2 study.
Turnover and attrition are the second top reason hiring managers are not able to hire sufficient cybersecurity staff. Many cybersecurity professionals are being poached by other companies, who are willing to pay higher salaries. As little as six to twelve months of cybersecurity experience with a competing vendor, or similar business may be all it takes to be poached at a premium.
Increase in frequency and complexity of cyberattacks
The increasing frequency and complexity of cyberattacks is also making it more difficult for businesses to find qualified cybersecurity professionals. Cyberattacks are becoming more sophisticated and difficult to defend against, and businesses need to hire professionals who have the skills and experience to protect their systems from these attacks.
Between 2020 and 2021, cyberattack incidents rose 31% to 270 attacks, according to Accenture’s State of Cybersecurity Report. Companies on average fell victim to 29 cyber incidents in 2020. This leads to cybersecurity professionals working in units such as a security operations center (SOC) to experience significant mental health decline, with forced overtime and burnout, among other effects.
Supply chain attacks such as SolarWinds and 3CX are increasingly devastating and far-reaching across the world. Removing advanced persistent threat footprints from network infrastructure requires outside consulting, advanced forensics, and possibly completely replacing compromised equipment or virtual systems—all adding up to millions of dollars.
Is Artificial Intelligence the answer for cybersecurity talent shortage?
The combination of the growing demand for cybersecurity professionals, the shortage of qualified candidates, and the increasing complexity of cyberattacks is creating a perfect storm for businesses. Businesses are struggling to find qualified cybersecurity professionals, and those that do find them are often having to pay top dollar. Inevitably, they will need to find alternative methods to prevent, detect and respond to cybersecurity incidents through sophisticated automated cybersecurity tools and AI.
The runaway success and breakthroughs from OpenAI’s ChatGPT and similar generative AI is worth exploring as a possible next step for the cybersecurity industry. For years, vendors have touted cybersecurity automation capabilities for detecting vulnerabilities and abnormalities, but technical and operational challenges often result in a deployment with a fraction of the advertised capability enabled.
Such automated cybersecurity solutions frequently require multi-year engagements, significant entrenchment into IT architecture, and continuous adjustments to policies that are configured to respond appropriately. Disparate network environments and digital assets across multiple cloud service providers and on-premises increases cost and complexity, or become huge gaps in attack surface.
OpenAI GPT-4 may barely be generally available to the public, but companies with cybersecurity tools that are integrating ChatGPT include Orca, Armo, Logpoint, and Accenture. Other companies such as Coro and Trellix are also currently exploring integrating ChatGPT with some of their offerings.
Researchers at Kaspersky found promising results using ChatGPT for indicators of compromise (IoC) detection, and security researchers Antonio Formato and Zubair Rahim have described how they integrated ChatGPT with the Microsoft Sentinel security analytics and threat intelligence solution for incident management.
For now, AI will take a small step in truly automating repetitive tasks for cybersecurity incident detection and can be useful in analyzing network traffic. It will likely be supplemental to cybersecurity defense and investigation, much as existing cybersecurity tools are today. But it would not be impossible to imagine a partial or full AI solution in the near future—maybe as soon as five years, maybe as long as 10—that can provide the automated cybersecurity defense, reporting, and auditing capabilities that organizations today employ several humans for.
Until then, organizations will need to adapt and continue to operate on lean staff. Investing in training and development programs to upskill their existing employees, and partnering with universities and other organizations to develop new cybersecurity talent are possibilities. Organizations can also offer top salaries and benefits packages to attract and retain top qualified cybersecurity professionals for crucial roles, if possible.
No matter what AI ultimately is capable of, the cybersecurity job market shows no sign of slowing down or drop in compensation. Employment statistics are strong, with plenty of organizations from Series B funded startups to Google are hiring for cybersecurity roles. Apply often, apply to multiple levels of experience, and be open to negotiation. Someone can afford your talent—they may not last without you.
