Indeed Spotlight: The Global Cybersecurity Skills Gap

New research from Indeed provides insight into the cybersecurity skills gap.

Today cybersecurity is constantly in the spotlight. But while it’s the stories about the alleged hacking of elections and huge data breaches that score all the headlines, the fact is that cyber criminals pose a risk to everyone—and every type of organization needs qualified staff with the skills and experience to mitigate against this risk.

The problem is that cybersecurity professionals—who combine broad technical skills with specific security expertise and an understanding of business risk—are hard to find. For instance, Cisco estimates that there are currently one million unfilled cybersecurity jobs worldwide, while industry giant Symantec predicts that by 2019 the number will be 1.5 million. Little wonder that the word “crisis” appears so often in articles on cybersecurity hiring, or that professionals in the field—finding themselves in such high demand—are able to command such high salaries.

And yet these big numbers only show us part of the global picture. Not every country has the same level of demand for cybersecurity professionals, and not every country suffers from the same severity of skills shortage; nor are all fields within cybersecurity in equally short supply.

In this report, based on two years’ worth of Indeed data  (Q32014 to Q32016), we take a look at ten countries to identify where cybersecurity jobs are most in demand; where the field is showing the most growth; and where the talent gap poses the most risk to employers—while offering cybersecurity professionals the most opportunities.

Key Findings:

  • Demand for cybersecurity professionals is strongest in Israel, followed by Ireland and the UK.
  • Severe cyber security skills shortages persist in every country with Israel and UK worst affected—only in the US and Canada does the supply of job seekers exceed 50% of employer demand.
  • However in some countries we see a slight reduction in the skills gap—while in the US and UK interest in ethical hacker jobs actually exceeds employer demand.

I: Global Demand

Cybersecurity professionals are in high demand in all the countries we looked at, but there are significant differences in levels of demand, as we see in the table below.

Israel places first—and by a wide margin. In fact, demand for cybersecurity professionals here is 89.2% higher than in second place Ireland, 118.8% higher than in third place UK and 187.4% higher than in fourth place US.

This strong showing is likely due not only to Israel’s reputation as a tech hub (per capita, the country has more startups and scientists than any other in the world) but also to the emphasis the country places upon security. Veterans of the IDF’s elite cybersecurity Unit 8200 have founded many cybersecurity firms valued at hundreds of millions of dollars. Despite its small population, Israel is second only to the US as an exporter of cybersecurity goods and services worldwide.

Israel is not the only small country where we see high demand for cybersecurity professionals, however. Ireland may be less of a security center (although major cybersecurity firms such as Symantec, Kaspersky and FireEye have their European headquarters in the country) but it is a major tech center. Ireland’s second place position likely reflects the fact that more than 1200 multinationals including tech giants Google, Facebook, Microsoft and Dell have based their European operations in the country.

As for which skills employers are seeking, we see strong demand for network security specialists globally. This is the most wanted skill set in Israel, Ireland, the UK, the US and Germany alike.

To get a sense of just how great that demand is, we can compare it to the second place specialities for each country. For instance, in the UK network security sees 223.1% more demand than mobile security, in Germany it sees 83.1% more demand than Identity and Access management, in the US it sees 210.8% more demand than application security, while in Ireland it sees 175.6% more demand than application security.

Thus, despite the increasing adoption of cloud technology, hiring patterns indicate that much sensitive information remains behind network firewalls—and that professionals who can help secure still have a strong market for their skills.

II: Global Deficit

But demand is only part of the story. The big problem for firms seeking to hire cybersecurity professionals is that supply cannot keep pace — not even close.

The chart above provides an at-a-glance view of the gap between employer demand and job seeker interest in each country. Strikingly, although the interest gap varies across countries, nowhere does job seeker interest outstrip employer demand: everywhere we looked we found a job seeker’s market.

When we compare clicks from job seekers to openings for cybersecurity roles posted by employers we can see just how serious the talent shortage gets, and the scale of the risk it represents for organizations. In the infographic below, a mismatch score of 100% would represent the correct balance between employer demand and job seeker interest. Suddenly the language of “crisis” seems quite justified.

In Israel, for instance, job seeker interest in cybersecurity roles meets 28.4% of employer demand—higher than a quarter, but only just. The UK suffers from the second worst skills shortage: here job seeker interest doesn’t quite hit a third of employer demand. Brazil, Germany and Italy round out the top five for severity of the skills gap. In each of these countries, interest from job seekers barely exceeds a third of employer demand.

In fact, only in two countries does job seeker interest exceed more than 50% of employer demand. Although it may seem like cold comfort for organizations in the US and Canada, the fact that job seeker interest meets 66.7% and 68.1% of employer demand in these respective locations is, comparatively speaking, a good result. Meanwhile for job seekers, cyber security remains a field with very strong career potential.

III: In Some Countries, the Skills Gap is Shrinking

However, in seven of the countries under study we see that the supply of cybersecurity professionals is closer to meeting demand today than it was two years ago.

In Most Markets Cybersecurity Mismatch is Less Severe Today

Share of clicks/share of postings for cybersecurity (2014Q3 and 2016Q3)

Country2014 Q32016 Q3% Point Change in Mismatch Score
Ireland25%39%14%
US60%67%7%
Italy29%36%6%
France32%39%6%
Israel24%28%5%
Germany32%35%3%
Australia41%42%1%
UK37%32%-5%
Brazil44%33%-11%
Canada80%68%-12%

Source: Indeed

Here, Ireland made the largest strides towards closing the skills gap. In 2014 job seeker interest in cybersecurity positions only met 25% of the employer demand and now in 2016 it is meeting 39% of the demand — an improvement of 14 percentage points.

The US also saw some improvement as job seeker interest in cybersecurity roles rose from meeting 60% of employer demand in 2014 to 67% today. Italy, France, Israel, Germany and Australia have also seen the gap shrink, albeit by less dramatic smaller amounts (in Australia it decreased by 1 percentage point).

It would be nice to think that the continued media spotlight on cyber security has boosted awareness of the field and the number of professionals entering it. But it is too soon to say whether these slight improvements represent the beginnings of a turnaround for global cybersecurity hiring.

In fact in some countries, mismatch has grown more severe. Canada experienced this most severely: in 2014 job seeker interest met 80% of the demand and now it only meets 68% of the demand. In the UK it dropped from 37% to 32%. In Brazil, there was an 11 percentage point drop from 44% to 33%.

Meanwhile, even in countries which have seen an overall reduction in the skills gap, severe shortages persist within certain specializations. For instance, jobseeker interest in cloud security in Ireland only meets 9.0% of demand, while in the US the numbers for that specialization look better, but are still daunting at 22.9%.

Likewise, we see severe shortages for application security specialists, as supply only meets 20.6% and 36.5% of demand in Ireland and the US respectively. UK — here the shortage of professionals searching for cloud security roles was most severe, as it only meets 8.5% of employer demand.

IV: The Fields Where There is a Surplus of Job Seeker Interest

So we still have a long way to go to close the skills gap. However, in a handful of specializations in specific countries we actually see a surplus of job seeker interest, acting in the employer’s favor:

If you’re looking for a security administrator in Ireland, or an ethical hacker in the US or the UK then job seeker interest exceeds employer demand—as it does for Chief Information Security Officer (CISO) posts in the US.

In fact, the share of job seeker interest in CISO positions in the US is more than double the share of employer demand for this position. However, this does not necessarily mean that there is a vast pool of highly qualified but chronically underemployed CISOs in the US. More likely, there is a great deal of interest in these positions due to their high salaries and high prestige.

As for ethical hackers and security administrators, the excess of interest in Ireland, the UK and the US suggests that employers in countries suffering a shortage of applicants for these positions could look to these countries as potential sources of talent to help fill the gap.

The way forward?

The cybersecurity talent shortage remains a serious—and global—issue.

For professionals, this imbalance between supply and demand means strong job prospects and high salaries, although even then barriers to entry remain. Cyber security is a demanding profession and many employers ask for advanced certifications. Experts also need to be able to demonstrate an understanding of risk and how their businesses operate.

So with a smaller talent pool, what can be done to help close the skills gap?

One possible approach would be to view the problem from a different angle. Some cybersecurity experts argue that the issue is partly one of perspective, and that treating cybersecurity as a specialization within the computing field rather than as a standalone discipline is a mistake. Instead, by developing programs within organizations that identify qualified professionals and offer them training, employers will be able to make inroads into the supply-demand gap.

Whatever solution employers pursue, however, there can be no doubt that cybercrime will continue to pose a major threat, and that closing the skills gap will remain a matter of critical importance for the foreseeable future.


Contributors:

Daniel Culbertson

Daniel Humphries

GinaMarie Ivy

Jed Kolko

Valerie Rodden


Methodology
The key source for all Indeed Hiring Lab research is the aggregated and anonymized data from job seeker and employer behavior on Indeed. The job posting data on Indeed include millions of jobs from thousands of sources. It is important to note that Indeed job postings do not reflect the precise number of jobs available in the labor market, as an opening may be listed on more than one website and could remain online for a period of time after it has been filled. Moreover, employers sometimes use a single job posting for multiple job openings. However, the data do represent a broad measure of each job title’s share of job openings in the labor market. Job seeker interest is measured by an indeed user clicking on a job posting.
This global report is based on data from July 1, 2014 to Oct 1, 2016 from 10 key markets with a significant number of cyber security job postings. We identified cyber security job postings as those with a job title that includes the term ‘security’ and one of the following terms ‘it, cyber, information, application, network, cloud, iot, mobile, app, data,  or internet’. In non english speaking markets we acquired the equivalent translations for each of these terms.
We discuss job postings and clicks to job postings in terms of a share of all postings or clicks to allow for fair country comparisons. The raw count of job postings or clicks in a country can be influenced by indeed’s time in market, data aggregation issues and larger economic events. By focusing on the share of postings or the share of clicks we are able to isolate trends on the specific topic at hand, cyber security, and hold constant these other extraneous factors.