Published on Dec 21, 2023

Is there a cyber expert in the room? Our proposals for upgrading cybersecurity professions

Between a shortage of candidates, a lack of awareness of career opportunities and the growing needs of companies, recruiting cybersecurity experts has probably never been more difficult. At what point can we speak of a "talent shortage" in cybersecurity? How can we raise awareness of career opportunities in this sector? Here are a number of ways to raise the profile of cybersecurity professions.

The growing importance of cybersecurity for businesses

According to the Baromètre de la cybersécurité des entreprises published in 2023 by CESIN (Club des Experts de la Sécurité de l'Information et du Numérique), 45% of companies were victims of a successful cyber attack in 2022, with strong impacts on business in 60% of cases. In addition to potential financial losses (business disruption, information system reconstruction costs), there are also potential legal consequences (in the event of data leakage, for example). Damage to image and reputation is also among the consequences of cyber attacks for companies.

In addition to the proliferation of threats and the sophistication of cyber-attacks, information systems have also become increasingly complex, with a growing number of layers and overlays to protect, massive use of the cloud, shadow IT, interconnections between different assets, and so on. Developing an effective security policy requires surrounding oneself with experts. And this is precisely where the problem lies. Cybersecurity is a demanding field, requiring, in addition to pure IT skills, knowledge of the notions of physical security, governance, compliance and so on.

Shortage of cybersecurity talent: key figures

Today, the available talent pool is not sufficient to meet the mass of job offers available in cybersecurity. According to Wavestone, more than 15,000 positions are "available but not covered" in the cybersecurity sector (March 2022). Worldwide, Cybersecurity Ventures estimates that the number of unfilled positions is 3.5 million (April 2023).

Which profiles, precisely, are most in short supply? According to a ranking by CSB School and recruitment agency Clémentine, published in March 2023 in Les Echos Start, the most sought-after positions in cybersecurity are: pentester, CISO, cryptology specialist, cybersecurity jurist and industrial cybersecurity expert. And the list could go on: cybersecurity consultant, project manager, SSI architect, SOC analyst, cyber crisis management expert, to name but a few.

3 concrete ways to raise the profile of cybersecurity professions

1. Raise awareness of the variety of jobs and career opportunities in cybersecurity

The lack of interest in the cybersecurity professions is probably due (at least in part) to a lack of understanding of them and the images they convey. Between the CISO, the technical expert who whispers in the ear of the executive, and the SOC analyst, drowning in security alerts on a daily basis, there are dozens of different professions, each responsible for different activities:

- Security management and steering of security projects,

- Designing and maintaining a secure information system,

- Security incident and crisis management,

- Consulting, services and research,

- Related professions (DPO, risk manager, internal control manager, etc.).

It's true that cyber threats have reached such a high level that stress, turnover and burn-out are now a fact of life in the cybersecurity professions. Beyond the generally (very) heavy workload, these professions are also highly valued: "useful for society", "innovative", "demanding" (source: 2022 survey on the attractiveness and representation of cybersecurity professions, ANSSI).

2. Strengthen education and training in cybersecurity

While the cybersecurity sector is dynamic and offers interesting career prospects (both in terms of assignments and remuneration), it is clear that it is still poorly known by the general public and students alike. Existing training courses are not yet able to meet companies' needs. As part of its "Stratégie nationale d'accélération pour la cybersécurité", the French government has set itself the target of creating 37,000 jobs in this sector by 2025. To achieve this goal, substantial training resources will be deployed to train specialists at bac+2 to bac+8 levels.

The creation of synergies between players in the cybersecurity sector and the training of young people in these professions will be decisive. And the task is a vast one: developing and creating new training courses to ensure that they truly meet the new needs of companies, designing training programs in conjunction with companies in the sector, placing a high priority on practical training, establishing exchanges with experienced profiles, etc. Developing partnerships with research institutions is another interesting option. France's CNRS and Europe's ENISA, for example, are working with their partners (universities, schools, organizations and companies) in a number of cyber fields.

3. Encourage diversity and inclusion

Attracting more women to the cybersecurity sector is also one of its biggest challenges. According to the "Les profils de la cybersécurité" survey published by ANSSI in October 2021, women represented 11% of the workforce in the sector at that date. Also according to ANSSI (Enquête 2022 sur l'attractivité et la représentation des métiers de la cybersécurité), women account for 14% of cybersecurity students, suggesting a (slight) increase in female cybersecurity profiles as these students join the job market.

Several associations are working to promote cybersecurity professions among women. Such is the case of Women4Cyber France, whose aim is to "promote, encourage and support the participation of women" in the sector. Another association, CEFCYS (CErcle des Femmes dans la CYberSécurité) works to "promote and advance the presence and leadership of women" in the cybersecurity professions.

The cybersecurity sector would also have much to gain by promoting greater diversity and inclusion, and opening its doors to profiles that are representative of society: young people who are far from employment, people with disabilities, candidates from very diverse social and geographical backgrounds, profiles undergoing professional retraining, etc. This openness would help to raise the profile of cyber issues within society as a whole, away from the clichés of the hooded geek and the sacrosanct engineering degree, neither of which reflect the reality and diversity of cybersecurity professions.

In concrete terms, what is OverSOC doing to raise the profile of the cybersecurity professions?

Through our mapping software, we enable organizations to regain visibility over their data. We help cybersecurity managers to make their technical work better understood by their staff, to make it more efficient and less tiring. OverSOC aims to go beyond the purely technical aspect of cybersecurity, to provide a clearer vision and a better understanding of cyber issues by all stakeholders.