The onset of the Covid-19 coronavirus pandemic and the accompanying shift to near-universal remote working in March and April of 2020 left security professionals scrambling to address the transition in record time, according to statistics published by cyber professionals association (ISC)².
With companies making the transition overnight in some cases, and unable to work from the office themselves, (ISC)² said the smooth changeover was a testament to the skill and resilience of security pros at every level.
On a global basis, 30% of respondents to (ISC)²’s Cybersecurity workforce study 2020 said that they had just 24 hours’ notice to secure the remote workforce, while 47% had up to a week, and just 16% said that they had more than a week’s notice. Asked how long they were given to secure the remote workforce, 22% said less than a day, 47% up to a week, and 16% longer than that.
“Overall, we’re seeing some very positive trends from the cyber security workforce reflected in this new data,” said Clar Rosso, CEO of (ISC)².
“The response to Covid-19 by the community and their ability to help securely migrate entire organisational systems to remote work, almost overnight, has been an unprecedented success and a best-case scenario in a lot of ways. Cyber security professionals rose to the challenge and solidified their value to their organisations.”
(ISC)² said that even in the face of rapidly changing environments, security pros tended to agree their organisations had been well-prepared for the shift to remote working, with 62% rating their overall Covid-19 response as excellent or very good.
Following the transition, (ISC)² found a tendency among security pros to say their ability to function effectively in teams was undiminished, with a quarter saying working remotely had improved their team communications.
One anonymous study participant commented: “Our transition has been mostly seamless. The communications bit has been a learning curve to an extent, but we learned which tools worked and which didn’t.”
Almost 60% of respondents also said their organisations’ cyber security readiness had not been compromised by having a remote security team, while in spite of a significant spike in pandemic-related threat activity, only 18% reported a rise in security incidents in the wake of Covid-19.
Respondents were also positively disposed towards their organisational leadership, with 67% saying their boards tended to understand the heightened importance of security in a remote working environment.
Despite these positive statistics, cyber security professionals said they still faced substantial difficulties. Many of these related to more generalised sources of stress, such as layoffs, furloughs or salary cuts – around 19% said they had had some form of pay cut themselves.
However, 51% were concerned their future security budgets would be affected by revenue losses as a result of Covid-19. As a second anonymous study participant put it: “Cyber security has always been a value-added item in the budget when there was extra money. We were doing good to hold the line within my organisation until Covid-19 came along.”
For the first time in its history, the (ISC)² study reported a year-on-year (YoY) decline in the cyber security workforce gap, noting a mix of increased new talent coming up coupled with uncertain demand due to the pandemic.
The organisation said there were now around 3.5 million individuals working in cyber security, up 700,000, or 25%, on last year’s estimate, with the shortage down by a corresponding amount, although (ISC)² estimated this means there are still as many as 3.12 million security roles that could be filled.
In the UK specifically, the security sector employs around 366,000, with a shortfall of around 27,500. In the US, (ISC)² estimates 879,000 security pros, and a shortfall of 359,000.
In terms of gender diversity in the sector, (ISC)² found that respondents to its survey were more than twice as likely to be men as women, 72% to 25% worldwide. Just over half of respondents perceived the percentage of women in the field to have risen, although women were more likely to say it was declining.
(ISC)² said this disparity showed a clear opportunity for organisations to seek out and work to retain women in security roles. Respondents to the survey tended to think the best way to do this was to encourage wholesale participation in STEM education, followed by additional mentorship and support.
Women tended to argue for other strategies, including promoting more women into leadership positions (45% compared to 34% of men) and eliminating the gender pay gap (42% compared to 35% of men).
Average cyber security salaries in 2020 clocked in at around $83,000 (£62,000/€70,000) worldwide and around $74,000 in Europe and $56,000 in APAC. Those with security certifications are more valued, commanding an $18,000 premium, and older security professionals also earned substantially more – the remaining members of the Baby Boom generation of the 1940s and ’50s can expect to make around $112,000 on average, but millennials, born from around 1981 to 1995, report an average salary of $67,000.
The skills currently most in demand in the profession are cloud security, followed by risk assessment and analysis, security analysis, and governance, risk management and compliance.