Easy job for cybercriminals? The shortage of skilled workers in IT security

In today’s digital age, where almost all aspects of our lives are interconnected and dependent on technology, cyber security plays a crucial role. To protect against cyber threats, trained IT security professionals are essential in companies.

However, current trends show that there is a shortage of experts, especially in the field of cyber security. According to McKinsey, federal, state and local governments already lack 39,000 IT professionals. By 2030, this number is expected to rise to 140,000. The Institut für Wirtschaft (IW) confirms this by stating that 68,000 IT positions remained unfilled in 2022. You can read about the reasons for this shortage and its possible consequences below.

The rising demand for cybersecurity experts

The demand for cyber security experts has skyrocketed in the last decade. By now, 9 out of 10 companies state that they have been victims of cybercrime, whether in the form of cyber attacks, industrial espionage or sabotage. Companies are therefore required to invest in the cyber security of their own organisation and to give the topic of IT security the highest priority. The following factors reinforce this trend:

  • The ever-evolving threat landscape: cyber threats are becoming more complex and diverse. It is therefore necessary for companies to employ experts who can effectively identify and combat these challenges.
  • Legal compliance: Regulations and legal requirements, such as the current NIS-2 directive, stipulate that companies must maintain a certain level of IT security. Under NIS-2, this applies in particular to companies in critical sectors, but also to those in important sectors. In addition, strict data protection regulations such as the GDPR require certain measures to ensure data security. More and more specialists are needed to implement these requirements correctly.
  • Remote work concepts: The coronavirus pandemic moved the workplace of many employees into their own homes. Even after the pandemic, many companies are sticking to the remote work concept. In order to provide employees with a secure workspace and thus not jeopardise their own IT security infrastructure, experts must be constantly on duty to counter threats such as the emergence of shadow IT.
  • Internet of Things: As more and more devices connect and communicate as well as interact with each other, the IT infrastructure also becomes more complex. If one device is tampered with or targeted by cybercriminals, the disruption or malfunction can quickly spread to connected devices. Specialised skills are required to ward off threats and protect potential vulnerabilities.

This explains why IT and cybersecurity experts are in such high demand. But why does the demand for expertise exceed the supply, making the lack of experienced personnel such a problem? Again, several factors have contributed to this:

  1. Rapid technological advances: Cyber threats are evolving rapidly, and the skills needed to defend against them must keep pace. Traditional cyber security training programmes often struggle to adapt to these rapid changes.
  2. Lack of education and training: According to the Institute of the German Economy, there was a shortage of almost 34,000 skilled workers last year alone. The reason for this was that there were no suitably qualified workers for these jobs. What is worrying is that, according to the experts, there is no improvement in sight for the time being, as the number of students in the fields of mathematics, computer science, natural sciences and technology in the first university semesters has declined in recent years.
  3. High turnover rates: The ever-changing landscape and high pressure in cybersecurity positions can lead to burnout and high turnover. This fluctuation makes it difficult for companies to build a constant cybersecurity team.
  4. Age-related retirement: Another factor that should not be underestimated is that skilled workers are retiring. The Institut der deutschen Wirtschaft (Institute of the German Economy) has also published figures on this: by 2030, more than 1.5 million employees can be expected to retire from the public service due to age.
  5. Competition for talent: Companies from almost all industries compete for a limited pool of cybersecurity talent. The competition is therefore immense. This also has an impact on salaries. Attracting talent is becoming more and more expensive, and small and medium-sized companies and non-profit organisations in particular have problems hiring cybersecurity experts because they cannot keep up with the salaries demanded.
  6. More professionals are looking at the labour market globally: Globalisation means that young professionals in particular are no longer only considering a job in their home country, but are expanding their search worldwide. Many talented people are looking for a challenge and are willing to work abroad – for a limited time, but also permanently. On the other hand, international companies are explicitly interested in recruiting talent from different parts of the world in order to pool experience, expertise and know-how. Large, global companies in particular exert a certain pull that is attractive and interesting for young talents.

Consequences of the shortage of skilled workers

The lack of qualified cybersecurity experts has far-reaching consequences. For example, companies with inadequately trained cybersecurity teams are at increased risk. This inadequacy makes them more vulnerable to a range of threats, including cyberattacks, data leaks and financial losses. In a cyber emergency, the lack of experienced cybersecurity professionals can also lead to slower response times. These delays give attackers a larger window of opportunity to inflict greater and more widespread damage. The consequences of a delayed or inefficient response to a cyber incident can be severe. For one, the cost of remediating the IT security incident can increase dramatically and exceed a company’s resources. In addition, the company might have to face other negative consequences such as business interruptions, data loss, contractual penalties and significant damage to its image and reputation.

The lack of IT and cybersecurity experts can also have a negative impact on technological progress. For example, innovations can be slowed down or the introduction of new technologies can even be hindered. Fear of potential security risks may make companies reluctant to change or update existing structures. In the long run, this can affect a company’s competitiveness in the ever-evolving business landscape.

In the area of legal and regulatory compliance, data protection is a major concern. If companies lack qualified staff and thus sufficient security measures, they expose themselves to the risk of high fines and legal consequences in the event of an IT security incident. Non-compliance with data protection laws adds another layer of potential legal complications. The impact of understaffed and inadequately trained cybersecurity teams thus goes far beyond the immediate threat situation to include financial, operational and legal challenges.

How should the problem be tackled in the future?

The shortage of qualified cybersecurity professionals is an urgent problem that can affect any company. As the digital landscape evolves, companies must invest in education and training programmes, diversify their hiring practices and foster a cybersecurity culture to address this growing challenge. Bridging the skills gap is critical not only for the protection of sensitive data, but also for the overall stability and security of our increasingly connected world.

If it is not possible for companies to train their own talent or build their own IT departments, there are other ways to raise cyber awareness within their own organisation. Third-party service providers such as Perseus offer training formats that raise employees’ awareness of the types of attacks and methods used by cyber criminals, helping to prevent attacks and ensuring the right and quick response in the event of a cyber emergency. External IT experts and cyber emergency hotlines also provide support in an emergency and can thus prevent worse outcomes.

In the EU, legislation is currently being drafted at national level to implement the new directive (NIS-2), which was issued to strengthen cyber resilience in Europe. This NIS-2 directive sets out measures that companies from important/essential as well as critical sectors must comply with. In order to subsequently implement these requirements, companies rely on qualified professionals who are specifically and extensively trained in IT and cyber security.

Solving this problem in the long term will also require political initiatives. Incentives and impulses should be created so that young professionals decide to study or train in the areas of IT and cyber security. Programmes for career changers should also be implemented and the efforts of companies to train IT specialists should be rewarded and promoted.