In today’s digital age, where nearly every aspect of our lives is interconnected and dependent on technology, cybersecurity plays a crucial role. To protect yourself from cyber threats, trained IT security experts are essential in companies.

However, current trends show that there is a shortage of experts, especially in the field of cybersecurity. According to McKinsey, federal, state and local governments are already short of 39,000 IT specialists. By 2030, this number is expected to rise to 140,000. The Institute for Economics confirms this, saying that 68,000 IT jobs remained unfilled in 2022. You can read the reasons for this deficiency and its possible consequences below.

The Increasing Demand for Cybersecurity Professionals

The demand for cybersecurity experts has skyrocketed over the past decade. Meanwhile, 9 out of 10 companies say they have been victims of cybercrime in the form of cyberattacks, but also industrial espionage or sabotage. Companies are therefore called upon to invest in the cybersecurity of their own organization and to give the topic of IT security the highest priority. The following aspects reinforce this development even further:

• The ever-evolving threat landscape: Cyber threats are becoming increasingly complex and diverse. It is therefore necessary for companies to employ experts who can effectively identify and combat these challenges.
• Regulatory Compliance: Regulations and legal requirements, such as the current NIS 2 Directive, stipulate that companies must have a certain level of IT security. In particular, companies from critical sectors, but also from important sectors due to the NIS 2 Directive, must meet these requirements. In addition, strict data protection regulations such as the GDPR require certain measures to ensure data security. More and more specialists are needed for the correct execution and implementation.
• Remote Work Concepts: The Corona pandemic has moved the workplace of many employees into their own four walls. Even after the pandemic, many companies are sticking to the concept of working from home. In order to provide employees with a secure workspace and thus not endanger their own IT security infrastructure, experts must be constantly on duty to counter threats such as the emergence of shadow IT.
• Internet of Things: As more and more devices are connected, communicate and interact, the IT infrastructure is also becoming more complex. If a device is tampered with or targeted by cybercriminals, the disruption or failure can quickly spread to the connected devices. To fend off threats and protect potential vulnerabilities, specialized skills are required.

This explains why IT and cybersecurity professionals are in such demand. But how did the demand for expertise outstrip supply, and how did the shortage of experienced staff become such a problem? Here, too, several factors can be identified that have contributed to this:

1. Rapid technological advancements: Cyber threats are evolving rapidly, and the capabilities needed to defend against them must keep pace. Traditional cybersecurity training programs often struggle to adapt to these rapid changes.
2. Lack of education and training: According to the Institute of the German Economy, there was a shortage of almost 34,000 skilled workers last year alone. The reason for this was that there were no suitably qualified workers for these jobs. It is worrying that, according to the experts, there is no improvement in sight for the time being, as the number of students in the fields of mathematics, computer science, natural sciences and technology in the first semesters of higher education has declined in recent years.
3. High turnover rates: The ever-changing landscape and high pressures in cybersecurity positions can lead to burnout and high turnover. This turnover makes it difficult for organizations to build a consistent cybersecurity team.
4. Retirement: Another factor that should not be underestimated is that skilled workers are retiring. The German Economic Institute has also published figures on this: According to them, it can be assumed that more than 1.5 million employees will retire from the public sector by 2030 due to age.
5. Competition for talent: Companies from almost every industry are competing for a limited pool of cybersecurity talent. Competition is therefore immense. This also has an impact on salaries. Talent is becoming more expensive, and small and medium-sized businesses and nonprofits in particular are struggling to hire cybersecurity experts because they can’t keep up with the salaries demanded.
6. More skilled workers are looking at the labour market globally: Globalization means that young professionals in particular are no longer just considering a job in their home country, but are expanding their search worldwide. Many talented people are looking for a challenge and are willing to work abroad – for a limited time, but also permanently. On the other hand, international companies are explicitly interested in recruiting talent from different parts of the world in order to pool experience, expertise, and know-how. Large, global companies in particular exert a certain attraction that is attractive and interesting for young talents.

Consequences of the shortage of skilled workers

The shortage of qualified cybersecurity experts has far-reaching consequences. For example, companies with inadequately trained cybersecurity teams are at increased risk. This inadequacy makes them more vulnerable to a range of threats, including cyberattacks, data leaks, and financial losses. In a cyber emergency, the lack of experienced cybersecurity professionals can lead to slower response times. These delays provide a larger window of opportunity for attackers to inflict greater and more far-reaching damage. The consequences of too delayed or inefficient response to a cyber incident can be severe. For one, the cost of remediating the IT security incident can increase dramatically and exceed a company’s resources. In addition, there are other negative consequences such as business interruptions, data loss, contractual penalties and significant damage to a company’s image and reputation.

The shortage of IT and cybersecurity experts can also have a negative impact on technological progress. For example, innovation can be slowed down or even the introduction of new technologies can be hindered. For fear of potential security risks, companies may be reluctant to change existing structures. In the long term, this can affect a company’s competitiveness in the ever-evolving business landscape.

In the area of compliance with laws and regulations, data protection is a major concern. If companies lack qualified personnel and thus sufficient security measures, they expose themselves to the risk of high fines and legal consequences in the event of an IT security incident. Failure to comply with data protection laws leads to another layer of potential legal complications. So, the impact of understaffed and undertrained cybersecurity teams goes far beyond the immediate threat landscape and also includes financial, operational, and legal challenges.

How should the problem be treated in the future?

The shortage of qualified cybersecurity experts is an acute problem that can affect any business. As the digital landscape evolves, organizations need to invest in education and training programs, diversify their hiring practices, and foster a cybersecurity culture to address this growing challenge. Bridging the skills gap is critical not only to protecting sensitive data, but also to the overall stability and security of our increasingly connected world.

If it is not possible for companies to train their own talents or build their own IT departments, there are certainly other ways to strengthen cyber awareness within their own organization. Service providers such as Perseus offer training formats that sensitize employees to the types of attacks and methods used by cybercriminals, thus helping to prevent attacks and ensure the correct and rapid response in the event of a cyber emergency. External IT experts and cyber emergency hotlines also provide support in an emergency and can thus prevent worse.

In the EU, legislation is currently being drafted at national level to implement the new Directive (NIS-2), which was adopted to strengthen cyber resilience in Europe. This NIS 2 Directive sets out measures that companies from important/essential and critical sectors must comply with. In order to subsequently implement these requirements, companies are dependent on qualified specialists who are specially and extensively trained in IT and cybersecurity.

In order to be able to solve this problem in the long term, initiatives from politics are certainly needed. The aim was to create incentives and impulses so that young professionals decide to study or train in the fields of IT security and cybersecurity. Programmes for career changers should also be created and companies’ efforts to train IT specialists should be rewarded and promoted.