From the largest multinational corporation to the smallest mom-and-pop shop, organizations must devote more attention and resources to strengthening their cybersecurity readiness. If you think you’ve read this before, you are correct. Warnings about cyber threats have been sounded for decades.
In 2024, the corporate stakes for cybersecurity and the challenges involved in crafting appropriate policies and practices have grown dramatically. From a threat perspective, the number of cybercriminals is skyrocketing. Generative artificial intelligence (AI) is accelerating their capabilities to do harm.
Far more data is being captured today, creating more privacy implications for customers and operational risks for internal workflows. There are increasingly complicated cybersecurity guidelines, laws and regulations in many countries, extending beyond typically highly regulated industries such as healthcare and finance.
Addressing the cybersecurity problem requires a multifaceted approach. Processes throughout the organization must be improved, especially those relating to incident response. The toolbox has to grow, with targeted technology addressing specific activities and dashboards to pull everything together. Most importantly, cybersecurity skill gaps need to shrink — through broad workforce education, dedicated cybersecurity resources, external partners or (often) a combination of all three.
Trends Outpace Traditional Pathways
Employers clearly recognize the importance of cybersecurity skills in their workforce. Approximately 1.18 million people worked as cybersecurity professionals in the U.S. between September 2022 and August 2023, an increase of 59% since 2010. That’s according to CyberSeek™, the most comprehensive source of detailed, actionable data about supply and demand in the U.S. cybersecurity job market. Yet in the same time period, approximately 572,000 cybersecurity jobs opened up. Demand has been steady since May 2023, with roughly 45,000 job postings each month.
So, while the cybersecurity talent gap has narrowed slightly, companies must still shift their thinking to get the talent they need. Many trends in enterprise technology, including the focus on cybersecurity, evolve faster than traditional learning pathways can keep up. That is a significant challenge, but also a promising opportunity: it is driving employers to look for different avenues for candidates to prove their knowledge, which also broadens the candidate pool and improves diversity within the workforce.
States and Metros with Highest Numbers of Cybersecurity Workers
Metro | Workers |
---|---|
Washington | 116,662 |
New York | 45,109 |
Dallas | 35,784 |
Los Angeles | 34,790 |
Chicago | 30,425 |
San Francisco | 25,578 |
Atlanta | 25,273 |
Boston | 24,196 |
Seattle | 21,791 |
Baltimore | 20,142 |

State | Workers |
---|---|
California | 125,283 |
Virginia | 106,194 |
Texas | 96,865 |
New York | 64,226 |
Florida | 63,629 |
A growing number of companies are bringing in less experienced cybersecurity professionals who can build their skills while becoming familiar with corporate culture and objectives. Many of these team-building options focus on newer employees, such as college hires or those with less than five years of experience.
With increased technology usage and technology procurement by business units, stronger security literacy is needed to avoid pitfalls and ensure secure operations. Businesses are also turning to internal training as a way to close skill gaps. According to CompTIA’s “State of Cybersecurity 2024” report, half of survey respondents use internal training to improve cybersecurity skills, with 43% taking the additional step of helping employees pursue professional certifications to validate that knowledge.
The types of training offered run the gamut, from new employee orientation to random security audits. In a rapidly changing environment, simple one-time efforts such as new employee orientation or posting security policies for review will have low efficacy. Instead, businesses must consider comprehensive security training programs; ideally, these programs will assess the level of security awareness and will be customizable for industry and job role.
Closing the security skills gap is no easy task. Companies must determine their overall security posture, ensure a solid technical foundation, and invest wisely in both highly technical measures and basic security hygiene. As time marches on, this difficult undertaking becomes more critical, as businesses find themselves in a race between building skills and becoming the next big cybersecurity headline.
Todd Thibodeaux is president and CEO of CompTIA, the leading non-profit trade association for the global technology industry and workforce. For more information, visit www.comptia.org.