Skip to main content
Opens in a new tab External site

January 2023 / 10 Min Read

Cyber Security Talent Gap: Use These Solutions to Help Rectify Ongoing Issue


A lack of cyber security talent can potentially lead to catastrophic risk results. Use these steps to help strengthen your cyber posture.


Key Takeaways

  1. There are not enough cyber security professionals able to combat threats and keep pace with an increasingly sophisticated group of threat actors.
  2. More than 80 percent of companies have experienced a breach attributable to a lack of cyber security skills or awareness.
  3. There needs to be more cyber security professionals, and they need more skills. Companies can, however, still take steps to build strong cyber posture.

Mitigating cyber risk continues to challenge organizations and their risk leaders, as threat actors become more sophisticated and varying in their threats, tools, targets and locations.

In fact, three in five companies1 aren’t ready to fully navigate exposures associated with digital threats. This exposure concern, is due in part to a talent recruitment issue that has been impacting cyber security for more than a decade:

  • 60 percent of organizations report that they struggle to recruit cyber security talent
  • More than half of business leaders surveyed say they struggle to keep cyber security talent.2

Cyber talent constraints are a familiar problem for companies. There are simply not enough cyber security professionals in the workforce able to combat the threats and keep pace with an increasingly sophisticated group of threat actors. There currently is a shortage of more than 2.7 million cyber professionals3 globally, more than a quarter of which are in the U.S., according to the World Economic Forum.

How can companies successfully defend themselves against these myriad threats while maintaining a motivated and engaged workforce?

The Scope of the Issue

Cyber security remains an enormous challenge, and the current shortage of professionals to combat the threat is having a detrimental effect. More than 80 percent of companies have experienced a breach attributable to a lack of cyber security skills or overall employee cyber awareness.

A hole in cyber security personnel can potentially lead to catastrophic results. About two-thirds of companies say that the lack of cyber security professionals places them at greater risk of a breach.4 This lack of talent leaves many companies vulnerable to a potentially costly breach, especially companies known to maintain sensitive data. Nearly four in 10 companies reported experiencing a breach that cost them more than $1 million.5 Add to that the cost of damage to the company’s reputation, and it’s easy to understand why the cyber security gap is of such importance.

Is it a Talent Gap or a Skills Gap?

There’s a talent gap in cyber security, however, there’s also a lack of skills currently hampering organizations. In fact, 59 percent of businesses reported they would find it challenging to respond to a cyber incident due to shortage of skills on their team.6 Cyber security has always been a race between the threat actors and those trying to prevent attacks. As attackers refine their methods and find new ways to exploit vulnerable systems, cyber security professionals continue to stay up to date to effectively combat the threat. Companies prefer to employ credentialed professionals with specialized certifications. That training is expensive and extensive, some with difficult certification exams.

In reality, the current issue is both a talent gap and a skills gap. There needs to be more cyber security professionals, and they need more skills. How can companies keep up?

Attract, Retain, Sustain

In the current labor market, it can cost three to four times the professional’s salary to hire for an open position,7 meaning an opening for a $75,000 per year job could cost $300,000 to fill. Holding on to the professionals already on board should always be seen as top priority.

1. Do a Skills Audit.

What skills do companies have in place? Where is there greater need? A skills audit may yield better results than looking at headcount or an organizational chart. If current employees can be re-skilled or upskilled into areas of need, it may fill in the gaps without having to do much fishing in the talent “ocean.”

2. Make Sure EVP (Employee Value Proposition) is Relevant.

Companies should be looking at their overall employee value proposition (EVP) to ensure that it is relevant, not just in their industry, but across industries. When considering EVP, it’s important to consider factors that cyber security professionals find important, besides salary, including:

Career path.

One thing that younger workers have repeatedly said they value is a defined career path, the skills they’ll need to get promoted, and the expectation that the company will do what they can to pave the way.


Whether it’s learning to become a people manager or just communicating with clients (internal and external), learning soft skills can go a long way toward keeping talent in house.

Skills distribution. Build from skills, not roles.

Maximize skills. People are different, so a one-size-fits-all approach is unlikely to succeed. Often, professionals in technical fields are promoted to people management positions in which they are less comfortable. Making sure that people are comfortable in the type of role they are in (technical vs. people manager vs. technical manager) goes a long way toward building a sustainable working life.


With many cyber security issues showing up in the news, it’s important that everyone feels as though they are contributing to the part of the job that helps avoid those headlines. It can also help to prevent burnout and ensures that everyone is exposed to the depth of skills needed.

A strong employee retention program that attracts and retains its cyber professionals and builds talent sustainability is vital. However, as we look to strengthen the talent pool, we must also consider other ways we can do more with less. There are measures organizations may take to help strengthen their overall cyber posture, which can assist in mitigating the impact inability to hire or upskill quickly can cause a company’s overall risk posture. As businesses continue to look for ways to enhance their cyber security talent and skills, use these five steps to help build cyber resilience:

5 Recommendations to Build a Model for Sustained Cyber Resilience

1. Identify your business risks and how they may be impacted by cyber risks:

Identifying business risks and their relationship to cyber risks enables an organization to assess its exposure and take steps to protect its operations, reputation and bottom line. For example, a potential business risk may be the loss of sensitive customer data. The corresponding cyber risk may be a data breach caused by a threat actor accessing your network.

2. Assess your exposure:

Assessing your cyber exposure can help you understand how security controls impact balance sheet exposure, and creation of strong strategies to manage cyber risk. Through relevant quantified risk scenarios and assessing control effectiveness against these loss models, businesses can quickly decide how to best allocate budget to maximize resilience. An adversary simulation tool helps drive in-depth analyses of successful vs. blocked attacks, which may determine the success of defensive controls and security monitoring programs and shape a data-driven risk prioritization and remediation strategy.

3. Mitigate your risk:

Risk mitigation includes targeted security controls and measurable industry standards, which enhance security maturity, reduce exposure and minimize financial impact from key cyber risks. Consider reviewing governance, controls, roles and responsibilities, developing protective safeguards to mitigate cyber exposures. Engage in breach simulations and tabletop exercises to test incident preparedness.

4. Implement a risk transfer strategy:

Develop and implement a risk transfer strategy that helps safeguard your balance sheet. Quantifying maximum probable cyber losses enables senior stakeholders to understand the magnitude of potential losses and what those losses might constitute. Armed with this knowledge, your businesses can make decisions around risk-bearing appetite and appropriate levels of risk transfer. Cyber insurance to help mitigate the financial impact of a cyber attack and provide access to incident response services.

5. Implement recovery plan:

After an incident the road to recovery is often complex, and a recovery plan should drive operational and financial loss recovery. Recovery plans should include incident response expertise alongside key business stakeholders to maximize recovery. Consider checking your contractual protections and insurance policies to ensure your organization is covered for financial loss from a breach. Review business continuity and disaster recovery plans to ensure they include, and test for current cyber threats.

It’s a Marathon – and a Sprint

Developing and retaining cyber security talent has to be an ongoing process. Relying on exponent staff growth is not a successful strategy. Leveraging both a focus at stronger cyber hygiene, coupled with a focus on retention can help maintain a base level of maturity that will help. That resilience built between better collective practice and cyber development will be useful, not only when the current talent shortage is successfully addressed but will provide a viable buffer against future crises.

Diversity, Equity and Inclusion isn’t a side issue

A company’s efforts in Diversity, Equity and Inclusion (DEI) aren’t just good public relations anymore. They’re also sound recruiting strategy. Younger professionals especially say they want to work for organizations that meet their values.

Companies searching for talent may benefit from creating early career programs to develop their own talent pool. The focus on STEM education in the U.S., especially efforts to get more women and people of color to study in STEM fields are beginning to bear fruit at the professional level, and encouraging young professionals into the cyber security space. Another source of talent might lie with workers returning to the workforce.

Biggest skill gaps:

  • 54% Soft Skills
  • 52% Cloud Computing
  • 34% Security Controls

General Disclaimer
The information contained herein and the statements expressed are of a general nature and are not intended to address the circumstances of any particular individual or entity. Although we endeavor to provide accurate and timely information and use sources we consider reliable, there can be no guarantee that such information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a thorough examination of the particular situation.

Terms of Use
The contents herein may not be reproduced, reused, reprinted or redistributed without the expressed written consent of Aon, unless otherwise authorized by Aon. To use information contained herein, please write to our team.