While other sections of the tech space have seen layoffs over the past several months, cybersecurity hiring remains robust as enterprises and government agencies continue to look for talented tech and security pros to fill thousands of open positions.
CyberSeek, a joint initiative of the National Institute of Standards and Technology’s (NIST) Nice program, lists more than 660,000 open cybersecurity jobs in the U.S. alone. A 2022 report by training firm ISC(2) found a shortage of 3.4 million cybersecurity workers worldwide despite hundreds of thousands of hires over the last several years; that shortage has not alleviated in 2023.
While hiring security talent remains a priority, many organizations still need tech professionals who have the skills necessary to understand new threats, ensure that regulatory and compliance concerns are addressed, and also help lead any organization looking to upgrade its security defenses.
A new crop of emerging cybersecurity skills can help tech talent look for jobs or create new career opportunities within their current organizations. While artificial intelligence and machine learning are now some of the hottest areas in tech due to industry buzz and headlines, other emerging skill sets—including cloud, DevSecOps, and operation technology—are increasingly in demand.
“Cybersecurity threats are constantly evolving, as are the skills needed to combat them. For example, as the attack surface has expanded into the cloud, organizations will need people with cybersecurity skills, such as pen testing, data analysis, etc., who also have cloud experience,” John Gallagher, vice president of Viakoo Labs at security firm Viakoo, recently told Dice.
“Other skill sets that have emerged in the past year include compliance and legal knowledge—especially as cyber insurance has become harder to obtain, and more organizations face growing compliance and audit requirements—and threat modeling skills as the attack surface extends to internet of things, operational technology and industrial control systems,” Gallagher added.
For tech pros looking to start a cyber career, make a professional change, or thinking about moving into a management position, here is a look at several emerging cybersecurity skills that are gaining popularity now… and will be crucial in the years ahead.
A.I. and Machine Learning
Right now, A.I.—especially generative A.I., and machine learning—remain two of the hottest emerging skill areas within cybersecurity. A recent VentureBeat article noted that Microsoft alone spent $1 billion in A.I. research and development in 2022, and plans to spend approximately $20 billion over the next several years to develop these technologies.
A.I. and machine learning are disrupting the cybersecurity industry in two ways. The first is by taking data and analyzing the information to predict when an attack may occur, and then to offer ways to counter these threats. The second is that, by automating what is now routine, A.I. will free up cybersecurity talent for other, more creative tasks, further disrupting the talent market, said Craig Jones, vice president of security operations at Ontinue.
“This technology has also been used to automate routine tasks, freeing up cybersecurity personnel to focus on more strategic initiatives,” Jones told Dice. “An analyst that is particularly skilled at prompt engineering will be able to bring an efficiency in the use of A.I. large language models, which will have an incredibly positive impact on the operation.”
Other experts note that, for younger tech professionals, learning as much as possible about A.I. now is crucial since the technology is only at its earliest stages. Companies need employees who understand its potential.
“With A.I. being in its infancy, security professionals in the early stages of their career could benefit from tracking this technology closely,” Sunil Muralidhar, vice president for growth and strategic initiatives at security firm ColorTokens, told Dice. “This could be in the form of learning how to use A.I. to improve security posture, to securing A.I. to creating frameworks for the safe exchange of confidential data between A.I. systems.”
Cloud Computing and Security
It might seem obvious that cloud computing is a much-needed skill, whether within IT or cybersecurity. Industry observers noted, however, that ever since the pandemic and the continuing of hybrid and remote work, cloud remains one skill that tech and security pros must have and continue to educate themselves in.
“With more and more businesses running their operations from the cloud, cloud security has become a paramount concern,” Jones said. “Knowledge of different cloud platforms, such as Amazon Web Services and Microsoft Azure, as well as an understanding of cloud-specific vulnerabilities and threats, are increasingly sought-after skills. A professional with these skills can help an organization secure its data and operations in the cloud.”
The growing reliance on multiple vendors and platforms also makes cloud security essential, Muralidhar added.
“The ability to have a singular platform that can solve all your security tasks is often not the case. Companies outsource multiple vendors, causing confusion in infosec teams and in the cohesion of security rules,” Muralidhar said. “There is an ongoing need for a simplified platform with comprehensive visibility and consistent policy enforcement. With a shift from three-tiered architecture to cloud-native technologies, it is evident that cybersecurity is ever-evolving.”
DevSecOps and Secure Code
Since the Biden administration has made cybersecurity one of its main tech initiatives, creating more secure code and clearly showing what code is used to build apps has become a significant priority. In turn, organizations need tech pros who understand DevSecOps.
“This approach aims to involve everyone in the security decision-making process early on, reducing vulnerabilities and enhancing code security,” Jones said. “Having skills in this area, such as an understanding of containerization and orchestration tools like Docker and Kubernetes, and proficiency in automated security testing tools, is very appealing to employers.”
This type of approach is also likely to change how developers approach building applications and which emerging skills will replace older ones, noted Jim Grundner, head of engineering and product at JupiterOne.
“Today's world of cybersecurity is calling for an especially high degree of sophistication when it comes to building software to detect, create awareness and build remediation for any given cyber-focused attack,” Grundner told Dice. “Typical primary skills in an area of software development such as front end, database and middle-tier API expertise, although important, are not the focus going forward. We see significant needs at the skill intersection of A.I. and machine learning, combined with data engineering and cloud as vital going forward.”
OT and Beyond
Since the ransomware attacks that targeted Colonial Pipeline in May 2021, more attention is paid to protecting critical infrastructure, including vulnerabilities in OT and ICS systems.
This cybersecurity sector is one area that lacks skilled professionals, since tech pros must understand security and complex OT systems that form the basis of manufacturing and other critical industries.
“Ransomware has been on the rise in the industrial landscape and continues to be a major concern for manufacturing, energy and critical infrastructure organizations,” Tom Molden, CIO for global executive engagement at Tanium, told Dice. “To defend against sophisticated attacks on operation technology environments, cyber teams need people with knowledge about industrial control systems, which are very different than IT systems. Folks with manufacturing engineering backgrounds and cyber expertise are in demand.”
The emerging skill sets for OT and ICS security will also create career opportunities in non-IT areas such as manufacturing.
“Compared to traditional manufacturing or physical security workers, employers will pay a premium in these departments in their race to secure their non-IT devices,” Gallagher said. “As threats become more cyber-physical in their impact—think Colonial Pipeline—faster incident response and forensics will drive employers to pay a premium for security professionals who can operate outside of the traditional IT space.”