Presented by PwC

Cyber criminals continue to get creative and have increasingly sophisticated tools at their disposal to circumvent organizations’ cyber defenses — and organizations are worried. According to PwC’s C-suite playbook on cyber and privacy, topping the 2023 list of rising organizational threats are the following:

  • Cybercriminal activity: 65%
  • Hacktivist/hacker: 48%
  • Insider threat (current/past employee, contractor): 44%

Many senior executives are concerned they’re not fully prepared. The pathways threat actors can access are as dynamic as they are extensive: mobile devices, email, cloud, ransomware, endpoint security, supply chain software, web applications — the list goes on. To combat these threats, many organizations plan to upskill and hire cyber talent in the next 12 months.

But the cyber talent shortage is a persistent challenge. Attrition is a growing problem for 39% of organizations and it’s hindering progress on cyber goals for another 15%. Hiring from the outside also has many organizations on edge. In the U.S. alone, there are 50% fewer candidates available than are needed in the cyber field.

So how do you address the cyber talent shortage? You can update how you recruit for those roles. And you can offer upskilling for existing talent that opens new career opportunities.

1. Cast a wider net when looking for talent

Limiting talent pools to newly degreed talent, tenured professionals or having overreaching “entry-level” job prerequisites can keep your organization on the losing side of cybersecurity.

Many organizations are trying to break these old molds and widening their search parameters. Undergraduate degrees in any area have edged out undergraduate degrees in cyber, computer science or engineering as a requirement. For about 10% of organizations, degrees aren’t even required.

By expanding qualifications and talent pool, you can fill cyber positions faster and retain talent longer. Broader skills can also help information security executives reshape their teams — from a linear tree to a bifurcated branch system that sits across the organization. Many chief information security officers are placing team members on product development (49%) and business (48%) teams, which can put cybersecurity at the right place at the right time — stopping a threat in its tracks.

2. Recruit skills for the 21st century

Information security executives are recognizing that social and interpersonal skills may be just as fundamental as JavaScript. In fact, 65% of organizations consider the ability to problem-solve a mandatory characteristic in a final hiring decision. 

The ability to configure a firewall or perform an audit now needs to be accompanied by soft skills — more than 40% of executives looking for analytical skills (47%), communication skills (43%), creativity (42%) and collaboration (41%).

Individuals who have the right attitude around learning, growth and communication can be the nodal link between departments that are traditionally siloed. For example, when cybersecurity teams work with risk, internal audit and compliance teams, they can jointly monitor and prioritize risks consistently. Nearly three-quarters of organizations say they’ve seen better collaboration between cyber and operational technology (OT) teams. As a result, 79% say their cyber team made progress in securing OT during the past year.

To attract, organizations must combine emotional intelligence with cyber intelligence. When information security teams can track, analyze and counter security threats and communicate, persuade and adapt, you can unite the entire C-suite to actualize change.

3. Upskill your current workforce to unlock value now and into the future

To retain this new mix of cybersecurity professionals, organizations have found upskilling  — hard and soft skills —  to be the most effective in closing the skills gap. Ninety-three percent of companies who introduce upskilling and reskilling programs have seen increased productivity, improvements in employee retention and engagement, and a more resilient workforce. Many also lower costs through applied automation and reducing the need to fill highly specific and higher-level positions from the outside.

Here are a few examples of how cyber upskilling can create a more resilient organization:

  • A business risk officer can take courses in agile, continuous monitoring, and data and analytics to improve his productivity and the department’s performance.
  • An IT auditor who executes risk-based audits and assesses operational effectiveness can learn how to apply Scrum frameworks to business issues, AI modeling to detect and predict fraud transactions, and wrap it all together in a risk assessment dashboard.
  • A cyber defense analyst can fill that long-empty management role by completing credentials that teaches her how to create an incident response strategy, detect threats and analyze cybersecurity incidents.
  • Employees can train in function-specific cybersecurity best practices and cyber hygiene to help protect the organization from email phishing attacks, ransomware and high-risk web applications.

Cyber threats are dynamic. Organizations should challenge any long-held beliefs about training and design their programs to be people-powered, function-specific and business-led. ProEdge, a PwC product, curates industry-leading training from multiple vendors. By using techniques such as gamification and simulations — combined with courses and content that’s updated as new threats emerge — students can apply their newfound knowledge to real-time challenges and work towards tangible business outcomes.

To learn more about upskilling for cyber, check out this eBook, Addressing the cyber skills shortage.

Vikas Agarwal is Leader of PwC’s Risk and Regulatory Financial Services Practice. Matt Gorham is Leader of PwC’s Cyber & Privacy Innovation Institute

Sponsored articles are content produced by a company that is either paying for the post or has a business relationship with VentureBeat, and they’re always clearly marked. For more information, contact