CEOs need to start caring about the cybersecurity talent gap crisis, new report shows

Steve Morgan, founder of Cybersecurity Ventures, presents this scenario: Imagine if street crime exploded and society had millions of unfilled law enforcement jobs, and those positions remained open. The outcome? Utter chaos, he says. And the same goes for cybersecurity.

“That’s our cyber risk if we don’t fill positions in our industry,” he tells Fortune. 

Between 2013 and 2021, the number of open cybersecurity jobs worldwide grew 350% from 1 million to 3.5 million, according to Cybersecurity Ventures’ Boardroom Cybersecurity 2022 Report shared exclusively with Fortune ahead of its Wednesday release. The cybersecurity research company predicts that in five years, those jobs will still be open—even though cybersecurity professionals, on average, make well over six figures. The report is sponsored by cybersecurity company Secureworks. 

“We have so many highly talented people in our industry, but there’s a mismatch in the number of working security professionals relative to growing needs in the global market,” Wendy Thomas, president and CEO of Secureworks, tells Fortune. “While technology, including automation and machine learning, can help shrink the gap, it’s not sufficient.”

The goal of the Boardroom Cybersecurity Report is to demystify cybercrime and cybersecurity topics, which boardroom and C-suite executives tell Cybersecurity Ventures can be “too technical, and use terms they don’t understand.” Simply put, cybercrime damages are costing companies trillions of dollars while the cybersecurity talent gap just continues to widen.

“Think of the growing gap as a dam. If small holes start to appear, the risk that the dam will fail increases exponentially,” Thomas adds. “As hackers continue to successfully grow their e-crime businesses, it further erodes our collective wall of defense.”

In 2022, cybercrime damages are predicted to cost $7 trillion globally, according to the report, and the cost is only going to increase. During the next four years, Cybersecurity Ventures expects global cybercrime costs to grow by 15% each year. By comparison, cybercrime damages cost $3 trillion globally in 2015.

Cybercrime continues because hackers are opportunistic, Thomas explains, and their organizations are financially motivated; they need just one unlocked door to steal money from a company.

“To break the hacker profit model, companies have to make themselves a hard target,” she says. “Failure to do so is to await the inevitable day the adversary finds their way into your unlocked door.”

Ransomware is one of the most prolific types of cybercrime. This is a type of malicious software used to block access to a computer system until a ransom—or amount of money—is paid to the attacker. Under the premise that cyberattacks happen every two seconds, Cybersecurity Ventures predicts that ransomware will cost victims about $265 billion annually by 2031. Consequently, the company also projects that the cyber-insurance market will grow to $14.8 billion in 2025, but $34 billion by 2031.

“To mitigate threats, CEOs need to understand the areas of greatest risk to their business from a successful cyberattack and balance their investment in security protection accordingly,” Thomas says. The three areas of cybersecurity investment with high return include employee education, having holistic detection capabilities, and recovery preparation, she adds.

The focus on cybersecurity needs to start in the boardroom, Morgan argues. CEOs at every Fortune 500 company and midsize to large organization should advocate to have those with cybersecurity experience on their board, he says. 

“That could be the [chief information security officer (CISO)] or an outside executive with real-world cybersecurity experience,” he says. “Do it now to protect your organization, not after a breach or hack to protect your reputation.”

By 2025, 35% of Fortune 500 companies will have board members with cybersecurity experience, according to the Cybersecurity Ventures report, and by 2031 that will climb to more than 50%. By comparison, last year just 17% of Fortune 500 companies had board members with this type of background.

The thought is that if cybersecurity is a regular boardroom discussion, then the importance of it will trickle down to the rest of the organization, Morgan says, becoming a part of the company’s DNA. He encourages executives to take cybersecurity as seriously as profit and loss discussions.

“The alternative is ugly—the CISO comes running for money that was never set aside, and it’s not their fault even though they are oftentimes the scapegoat,” Morgan says. “Put your money where your mouth is; that’s never been more true than it is with cybersecurity.”

See how the schools you’re considering fared in Fortune’s rankings of the best master’s degree programs in nursing, computer science, cybersecurity, psychology, public health, business analytics, and data science, as well as the best doctorate in education programs, and part-time, executive, full-time, and online MBA programs.