Risk Management Job Market: Ongoing Concerns for Business

It’s 2022, and we’re starting off the New Year with problems that feel all too similar to the past. The Omicron variant has many of us feeling déjà vu to the confusion of March 2020 and the fears of past coronavirus spikes. Less than two weeks in, and we’ve already seen a ransomware attack that affected thousands of schools. And businesses and organizations across industries still face a problem that’s been with us for years: a shortage of third-party risk management (TPRM) professionals.

And unfortunately, things aren’t looking any better on that front in the year to come.

The State of the Risk Management Job Market

According to data from Cybersecurity Ventures, unfilled cybersecurity jobs have increased 350% over the past eight years—from one million in 2013 to 3.5 million in 2021. And experts don’t see much hope of that number decreasing. In the United States, Cyberseek data shows just under 600,000 job openings in the field.

Yet many of those job listings require experience, skills, and certifications that many candidates don’t have. For example, over 116,000 of those open jobs expect candidates to be a Certified Information Systems Security Professional (CISSP), while only around 93,000 professionals total have that certification.

The math just doesn’t work. Many of those jobs are destined to remain unfilled. And that’s causing consequences for businesses. According to research from the Information Systems Security Association (ISSA), 62% of organizations struggle with an increased workload for the cybersecurity team, and 38% see high burnout amongst staff.

Meanwhile, the Need for TPRM is More Important than Ever

Part of the reason that demand for TPRM talent outpaces supply is that third-party risks only seem to increase with every year. A Gartner report found that 71% of businesses have a bigger third-party network now than three years ago, and the same percentage expects it to grow more in the next three years. 80% of organizations in that same report said they’d identified third-party risks only after doing onboarding and due diligence—proving that what organizations are doing now isn’t enough.

Exacerbating issues, cyber and ransomware attacks are on the rise and more sophisticated—the first half of 2021 saw a 93% increase compared to the same period of 2020. 2021 also saw an increase in data breaches. The shift to work from anywhere has added to cybersecurity concerns and vulnerabilities, as more people in more places access sensitive systems and data. On top of everything else, by now, we’re all too familiar with the supply chain issues impacting all sorts of products and jobs.

5 Tips to Address the TPRM Shortage in Your Organization

No one organization can single-handedly solve the TPRM talent crisis; collaboration is key. You have to accept that finding the number of cybersecurity professionals you need to keep your organization well protected is an uphill battle. Yet failing to do so puts you at risk of operational outages, brand damage, and lost profits.

So what can you do? You can take a few steps to minimize the impact to your organization.

I. Make your job offers competitive. When demand outpaces supply, costs rise. It’s a simple economic truth. And not offering enough compensation is the top factor ISSA’s research found for the cyber skills shortage in many organizations. Unsurprisingly, being offered a higher compensation package elsewhere is also the top reason cybersecurity professionals leave an organization.

If you want a skilled cybersecurity risk professional to choose your organization, out of all the other options they have, paying enough is an important first step.

Additionally, shifting from conventional to unconventional recruiting practices can up your organization’s appeal to prospective employees:

Conventional Practices:
  • Post when staff need arises
  • Position open to internal and external candidates
  • Post is for specific predetermined role
  • Recruiters hired for hard-to-find skills
  • Education / training budget allocation per employee
  • Special handling for high performers

Unconventional Practices:
  • Evergreen [continuous] external postings for generic roles
  • Conduct exploratory interviews every week (3-5x) based on supply
  • Spend 30% of time on professional development for others
  • Don’t hire for roles, instead create roles

(Table from AIG-Sponsored Cyber Security Lecture from NYU Tandon School of Engineering, co-sponsored by the NYU Center for Cybersecurity.)

II. Keep your expectations realistic. The ISSA report also found that 25% of professionals say their organization’s job ads tend to be unrealistic, demanding more experience, technical skills, and certifications than is practical. You’re better off finding candidates that actually exist than trying for the perfect candidate that’s just not out there (or has already been snapped up by an organization that pays more).

Think through what you really need in a role, and what a candidate needs to bring to the table to be successful. Finding someone that has problem-solving skills, is a good communicator, and has a willingness to learn may serve you better long-term than trying to find someone with a specific set of experiences and certifications.

III. Focus on the talent you have. Hiring people that have the right set of skills externally is difficult for many of the reasons covered already. But you almost certainly have promising employees interested in career advancement, so it is worth looking at and investing in the talent you already have within.

You can likely meet many of your TPRM needs by helping current employees gain the skills required to better monitor and address third-party risk in your organization. Upskilling is a smart way to fill any skills gaps in your company, while also providing value to your most promising employees. They gain skills that are good for their career, and you gain a worker with the precise skills and knowledge your organization needs most.


IV. Invest in training. TPRM is a constantly evolving field. In the ISSA report, 91% of respondents agreed that cybersecurity professionals have to work to keep up with the skills and knowledge needed for modern challenges. Cybersecurity moves fast, and people’s knowledge can quickly fall behind if they’re not empowered to devote time and resources to learning.

One of the most valuable things any organization can do to address the talent shortage is make sure that the employees you do have can access as much TPRM training and as many continuing education opportunities as they need.

82% of professionals in the ISSA survey said they fail to keep up with cybersecurity skills development because job requirements get in the way. An organization that truly cares about security and reducing third-party risk must prioritize giving employees the time and resources they need to keep up with their training.

V. Make sure you’re a place people want to work for. Hiring great cybersecurity candidates is only the beginning of the challenge—you also have to keep them. The recent increase in resignations is teaching many companies a hard lesson in the importance of creating a business where people want to work. Nearly 20% of people who quit in the Great Resignation say it’s because they didn’t like how their employer treated them, and another 13% cited a lack of work-life balance.

A good salary is important to getting and keeping tech talent, but it’s not enough. You also need to think about factors like:

  • How competitive the benefits you offer are

  • How much flexibility you allow employees to balance their personal and professional lives

  • How much support you give employees in career development

  • How well your company performs on ESG (environmental, social, and governance) initiatives—do you exhibit the values employees care about?

  • What the general work environment is


Making sure your business treats TPRM professionals right once you have them is key to keeping a loyal, trained, skilled workforce that will help protect you from the threats likely to define 2022.