5 ways to grow the cybersecurity workforce

The demand for cybersecurity professionals has surged over the past decade.  According to (ISC)²’s 2020 Cybersecurity Workforce Study, while the global cybersecurity workforce need stands at 3.1 million, with nearly 400,000 open cybersecurity positions in the U.S. In addition, more than half of survey respondents (56%) say that cybersecurity staff shortages are putting their organizations at risk.

“This remains an emerging industry with threats shifting almost on a daily basis, including new threat actors, new technologies and the evolution of 5G,” says Erin Weiss Kaya, a Booz Allen talent strategy expert for cyber organizations. “Yet we’re still dealing with an 0% unemployment rate, with far more demand than we have current supply.”

The industry and risks are also only going to continue to get larger, so it’s imperative to start to implement strategies and attract talent now to begin to close the skills gap, says Ondrej Krehel, CEO & Founder of cybersecurity firm LIFARS and a digital forensics and ethical hacking expert. “Hackers are only getting smarter and faster, meaning defensive teams need to do the same, to build a strong cybersecurity team and ensure that companies do not suffer from manpower shortages,” he says.

The right skills are hard to find

However, finding and attracting talent with the right cybersecurity skills is no easy task. The list of necessary technical skills, even in today’s entry-level cybersecurity positions, is long. The “entry-level” cybersecurity job description, Krehel points out, often looks like a mid-level senior role in any other industry because of the extensive security or vendor certifications required. “It sets an unattainable bar,” he says.

In addition, non-technical skills, such as agility and flexibility, are harder to measure and recruit for, says Kaya — but they are just as desperately needed. “The necessary skill set requires not technical tools, but the ability to deploy tools and actually interpret the data,” she explains. 

Finding those skills is going to take better recruitment strategies. “I feel the industry has not fully embraced looking at non-linear, non-traditional entry points into cyber,” says Kaya. “The industry has fallen back on fairly traditional recruitment definitions of finding the already proven resource and on technical skills. We need to figure out: How do we look at aptitude as a mechanism for entry into the field? And then how can reskilling programs be used to reach that level of expert execution?”

These are five important ways experts say organizations can take action to grow their cybersecurity workforce today:

Make job postings more attractive to diverse candidates

According to Dr. Pam Rowland, an assistant professor of cyber security at Dakota State University and co-founder of outreach organization CybHER, many organizations need to overhaul their job ads to attract diverse candidates. “Hiring teams need to think critically and redesign, rather than using the same strategies as the past ten years,” she says. For one, firms should abandon highly-masculine color schemes, as well as reconsider long requirement lists that “nobody in this world could meet,” she says. “Research shows that men will look at those lists and apply even if they are only qualified for 25%, but women will say, ‘I can’t do that, that’s not the job for me.’” Instead, she advises listing top priorities, but emphasizing the need for lifelong learners and critical thinkers. 

Attract security-minded software engineers looking for opportunities

One great way to expand the available talent pool is to attract security-minded software engineers who have many of the right skills but are looking for opportunities to amplify their impact by engineering small, purpose-built tools, says Jason Meller, CEO and founder at Kolide.  These tools, which include vulnerability scanners, pen-testing utilities, and endpoint data collectors, are often too niche to buy from security vendors, allow other novice security practitioners opportunities to increase their capabilities, speed, and accuracy. “Surprisingly, many authors of popular open-source security tools are often underappreciated by their current employer,” he says. “If you reach out to these people with an opportunity to continue working on their passion project and the chance to observe how it performs in real world scenarios at your organization, it’s a win-win: You will have a passionate expert who is extremely invested in the future of your security team and the success of their co-workers.”

Find talent by offering incentives to collaborate with the security team

Another great way to identify top candidates within the organization is to create incentive structures for employees to directly coordinate with the security team on meaningful priorities, says Meller.  “For instance, your company may have invested in an external bug bounty program for hackers to report problems, but what mechanisms and incentives are in place for security-minded employees to safely report issues internally?” Once these internal communication structures are in place, you might find you have repeat customers who are great candidates to fill junior positions today with the potential to quickly advance into experienced roles, he says. 

Invest in employee certification programs

The industry needs to commit to training junior employees and providing the resources they need from day one to be successful, says Krehel. “Firms should create programs to help new grads get certified while on the job and learn in real time,” he says. Although certifications cannot make up for years of experience, Krehel points out that it will help junior and mid-level staffers gain a good practical grounding in all aspects of cybersecurity, including operations, forensics and policy. “It will likely also help increase employee retention by showcasing commitment to each individual’s professional growth,” he says.

Draw out gender diversity by getting girls interested early

By high school, it may already be too late to get girls drawn into the world of cybersecurity. Rowland says that middle school is when they really start to decide whether computer science is right for them. “We have found if we can get them interested in middle school, then they’re set and ready to take high school courses that keep them engaged and are no longer so intimidating,” she says. “Once they get an idea of what cybersecurity is, they are more likely to keep exploring.”

Post-pandemic prospects for the cybersecurity workforce

As of 2020, the market size of the cybersecurity industry was $167.1 billion and predicted to grow at a compound annual growth rate of 10% from 2020 to 2027. With that level of growth, it’s clear that after a year of upheaval, building up and strengthening a qualified and diverse workforce will be even more challenging post-pandemic. According to the 2020 (ISC)2 Cybersecurity Workforce Study, 49% of respondents expect their organizations to hire more cybersecurity professionals within the next year.

But while there are no signs that the cybersecurity skills gap will significantly narrow over the next year, Booz Allen’s Kaya is optimistic over the long haul. She points out that the unprecedented shifts and emerging threats of the past year have actually made cybersecurity an evolving field that appeals to a larger number of people.

“I think there is heightened interest in this field, we’re beginning to look at non-traditional entry points to expand the candidate pool, and there are very effective mechanisms for re-skilling individuals who have a baseline to become experts,” she says. “This is an exciting time for cybersecurity: You’re taking on fascinating challenges and your life is never the same the next day.”