How to Address the Cybersecurity Talent Gap

The talent shortage in cybersecurity is real. The most recent (ISC)² Cybersecurity Workforce Study puts the global cybersecurity talent shortage at more than 4 million people. Let that number sink in—4 million people. As expected, the fact that a large number of organizations (especially the largest ones) are chronically understaffed dramatically undermines the confidence that organizations can appropriately address cybersecurity issues.

What’s behind this talent shortage? And what can you do to ensure you are not understaffed?

Behind the Cybersecurity Talent Shortage

If you’ll excuse the play on words, there is no shortage of factors behind the cybersecurity talent shortage:

For one, the ever-growing number of tech-related companies, products and services creates a galloping demand that couldn’t be proportionally met even if it were the only factor. Even with an increased emphasis on automation, the talent shortage is here to stay.

Another reason for the security talent shortage is that more and more organizations finally realize that cybersecurity is not an afterthought. It is now obvious that this field deserves the same attention and funding as other parts of their organization. As a result, companies that were previously content with one or two specialists are now building entire teams—usually after suffering data breaches or other forms of cyberattacks.

It’s also important to consider the perceived attractiveness of the cybersecurity field when compared to other IT fields. It is far easier to convince an 18-year-old to study software development, in hopes of building the Next Big Thing, getting their app or startup bought by a larger company and buying a yacht that needs its own yacht, than to convince them to become a cybersecurity expert. The industry needs to become much better at marketing itself.

In addition, entry-level requirements for cybersecurity experts are often too rigorous. Typically, that’s the result of outdated HR practices, where not ticking a few boxes automatically disqualifies potentially good hires. In other words, companies are often looking for the ‘perfect fit,’ and there are simply too few candidates who are able to fill every single requirement for these positions.

What You Can Do

If you are struggling to fully staff your cybersecurity team, there are plenty of things you can do to help yourself.

Review Your Hiring Process

This is not to say you should do away with any and all standards and requirements. It’s just that you might want to rethink how much emphasis you put on certain requirements.

Sure, it makes sense to require a formal degree in the field, but perhaps you shouldn’t write off potential candidates just because they don’t have the right degree, or because they worked their way through a bootcamp, went to a community college or took some other path to education. Perhaps they picked up the necessary skills along the way throughout their career.

Get Security Experts Involved

You also need to make sure that security people are involved in the hiring processes for security hires. Often, HR departments are left to determine what constitutes a good hire without consulting the department that needs the talent. This can result in job ads that dissuade people from applying, thinking they have no chance, or a job description that contains requirements that aren’t actually required.

Set up a Comprehensive Mentoring Model

In this system, experienced cybersecurity people in your company can guide and instruct new hires so they acquire the necessary skills. Focus on people who are willing to learn and meet new challenges instead of those with the proper accreditations and degrees. Keep in mind, however, that this can sometimes put too much of a burden on your senior people. You’ll have to make sure they are on board first.

Recruit Existing Employees

You should also seriously consider retraining people in your company who might be interested in going into cybersecurity. Of course, people from other tech fields will be the most suitable candidates, but this does not mean you should disregard people from other company areas. For example, people from math-related fields like finance and business operations can be suitable candidates for retraining.

It’s essential to do these retraining programs the right way, meaning that they are as inclusive as possible. They can even favor certain demographics (women or those folks who are over 40) that tend to be underrepresented in cybersecurity and tech in general.

To overcome the talent shortage in cybersecurity, organizations will have to be realistic, first and foremost. It’s also imperative to foster a collaborative environment between different business groups so as to address this challenge together.

Natasha Lane

Natasha is a web designer, Java newbie, lady of a keyboard and one hell of a tech geek. Her expertise could be summed up in IT, digital marketing and business-related topics. Her interests are, on the other hand, wide and ever-evolving. Natasha is always happy to collaborate with awesome blogs and share her knowledge about IT, digital marketing and technology trends via creating high-quality content.
