As the Internet has become integral to everyday business, cybersecurity is today a major challenge that organizations have to grapple with. The urgency has been exacerbated by the ever-increasing scale and sophistication of cyberattacks. Businesses, big and small, are constantly under the threat of data leakage and data loss. The demand for cybersecurity professionals has skyrocketed as a result, even as there is a cybersecurity skill gap among the pool of prospective employees.
As many recruiters have found out, there are only so many cybersecurity experts in the market to fill the number of vacancies. According to a 2019 study by the nonprofit cybersecurity entity (ISC)2, while there are roughly 2.8 million cybersecurity professionals on the planet at present, the workforce would have to grow by a staggering 145 percent to satisfy global demand. That implies there are five cybersecurity jobs today for every two cybersecurity professionals.
And if recent years are anything to go by, the gap between vacancies and talent is widening. The enormity of this gap means this is going to remain a problem well into the foreseeable future. Businesses, therefore, have to explore different strategies to ensure their systems are staffed well enough to avoid, withstand and/or recover from a cyberattack. Here are some ideas.
1. Retrain existing non-technical staff
Technical staff is low-hanging fruit for cybersecurity training. However, several other IT disciplines are struggling with a talent shortfall. Businesses would thus do well to look beyond IT staff and conscript into cybersecurity their non-technical staff who have an interest in the field.
Of course, this might mean engaging someone who would have to go through extensive training to become as competent in the role as they need to be. Organizations will be a little hesitant to invest so much technical training for fear that the person might not stay on for long thereafter. Nevertheless, it’s necessary as a stopgap in place of leaving the cybersecurity position vacant while competing for the scarce costly talent in the market.
2. Look beyond traditional IT qualifications during recruiting
The Internet has been the biggest force in the democratization of knowledge. Some of the most prolific hackers in the world are self-taught. Some people have a passion for cybersecurity. They read and practice during their free time. So, don’t be overly fixated with formal IT or cybersecurity credentials during recruitment. Look for people in other professions who have a genuine interest in cybersecurity. Some are considering a career change and it can work.
A great example? The UK Cyber Retraining Academy, a project of the UK Government in partnership with the SANS Institute has demonstrated that this is indeed possible. It takes individuals with high natural aptitude through an intense 10-week program that helps transition them into cybersecurity careers. The curriculum focuses on deepening student knowledge in computing and security principles with extensive use of competitions, labs, and other hands-on teaching techniques. It has succeeded in turning former psychiatrists, lawyers, parking attendants, journalists, and bartenders into cyber practitioners for some of the world’s largest organizations including Airbus and NATO.
3. Increasing cybersecurity remuneration budget
Cybersecurity positions greatly outstrip the available talent. The law of demand and supply dictates that this scarcity can only lead to a bidding war. So, if you want to be the organization cybersecurity experts are keen on working for, you have to be ready to offer more than other employers out there.
In theory, this is an option that’s only available to the largest corporations who can afford to splurge millions of dollars each year on cybersecurity staff remuneration. However, small and medium-sized businesses have other tools in their arsenal such as stock options.
4. Organize internal cybersecurity competitions
During cybersecurity hackathons, participants get the chance to showcase their skills at penetrating company networks, identifying application bugs, and developing controls that prevent cyberattacks. These will often feature cybersecurity experts drawn from across the country, region, or globe.
Employers should consider organizing their own internal, smaller scale, cybersecurity competitions where non-IT staff with an interest in cybersecurity can demonstrate their knowledge and abilities in tackling real-world cybersecurity obstacles within an adversarial, fast-paced environment. This is one of the best avenues to identify and start grooming for cybersecurity non-tech staff who demonstrate a keen interest and some self-taught aptitude.
5. Build relationships with local educators
Chances are that an organization’s employees will mainly come from the city or state it’s based. So instead of waiting for computer science graduates who fall short of expectations in tackling cybersecurity, employers can be more proactive by getting in touch with local colleges and educators. They can communicate their recommendations on educating a hands-on cybersecurity workforce.
That way, they can align the cybersecurity talent pipeline with the organization’s needs. It might feel a little like doing the legwork for local competitors since there’s no guarantee that graduates from these college programs will necessarily work for you. However, the merits of participating in cultivating a local cybersecurity-ready workforce far outweigh the demerits.
6. Hire women
Like many technical fields, the cybersecurity workforce is heavily dominated by men. Just a quarter of cybersecurity professionals are women. That isn’t necessarily because women do not have an interest. Much of this has been due to the job market inherently favoring male candidates. With the heightened urgency to bridge the cybersecurity skill gap, ignoring half the population is an approach that can no longer work.
Organizations must recognize gender biases in their current hiring practices and encourage more women applicants for cybersecurity roles. And the talent is there. Cybersecurity and coding camps for girls are growing in popularity. And according to the 2019 (ISC)2 Women in Cybersecurity Workforce Study, women are finding their way to cybersecurity leadership positions in higher numbers thanks to their higher levels of education.
The cybersecurity skill gap is not insurmountable
The global cybersecurity skill gap is daunting but not insurmountable. By applying the above tips to their recruitment process, organizations can enhance their security stance and help close the security gaps.
Featured image: Pixabay
The example fo the UK Cyber Retraining Academy is a good example of retraining people for a new career – its just a shame that the UK government didnt continue funding/supporting it. There is also the UK government Cyber Skills Immediate Impact Fund which has tried to retrain people from different backgrounds in all sorts of fields – I think two rounds of funding have been allocated but nothing since the end of 2018! The government needs to rethink its priorities and take this more seriously!