Written by Leon Ward, Vice-President of Product Management, ThreatQuotient
We hear a lot about the cybersecurity skills gap, which the latest research puts at 3.4 million globally. There are lots of reasons why organizations find themselves dealing with a skills deficit – from an actual dearth of qualified talent to internal factors including turnover, lack of budget/competitive wages, limited opportunities for growth and promotion, and lack of training.
One aspect that is within a company’s control, but is often unremarked, is unrealistic hiring practices. While this can be a problem across all sectors – after all, every business wants to be sure they get highly experienced people on board – there seems to be a particular issue around cybersecurity hiring.
It’s not uncommon for companies to require three to five years of experience for an “entry-level” cybersecurity position. Is this because budgets are misaligned with needs? Are internal training programmes insufficient or non-existent? Do companies not appreciate that applicable experience can come through many different avenues and take many different forms? Are hiring managers stuck in the past when rigorous cybersecurity programmes weren’t part of the university curriculum? Or is it the belief that the high-stakes nature of cybersecurity means you need battle-hardened veterans, rather than new recruits, on the front line of cyber defence? Whatever the reason, these positions often go unfilled or result in high turnover.
Here are five things employers can do to expand their workforce and lay a solid foundation for the future growth of their security teams.
- Consider cybersecurity degrees an important component of the experience journey. The number of universities in the UK offering degrees in cybersecurity (or computer science with a cyber security specialism) is rising rapidly. Thirty-one institutions offer degree-level courses or higher, with many certified by the NCSC. Many include industrial placements, allowing students to gain real-world experience that they can bring immediately to their first job after graduation. There is growing grassroots interest in taking computer science and cybersecurity degrees, too, with entries into single science subjects rising at GCSE level, and Maths being the most commonly taken A Level subject in 2022. This should translate into more candidates opting for technical or science-based degrees, including computer science.
- Build a strong internship programme. Internships and degree apprenticeships are becoming an increasingly popular route as an alternative to full-time university education and the bonus is that they enable businesses to identify talent at an early stage. Companies can choose to partner with educational institutions to offer placements or run their own programmes in-house to bring on talent. It is a tactic already employed in the mainframe sector, where an ageing expert demographic was threatening a real resource crisis. Now several mainframe operators and the businesses that support them are investing in young talent to fill the gap. It is a great way to see if there’s a match between the organization and the candidate and build a pipeline of talent to fill open entry-level positions.
- Look for candidates from within. Turnover often happens because employees become bored or don’t see opportunities to move up. And the costs to companies can be surprising: 33% to 200% of the departing employee’s salary to replace them. Training is a win-win, as it can help reduce the skills deficit and increase retention. Companies don’t even have to invest heavily in building their own educational programmes. Instead, enable employees to develop baseline technical and cybersecurity skills through the online courses available from well-respected bodies, such as CompTIA (Security+), ISACA (Cybersecurity Fundamentals), and (ISC)2 (Systems Security Certified Practitioner, SSCP).
- Recognise the value of related work experience to the field of cybersecurity. Any type of on-the-job experience that focuses on troubleshooting issues and working with customers, such as working on the help desk, translates well into working in cybersecurity. Learning how to get to the root of a problem and dealing with upset customers gives job applicants a solid foundation to build on. Candidates with positions in service and support roles bring valuable skills including listening and empathy, as well as troubleshooting and decision-making capabilities, which are important in a number of areas including testing, quality assurance (QA) and product development. As is often evident across the employment market, skills can be taught, but attitude is harder to develop. If a prospective candidate has the right attitude and empathy to make a good cybersecurity specialist, they shouldn’t be discounted simply because they don’t have this or that technical qualification. How advertisements are framed is also essential if organisations want to attract a wider pool of candidates. Focusing on personal attributes rather than a rigid adherence to qualifications can bring more women and underrepresented groups to the table. With diverse businesses proven to do better than their monocultural counterparts, it is well worth considering changing up your advertisements to attract more applicants.
- Automate various elements of cybersecurity. ThreatQuotient’s 2022 State of Cybersecurity Automation Adoption report finds that organisations are becoming more confident in automation. Consider a balanced approach to automation: automate repetitive, low-risk, time-consuming tasks, while human analysts take the lead on irregular, high-impact, time-sensitive investigations, with automation simplifying some of that work. This reduces both the number of entry-level people required and burnout, by allowing analysts to focus on more rewarding, higher-value activities. In fact, organisations report that employee well-being and retention are regularly used as part of their cybersecurity automation ROI calculations. Additionally, simplify complexity by adopting cybersecurity automation platforms with low- or no-code interfaces. Solutions that offer a no-code option through a simple playbook builder, as well as the option to code using standard formats like JSON or YAML to support more advanced requirements, can make automation accessible to a range of users with varying skill sets.
We’ve been talking about the cybersecurity skills gap for years. Let’s start to break it down into more manageable and approachable chunks. When we focus on entry-level recruiting with realistic expectations, strong internship programmes and internal training and professional development, while automating and simplifying various aspects of cybersecurity, we can make headway and start to cultivate the next generation of security leaders.