Businesses and the cybersecurity industry alike know very well the impact and cost of cyberattacks. Mitigating these attacks requires more than the right security products or service providers; it requires cybersecurity professionals who are adept and ahead of the curve. This is why it is time to rethink the cybersecurity talent pipeline to address the growing skills gap, writes Michael Smith, Chief Technology Officer of Neustar Security Services.
In May, (ISC)² (the world's largest cybersecurity non-profit) launched a scheme designed to improve the availability of cybersecurity skills in the UK. Under the scheme, 100K in the UK, the organisation made its entry-level cybersecurity certification available free of charge to 100,000 people interested in a career in cybersecurity.
The announcement of the scheme reflects the industry's continued need for skilled professionals. In its 2021 Cybersecurity Workforce Study, (ISC)² estimated a global shortfall of 2.72 million cybersecurity professionals needed to defend critical assets. This shortfall of talent has been a long-standing issue for the industry. Even as more talent gradually enters the field, the global workforce would need to grow by 65 percent to meet demand.
Not only do more cybersecurity roles continue to open, but thousands of practitioners leave the industry each year. The 2021 Cybersecurity Workforce Study put the global workforce gap at 2.72 million, down from 3.12 million in 2020, but that narrowing masks continued churn. Within the UK alone, 65,000 cybersecurity professionals left the talent pool in 2021. The UK Government has estimated that 17,500 people need to enter the industry each year to meet current skills demand, before accounting for any further loss of talent.
However, the cybersecurity skills gap extends beyond the number of skilled practitioners to the quality of their skills. Cyberattacks grow in number and complexity each year, and attackers continually adopt new methods and attack vectors, so the quality of a practitioner's technical skills matters more every year. The technical skills gap is already a growing concern among practitioners: the UK Government's Cyber security skills in the UK labour market 2022 report found that almost half of cyber companies felt job applicants lacked the technical skills required.
Addressing the technical skills gap takes more than aggressive talent recruitment. It requires businesses to foster a stronger culture of continuous development and up-skilling, an area that practitioners themselves admit needs improvement. In the fifth annual industry report from the Information Systems Security Association (ISSA) and analyst firm Enterprise Strategy Group (ESG), 82 percent of respondents said they struggle to commit to continual professional development because of the demands of their jobs.
Fortunately, there is an approach that can go some way towards addressing all three of these challenges: the headcount shortfall, the quality of technical skills, and the lack of continuous development. It requires a change in how organisations set out to bridge the skills gap, moving away from conventional recruitment strategies. Cybersecurity leaders increasingly recognise this as necessary.
For many years cybersecurity leaders have relied on traditional recruiters and HR processes to source talent, but in most cases this has yielded minimal results and in turn prolonged the skills gap. As a result, more of them are now looking for ways to build new talent pipelines. Many CISOs, and leaders in similarly technical fields, are becoming more hands-on in identifying and attracting talent, which is leading to new approaches: from actively networking in their daily lives to becoming directly involved with regional security organisations, conferences and mentorship programmes. In doing this, CISOs are becoming de facto recruiters.
This hands-on approach does attract existing talent, but on its own it will not close the skills gap. It risks setting a precedent for a salary 'arms race' among organisations competing for the same small pool of cybersecurity talent. Taking the approach one step further, however, would make considerable progress in bringing new talent into the industry.
Instead of looking only within the existing cybersecurity market, organisations should seek talent from parallel fields. Professionals with experience in related tech and IT practices, transferable skills and an eagerness to learn are ideal candidates, as they can be up-skilled and developed over time within the company. Combined with hands-on recruitment and government and industry initiatives, this longer-term approach to nurturing talent from within can help mitigate the worst effects of the cyber skills gap.
Creating a culture of up-skilling within an organisation also brings significant long-term benefits for existing practitioners, helping to close the continuous development gap. Making knowledge-sharing and up-skilling an integral part of company culture directly strengthens an organisation's cybersecurity strategy.
New industry initiatives to attract more people into the industry are always welcome and necessary. However, a long-term solution to the skills gap requires a new approach that prioritises up-skilling from within, led by cybersecurity leaders. That is more than a recruitment plan; it is a practical long-term cybersecurity strategy.