Is there a cybersecurity skills gap? Plenty of surveys and anecdotal evidence seem to say that’s the case. For example, an end-of-year survey of IT professionals conducted by ESG found that 53 percent of organizations reported a shortage of security skills, up from 51 percent the year before and up from 45 percent in 2016. So, from this perspective, it looks like not only is there a skills shortage, but it is getting worse.
Clearly, having an experienced and skilled cybersecurity workforce is more important than ever. But could we already have that workforce in place? Are we approaching hiring cybersecurity workers all wrong?
Stop Thinking about Security in Tech Terms
In a HelpNet Security article, Grant Wernick asked whether organizations are looking for the wrong skill sets when hiring security staff.
“Cybersecurity tends to look for traditional tech credentials. But cybersecurity is much more than a strictly technical role,” he wrote. “Threats are constantly evolving, new technologies lead to new vulnerabilities, and technical proficiencies can become quickly outdated. At its core, investigating cybercrime relies on curiosity and problem-solving.”
Looking for tech credentials is an old-school approach from the days before there were specific cybersecurity education opportunities. About a decade ago, I attended an event for CISOs and CSOs, and all but one told me that they stumbled into security by accident; they were on the IT team and given cybersecurity tasks.
Wernick suggested organizations look within for people who are curious and take initiative in problem-solving, and then provide security training for them. “Advances in fields like artificial intelligence and natural language processing are removing many of the technical hurdles that stand in the way of someone with raw curiosity and an investigative mindset to pursue a career in security,” he added.
Tomorrow’s Security Workforce
Too often, organizations are looking to fill cybersecurity positions with a focus on last year’s security issues and last decade’s hiring attitudes. The Information Security Forum (ISF) examined these concerns in a new paper, Building Tomorrow’s Security Workforce. According to the paper, organizations need to refocus their outlook to incorporate new developments in the global security workforce. ISF offered four objectives to set the strategic direction for building a sustainable security workforce. They are:
- Adapt to increasing complexity and scale of demands.
- Seek candidates with a wide range of competencies.
- Strengthen diversity in the workforce.
- Encourage retention with a progressive working culture.
I had the chance to get more details from Steve Durbin, managing director of the Information Security Forum, about how these objectives can improve the skills gap.
Adapt to Increasing Complexity and Scale of Demands
“To address changes in demand,” he explained, “organizations should embrace their expanding remit and define the required roles and responsibilities.” This may involve dividing the security workforce’s activity into two overarching strands:
1. Operational security: This involves implementing and maintaining day-to-day security services.
2. Center of excellence: This embodies the organization’s commitment to information security by setting policy and strategy, initiating and running security-related projects and promoting a positive cybersecurity culture within the organization.
By adapting the security workforce to the complexity and scale of demand, organizations can effectively manage information risk and build a robust, accountable and sustainable security workforce.
Seek Candidates with a Wide Range of Competencies
Here Durbin agrees with Wernick’s point that the skills shortage falls in the non-technical areas of security, which rarely get featured in job advertisements.
“Most unfilled vacancies are caused by organizations seeking ready-made experts with a specific combination of skills, qualifications and industry experience,” he said. “This has created unfilled vacancies in a market where demand outstrips supply, with potential employees commanding ever-increasing salaries.”
Organizations should realign their focus to candidates with aptitude, attitude and broad experience, which will expand the group of potential candidates.
Strengthen Workforce Diversity
“Recruiting individuals with diverse competencies and skill sets is critical to delivering effective security; tomorrow’s security workforce will need expertise in governance, risk, compliance, people, process, technology and beyond,” said Durbin. “Research has shown that cognitive diversity—difference in perspective or information processing styles—is an effective indicator of high performance in organizations, which is not predicted by factors such as gender, ethnicity or age. Against a threat landscape that exploits diversity for profit and gain, organizations cannot afford to recruit a workforce with homogeneous competencies, skills or cognitive outlooks.”
Encourage Retention with a Progressive Working Culture
Cybersecurity unemployment is at zero, and this means skilled professionals aren’t afraid to take their talents elsewhere for more money and better benefits. Hence, organizations, CISOs and information security leaders should focus on understanding the culture of the security workforce and evolving that culture to aid retention.
To build a sustainable security workforce, Durbin said, organizations should adapt to market demands by seeking candidates with diverse competencies and skill sets, and by providing competitive benefits and structured career development.
“As the security workforce matures, embracing the vast amounts of untapped talent with the right aptitude, attitude and experience, the exaggerated myth of a future global security workforce shortage will be debunked,” Durbin added. “A sustainable security workforce is essential if the information security function is to become a partner to the business and effectively manage the increasing security burden.”