How to Solve the Cybersecurity Skills Gap

Understanding how to bridge the talent gap in the cybersecurity industry requires thinking beyond traditional approaches to recruiting. While there’s been progress, there is still room for organizations to evolve, which will require changing not only the way they think about hiring but also the way hiring managers communicate with human resources. Yet many organizations continue to struggle with finding and retaining the talent they need, partly because their cybersecurity staffing needs have burgeoned so quickly. Where once there was a single cybersecurity career, there are now more than 900 different cyber career profiles, according to CareerOneStop.

Part of the problem is that candidates are trying to get degrees or certifications to get into these roles, yet companies aren’t willing to take a chance on entry-level candidates. Everyone recognizes the talent gap, but applicants are consistently being told they aren’t the right fit for the role, Dr. Christine Izuakor, CEO, Cyber Pop-up, told RSAC in a recent podcast. “There are so many great tangential roles that translate well into cybersecurity that are currently untapped,” Izuakor explained. “Posting a job and hoping that people apply isn’t enough. We have to do more.”

Izuakor identified three big problems that perpetuate the skills gap: a lack of entry-level opportunities, organizations’ unwillingness to go the extra mile to recruit in non-traditional ways and a lack of focus on training and upskilling. Others agree with this third point. In a recent blog post, Robert Ackerman Jr., founder and managing director, AllegisCyber, wrote, “Most surveys show that upgrade training is relatively scarce, contributing to severe workplace pressure and, ultimately, high turnover. Continuous cyber-training is lacking, in part, because there seems to be no time to learn while chronically fighting the next conflagration.”

Making Cybersecurity Training More Accessible

Many would agree that security practitioners are overwhelmed with putting out fires, making it difficult to shift gears and focus on training and upskilling. The good news is that individuals and organizations from the public to the private sector have made progress. To that end, we’d be remiss if we did not mention the countless practitioners who are doing their part to mentor newcomers to the industry. Organizations such as WiCyS and (ISC)² offer mentorship programs and help to pair mentors and mentees, and companies from Google to Fortinet and NIST are offering their own training programs.

Ron and Cyndi Gula are also excellent examples of industry leaders who are working to close the skills gap with the Gula Tech Foundation, which invests in and funds cybersecurity companies like NPower, Black Cybersecurity Association and Girl Security. In fact, grant awards of all denominations are available from a variety of investors. However, investing in these nonprofit organizations whose mission is to make cybersecurity more accessible to the broader population is only one part of what must be a multi-tiered approach to addressing the skills gap.

The Secretary of the Department of Homeland Security (DHS) Alejandro Mayorkas recently announced his vision for strengthening the cybersecurity workforce, recognizing also that, “We must ensure our own workforce is reflective of the communities we serve.” Mayorkas noted that DHS will be launching a “workforce sprint” next month that will focus on several elements including diversity, equity and inclusion (DEI).

DEI in Cybersecurity

Any DEI strategy must acknowledge that relying solely on colleges to educate students would be a fool’s errand. The reality is that many cybersecurity practitioners honed their skills through hands-on, self-guided education. Recognizing that not all high school students will go on to college, the government is also partnering with organizations like the Girl Scouts and to help the K-12 sector create and implement cybersecurity education programs.

In addition to the exploding number of online classes and bootcamps available through EdX, Udacity, Coursera and other platforms, there are a growing number of cybersecurity programs offered at colleges and community colleges through which students can earn degrees or certifications that prepare them for entry-level positions.

In the words of Secretary Mayorkas, “We cannot tackle ransomware and the broader cybersecurity challenges without talented and dedicated people who can help protect our schools, hospitals, critical infrastructure and communities.” Talent and dedication are attributes that can rarely be captured in a résumé. Companies must face the reality that what they have been doing is not working. If the goal is to close the skills gap – or at least narrow it – we as an industry must think differently about how we approach training and education, as well as recruiting and retaining talent.

Kacy Zurkus

Prior to joining RSA Conference as a Content Strategist, Kacy Zurkus was a cybersecurity and InfoSec freelance writer as well as a content producer for Reed Exhibition's security portfolio. Zurkus was a regular contributor to Dark Reading, Infosecurity Magazine, Security Boulevard and IBM's Security Intelligence. She has also contributed to several industry publications, including CSO Online, The Parallax, and K12 Tech Decisions. During her time as a journalist, she covered a variety of security and risk topics and also spoke on a range of cybersecurity topics at conferences and universities, including Secure World and NICE K12 Cybersecurity in Education. Zurkus has nearly 20 years' experience as a high school English teacher and holds an MFA in Creative Writing from Lesley University (2011). She earned a Master's in Education from University of Massachusetts (1999) and a BA in English from Regis College (1996). In addition, she has spoken on a range of cybersecurity topics at conferences and universities, including SecureWorld Denver and the University of Southern California.
