Upskilling IT Security Talent a Smart Bet 

With demand for cybersecurity professionals at an all-time high and companies facing acute staffing shortages, organizations should look to upskilling young cybersecurity workers as an employee retention strategy, according to a report from (ISC)². 

The study, which polled 1,250 hiring managers at small, mid-sized and large organizations in the United States, Canada, United Kingdom and India, also recommended organizations look outside the traditional pool of cybersecurity candidates to build resilient teams at all skill levels.

Among the findings: All study participants are responsible for hiring entry- and junior-level roles at their organization, with 91% of them having hired staff at this experience level within the last two years.

Entry- and junior-level practitioners combined make up nearly two-thirds of participant organizations’ security teams, on average, while larger organizations tend to have higher percentages of more experienced professionals on their security teams, according to the study.

Training Talent at All Levels

“The cybersecurity talent shortage is currently being felt at all role types and levels,” said Michael Skelton, senior director of security operations at Bugcrowd, a crowdsourced cybersecurity provider. “Roles remain open for months, and qualified candidates have a plethora of options available to them. To meet the demand needed of our industry, we absolutely need to train more people at all levels.”

Gen Z and Cybersecurity

He noted that the youngest generation in the workforce, Gen Z, is the generation that grew up “pressing all the buttons” to see what happened.

“They’re vibrant, creative and passionate—making them perfect for an industry where creativity thrives and curiosity is necessary,” he said. 

His advice is: Hire to train, don’t just hire to fill a seat.

“When hiring entry-level roles, also reposition or hire capacity to train,” Skelton said. “Having roles dedicated internally to the growth of new candidates, as well as a culture of knowledge-sharing and allowing for mistakes in the process of learning is vital to the success of such programs.” 

The report noted previous research had highlighted certain challenges when identifying qualified cybersecurity job seekers.

“The tendency for many organizations is to seek candidates with the highest technical qualifications and relevant certifications, but expecting those qualifications is unrealistic for entry- and junior-level candidates,” it stated. 

Joseph Carson, chief security scientist and advisory CISO at Delinea, a provider of privileged access management (PAM) solutions, noted that recent initiatives, including commitments to providing more security awareness training and more cybersecurity jobs, are a good step.

“However, we must prioritize what we can do now and what we must do in the future,” he said. “We need to fast-track the need for skilled workers in cybersecurity and fast-track them into the industry, as the skills shortage is only getting larger.”

From Carson’s perspective, incident response and business resilience are areas where organizations will need to attract and retain the greatest amount of resources and talent.

“When security controls fail to prevent attacks, this means the business must look to their incident response and recovery capabilities to get the business back up and running,” he said.

He explained that in addition to incident response, a strong backup strategy that reduces risks from ransomware, a solid privileged access security solution and multifactor authentication (MFA) will make it more difficult for attackers to be successful. 

Andrew Hay, COO at LARES Consulting, an information security consulting firm, said he is personally a strong supporter of hiring workers who are then nurtured through on-the-job training; he added that he has used this approach in the past to upskill ambitious and creative individuals into a range of roles.

“Not every company, however, can wait for the person to gain the required on-the-job experience to make the short-term impact that they’re looking for,” he noted. “Some organizations need a qualified person immediately and cannot—or will not—wait to train someone that could grow into the role.”

To ensure this approach to hiring entry-level security pros for their potential pays off, Hay said it’s important to create a formal program around this strategy. 

“Set your expectations early and measure the success of candidates against those expectations,” he said. “Also, overcommunicate to ensure that everyone understands what is expected.”

Lost in Translation

Mark Lambert, vice president of products at ArmorCode, an application security provider, agreed that cybersecurity is an “extremely hot” job market right now.

“It is especially white-hot for those individuals that have the ability to communicate with development teams,” he added. “The biggest challenge organizations are facing is that they cannot find individuals that can translate security concepts into actions that the development teams can quickly perform.”

Lambert said there are three things he would recommend graduates focus on as they enter the job market. The first is building an awareness of the software development process.

“If you’ve not already, go online and take a free Java development course, create a GitHub project and learn the basic concepts–you don’t even need to set up tools on your computer; it’s all in the cloud,” he said. 

The second is to run security tools against an open source project. He pointed to WebGoat and Juice Shop, two deliberately vulnerable applications from the Open Web Application Security Project (OWASP) that many companies use to evaluate security tools. 

“And many security tool vendors have free or community versions,” he said. “Get some free accounts set up and run them on open source projects or public websites and learn how these tools work.”
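To make Lambert's "learn how these tools work" concrete, the following is an added example (not code from the article, ArmorCode, or OWASP Juice Shop) showing the core logic a dependency-audit tool such as `npm audit` performs when pointed at a project: read the manifest, match each pinned version against a vulnerability feed's affected-version ranges, and turn the hits into the kind of one-line instruction a development team can act on. The manifest, package names, versions and advisory IDs are all constructed for illustration and do not describe real packages or real vulnerabilities.

```python
"""Minimal dependency audit: manifest + advisory feed -> developer actions.

Added example; all package names, versions and advisory IDs are constructed
and hypothetical, not taken from any real project or vulnerability database.
"""
import json
import re

# Constructed manifest in package.json shape (not a real project's lockfile).
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "sample-webapp",
    "dependencies": {
        "left-widget": "^1.2.3",
        "templater": "4.0.1",
        "http-helper": "0.9.8",
        "safe-lib": "2.5.0",
    },
})

# Constructed advisory feed. "vulnerable" is a conjunction of comparators,
# the same shape real feeds use for affected ranges. IDs are hypothetical.
SAMPLE_ADVISORIES = [
    {"id": "EX-0001", "package": "left-widget", "vulnerable": "<1.3.0",
     "fixed": "1.3.0", "severity": "high", "title": "prototype pollution"},
    {"id": "EX-0002", "package": "templater", "vulnerable": ">=4.0.0 <4.0.2",
     "fixed": "4.0.2", "severity": "critical", "title": "template injection"},
    {"id": "EX-0003", "package": "http-helper", "vulnerable": "<0.9.0",
     "fixed": "0.9.0", "severity": "moderate", "title": "header smuggling"},
]

SEVERITY_RANK = {"critical": 0, "high": 1, "moderate": 2, "low": 3}


def parse_version(text):
    """'^1.2.3' / 'v1.2' -> (1, 2, 3); pads to three components so that
    1.2 == 1.2.0 under tuple comparison."""
    parts = [int(x) for x in text.strip().lstrip("^~=v").split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def in_range(version, range_expr):
    """True if version satisfies every clause of e.g. '>=4.0.0 <4.0.2'."""
    ver = parse_version(version)
    ops = {
        "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
        ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
        "=": lambda a, b: a == b,
    }
    for clause in range_expr.split():
        m = re.fullmatch(r"(<=|>=|<|>|=)?([\d.]+)", clause)
        if not m:
            raise ValueError(f"unsupported range clause: {clause!r}")
        op, bound = m.group(1) or "=", parse_version(m.group(2))
        if not ops[op](ver, bound):
            return False
    return True


def audit(package_json_text, advisories):
    """Match manifest dependencies against advisories; most severe first."""
    deps = json.loads(package_json_text).get("dependencies", {})
    findings = []
    for adv in advisories:
        pinned = deps.get(adv["package"])
        if pinned is None or not in_range(pinned, adv["vulnerable"]):
            continue
        findings.append({
            "id": adv["id"], "package": adv["package"],
            "installed": pinned.lstrip("^~=v"), "fixed": adv["fixed"],
            "severity": adv["severity"], "title": adv["title"],
        })
    findings.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], 99))
    return findings


def as_developer_actions(findings):
    """The 'translation' step: one concrete upgrade instruction per finding."""
    return [
        f"{f['severity'].upper()}: bump {f['package']} "
        f"{f['installed']} -> {f['fixed']} ({f['id']}: {f['title']})"
        for f in findings
    ]


if __name__ == "__main__":
    for line in as_developer_actions(audit(SAMPLE_PACKAGE_JSON, SAMPLE_ADVISORIES)):
        print(line)
```

Two things worth noticing when you compare this with a real scanner: the range logic is where most false positives and negatives come from (real feeds carry multiple ranges per advisory and pre-release tags this toy ignores), and the final step, turning "package X is in range Y" into "bump X to Z", is exactly the translation into developer action that Lambert describes as the scarce skill.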

Third, he recommends that those entering the IT security workforce become part of the community.

“Look for an OWASP chapter in your area and start networking,” he said. “Attend the sessions—many are still virtual—and include on your resume and on LinkedIn that you are a member.”

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
