5 Steps We Can Take to Address the Cyber Skills Shortage
The cyber skills shortage is not going away anytime soon, despite progress we are making as an industry to attract new talent. Per the latest “ISC2 Cybersecurity Workforce Study,” we added more than 460,000 warm bodies over the past year, yet the talent gap still has grown more than twice that of the workforce.1
Depending upon which research report you read, we have a shortage of somewhere around 3.4 million or 3.5 million individuals worldwide2. But we are not the only industry with a talent gap. The medical industry, for example, is facing a shortage of more than 10 million physicians worldwide3. The skills shortage creates challenges, of course. According to ISACA, 60% of organizations are struggling to retain individuals, and 62% say their teams are operating at a talent deficit.4
The cybersecurity industry, however, is in a fortunate position because we have the opportunity to mitigate the impact of the talent shortage through actions we take both as a community and as individual organizations.
What are some of the positive steps we can take?
1. A Blended Approach to Recruitment
I’m a strong advocate of the traditional approach to recruiting talent, i.e., identifying individuals who have the right education, certifications, experience, and qualifications. But finding those individuals these days is like finding a unicorn. Good luck.
If we are to properly address the shortage, we have to expand our horizons. Cybersecurity is for people who have an interest in technology; who bring a puzzle mindset; who are curious to figure out how things work; who get excited about coalescing a system to do something it can do that is not its intended purpose; and then finding ways to secure it in as seamless a manner as possible.
We have to cast a wider net. They may not come through the traditional tertiary education path. We have to find people with the ability to execute. But we also have to make sure these people work well with teams and have strong ethics. Cybersecurity exposes people to the potential to do good or bad. When we bring new people into our community, we have to make sure they understand the boundaries and have a strong moral compass.
2. More Diversity
We hear so much about diversity. In cybersecurity, the focus often seems to be on gender. It is true that we need to bring more women into the field but it is also true that diversity is about much more than gender.
People exist in various dimensions—where they are from, what their culture is like, their age, religion, ethnicity. When we bring in someone new, can we identify what that person will add to the team in terms of cultural values and fit? Can they add a different cultural nuance that will bring fresh ideas and perspectives? Where can we find them and how can we make sure they are properly trained, especially those that come through the nontraditional tertiary education path?
3. Mentorship
Formal mentorship programs are a relatively new concept for our industry and they have been a positive development in identifying individuals who may have the skills, temperament, and ethics for cybersecurity. Industry associations provide another mechanism that can help us connect and assess the skills of individuals, as do community colleges.
Mentorship is not only about recruiting new talent; it is also a major factor in connecting, nurturing, training, and retaining. As a field CTO, I have always been conscious of providing new members of my team with both a mentor and a clearly articulated career pathway, with specific goals and targets. People need to know they won’t just be tracking alerts and doing repetitive, monotonous work for the rest of their lives. This all builds strong social capital and these are the ties that bind.
4. Leadership and Culture
In some ways, cybersecurity is like the Wild West. We’re a vocation that is just 30–40 years old (at best) compared to others that go back decades or even centuries. In this environment, not everyone in leadership has the technical background or experience of having been on the front line.
It is important, at or near the top levels of the organization, to have people with the technical skills along with the business acumen to provide leadership and direction to the people on their teams. It is not about being a cybersecurity expert but about having the appreciation and understanding that puts you in the communication range of the experts. I’ve seen selection panels where the people doing the hiring knew less than the people they were interviewing.
5. Technology
We are seeing a lot of focus on technology to help address the skills challenge. This is an important development for our industry, today and for the future. With an increase in automation, machine learning, and artificial intelligence (AI), we can use technology to help supplement and complement our human resources.
We can mitigate the impact of the skills shortage, not necessarily by replacing humans with machines, but by using machines to free up our people to do more interesting and challenging work that requires a creative human element. People will be more attracted to our industry, and are more likely to be satisfied in their jobs, if they can focus on work that actually means something to them. This is how we can start to change the value proposition and how we think about the workforce in attracting and retaining good cyber folk.
Putting It All Together
We have a better chance of attracting new talent to our industry and to our companies when we approach the skills shortage holistically.
This means casting a wider net for individuals who may have the skills, temperament, and moral compass to be successful in cybersecurity, even if they may not have the educational background or qualifications we have traditionally sought. There also needs to be a clear understanding that such entrants will be required to put in the effort to lift their knowledge, skills, and learnings to improve.
It also means making our industry and the work attractive and appealing to people of diverse backgrounds and providing all of our people with the tools, training, and guidance to be both happy and successful.
We accomplish this when we invest in modern technologies backed by automation, machine learning, and AI, and when we provide strong leadership through communication, culture, mentorship programs, and more. One of my mantras is this: recruit for attitude, train for competence, coach for performance.
It is going to take time to build a pipeline that will fully address the skills shortage. But there is much we can do in the meantime, particularly when we appreciate that good cyber talent is not just about reducing risk: it’s about being a strategic enabler of innovation for our organizations.
- Cybersecurity Workforce Study, (ISC)2, October 20, 2022
- Cybersecurity Workforce Study, (ISC)2, October 20, 2022.
- Why is there a global medical recruitment and retention crisis?, World Economic Forum, January 9, 2023.
- State of Cybersecurity 2022 Report, ISACA, March 23, 2022.