IT Security Hiring Must Adapt to Skills Shortages

A rapidly evolving threat landscape, high demand for experienced professionals and diverse skill requirements are all contributing to the cybersecurity talent gap.

A June report from Lightcast estimated the US cybersecurity worker shortfall was approaching 500,000, with a supply-demand ratio of 69%, meaning there are 69 workers available for every 100 job openings.

Organizations must continue to expand their recruiting pool, account for the bias that currently exist in cyber-recruiting, and provide in-depth training through apprenticeships, internships and on-the-job training, to help create the next generation of cyber-talent.

“For years, we’ve been led to believe there is a substantial gap between the number of open jobs and qualified candidates to fill cybersecurity jobs,” says Dave Gerry, CEO at Bugcrowd, in an email interview. “While this is partially true, it doesn’t provide a true view into the current state of the market.”

He says employers need to take a more active approach to recruiting from non-traditional backgrounds, which significantly expands the candidate pool from just those with formal degrees to individuals, who, with the right training, have incredibly high potential.

“This provides the opportunity for folks from diverse backgrounds, who otherwise wouldn’t be able to receive formal training, to break into the cybersecurity industry providing income, career and wealth-creation opportunities that they otherwise may not have access to,” Gerry adds.

Related:Closing the Cybersecurity Talent Gap

He explains the company does not require any certifications or specialized degrees to join Bugcrowd.

“For us, it’s about the candidate having the right attitude and curiosity that we feel we can help train them to become a cybersecurity expert,” he notes.

To do this, the company recruits from non-traditional backgrounds and under-represented groups -- the company has hired teachers or folks in fashion, among others.

Additionally, the company launched Bugcrowd University which promotes free services to help employees or students gain access to security skills.

Mentorships, Training, Diversity

Omri Weinberg, co-founder and CRO at DoControl, says promoting cybersecurity education, offering mentorship and internships, increasing diversity, and providing ongoing professional development opportunities are all ways to help companies close the cybersecurity skills gap.

“Collaboration among stakeholders is essential to address this challenge effectively,” he says. “It all starts at the top.”

When it becomes a top priority to the board of directors, CEO and other executives, they will invest more time, money, and effort to educate the next generation alongside educational institutions to create more awareness and opportunities for the future of the cyber workforce. 

Related:Stress Test: IT Leaders Strained by Talent Shortage, Tech Spend

“Cybersecurity is one of the fastest evolving industries,” Sunil Muralidhar, vice president of growth and strategic initiatives at ColorTokens, explains via email. “Regardless of the specific specialization an individual might choose to focus on, creative thinking and problem-solving skills are the best skills an employee can have.”

Also critical is the ability to collaborate with teams across the company, who may have varying degree of technical or security skills.

He says while coding knowledge is important when fighting cyber threats, what sets candidates apart is the way in which they approach a problem.

“Creative problem solving and critical thinking skills will improve an applicant’s chances in an employer’s eyes tenfold,” Muralidhar explains.

Beyond Salaries: Opportunities for Growth

Gerry explains Bugcrowd’s compensation rates are based on what the market is paying for particular roles.

“This includes base salary, bonuses, equity, wellness day, unlimited paid time off and other benefits as part of the total compensation package,” he says. “The only way for us to succeed as a company is if our employees succeed as individuals. To do this, they need to feel valued and well compensated.”  

Related:Pursuing Nontraditional IT Candidates: Methods to Expand Talent Pipelines

Gareth Lindahl-Wise, CISO at Ontinue notes the post-COVID world has made remote working an expectation, but businesses should make sure candidates understand how they can effectively come together with peers and stakeholders face to face when needed.

“Remember, we are bidding for career years,” he says. “Can I demonstrate that two, three, four years or longer working here will be the most rewarding for the candidate as opposed to somewhere else?”

He says organizations must demonstrate to prospective security hires that they can offer development opportunities in a way that is not just vertical.

“Incentivize the hours people put into training, if it is worth it, and whether it is worth rewarding -- think small financial benefits or additional time off for study,” Lindahl-Wise says. “Encourage and enabling job shadowing and sharing.”

He encourages hiring managers to redefine or limit the scope of their role profiles and start thinking about how responsibilities might be divided between multiple, less senior roles.

“Stop building role profiles that end up being a green unicorn with purple spots,” he advises. “Also, critically, understand how attractive -- or toxic -- you may appear to the neurodiverse community -- there is significant potential to be embraced.”