Closing the Cybersecurity Talent Gap

Talented cybersecurity professionals are hard to find. Imagination and perseverance can help make the search easier.

John Edwards, Technology Journalist & Author

February 28, 2023

5 Min Read
finger pushing a security button
SIAMRAT.CH via Adobe Stock

Despite recent layoffs announced by Amazon, Google, Microsoft, and others, some tech professionals remain in short supply, particularly skilled and creative cybersecurity experts. To find the professionals needed to protect their systems against cyberattacks, IT leaders are increasingly turning to various creative approaches.

Cybersecurity talent remains in high demand for 2023 and is predicted to remain in demand for the foreseeable, says Doug Glair, cybersecurity director with technology research and advisory firm ISG. “To address this challenge, companies must leverage traditional HR recruiting, hiring, and retention strategies, along with some non-traditional strategies, to address the ongoing demand.”

Always network with relevant contacts in your field, advises John Burnet, vice president of global talent at AI-based SaaS platform provider Armis. “Whether the need is right now or around the corner, proactivity is the name of the game when looking for great talent.”

To succeed in today's competitive cybersecurity job market, organizations must look for talent in adjacent fields, both externally and within their own organization, says Jon Check, executive director of cyber protection solutions at Raytheon Intelligence & Space. “Employees who are looking to change career paths, or simply try a different role within the cybersecurity industry, can be ideal candidates for additional security training,” he explains.

Qualifications and Certifications

As always, the most sought-after cybersecurity professionals are those with the strongest credentials.“Certifications such as CISSP and CISM demonstrate that individuals have technical capability and are putting effort into their careers,” says Richard Watson-Bruhn, privacy and cyber security expert at professional services firm PA Consulting.

It pays to be flexible when facing a scarce candidate market. “Over the past few years, we've learned that a cyber degree or typical cyber background isn’t necessarily a requirement to be a successful security professional,” Check says. “What matters … are the characteristics or ‘soft skills’ that an employee exhibits.” An intelligent, promising candidate can acquire specific skills by working alongside experienced colleagues.

Meanwhile, many enterprises will only hire people with proven cyber experience. “This dramatically shrinks the candidate ocean into a candidate pool,” Burnet observes. He notes that it's better to focus on values, traits, and behaviors rather than a degree or dated qualification. Burnet also advises leaders to reevaluate their organizations' onboarding program “to give promising new hires the best experience and accelerated learning journey.”

Fresh Approaches to Candidate Searches

Cybersecurity is often viewed as just another technical talent field, yet candidates are expected to possess a wide range of rapidly evolving knowledge and skills. When filling staffing gaps, leaders should examine the skill sets that are missing from their current team, such as creative problem solving, stakeholder communications, buy-in development, and change enablement. “Look for candidates who will help balance out existing team skills as opposed to individuals who match a specific technical qualification,” Glair says.

Before hiring can begin, it's necessary to attract suitable candidates. Initial search steps should include website updates and social media posts, Glair says. He also suggests creating an internal “cybersecurity academy” that will build talent from within the organization. “This should include the technical, process, communications, and leadership skills needed to address today’s cybersecurity challenges,” Glair notes.

Burnet recommends sponsoring a “sourcing jam.” “That means getting recruiters and/or hiring managers in a room together ... to trawl through their networks and get them to personally reach out.”

It's easy to forget that cybersecurity is still a relatively new field. “There are many people who couldn’t, or didn't, discover cybersecurity as a first career, but have all the right talents to excel in the field,” Watson-Bruhn says. “Retraining programs can find people who perhaps have a first career in marketing or teaching, who can become skilled members of the team and bring wider knowledge and different views from their first career.”

Possible Pitfalls

Flexibility is essential when searching for cybersecurity candidates. Requiring individuals to meet all of the criteria set can lead to finding nobody or individuals who think alike with similar backgrounds to the person setting the criteria, Watson-Bruhn warns. Meanwhile, flexibility can sometimes lead to pleasant surprises. “Often, the best talent ends up missing something you expected in one area, but brings something completely new,” he says.

Another common mistake is restricting talent searches to individuals with traditional academic backgrounds. “While there are many distinguished university programs that are specifically focused on preparing students to enter the cyber workforce, often … these programs can’t fully train the students on the hard skills they will need for their future cyber careers,” Check says. This apparent drawback actually provides the opportunity to hire candidates with other types of academic degrees, which can be complemented by on-the-job cyber training. “By overlooking this group, organizations are limiting the potential these new nontraditional hires could bring to their companies,” he notes.

Approaches for attracting, hiring, and retaining cybersecurity talent should be embedded into every enterprise’s cybersecurity strategy. “This means investing in cultivating, maintaining, and evolving the culture of the organization so people -- the most important asset -- are top priority,” Glair says. “This includes focusing on recognition, rewards, flexible work practices, clear progression paths, open communications and feedback, performance-based incentives, and learning and development programs.”

What to Read Next:

CISO Budget Constraints Drive Consolidation of Security Tools

What Ukraine's IT Industry Can Teach CIOs About Resilience

About the Author

John Edwards

Technology Journalist & Author

John Edwards is a veteran business technology journalist. His work has appeared in The New York Times, The Washington Post, and numerous business and technology publications, including Computerworld, CFO Magazine, IBM Data Management Magazine, RFID Journal, and Electronic Design. He has also written columns for The Economist's Business Intelligence Unit and PricewaterhouseCoopers' Communications Direct. John has authored several books on business technology topics. His work began appearing online as early as 1983. Throughout the 1980s and 90s, he wrote daily news and feature articles for both the CompuServe and Prodigy online services. His "Behind the Screens" commentaries made him the world's first known professional blogger.

Never Miss a Beat: Get a snapshot of the issues affecting the IT industry straight to your inbox.

You May Also Like


More Insights