The skills gap continues to plague the IT industry, particularly when it comes to cybersecurity. The good news is that there has been some progress. The latest (ISC)2 Cybersecurity Workforce Study found that the number of skilled professionals needed to close the cybersecurity skills gap has shrunk from 4.07 million to 3.12 million -- but it’s still a significant issue.
And as security incidents have a greater impact (the SolarWinds attack is the perfect example of this), filling this gap becomes ever more critical. But it’s not enough to just focus on filling the open positions today -- organizations must look at the bigger picture and start investing in the workforce of tomorrow.
Untapped Candidate Pools
One solution that will help close the skills gap is to seek out and hire underrepresented candidates. However, providing them with the needed educational resources and skill-building opportunities is yet another challenge. Cybersecurity education is not always accessible to these groups, which typically leads them to pursue other career paths. Investing in the preparation of essential talent pools, such as students, is one key component to closing the cybersecurity skills gap.
With the crucial need for people with cyber skills, IT recruiters need to consider candidates who don’t fit the traditional mold of a cybersecurity professional. Considering how quickly this field is changing, recruiters must re-orient their perspective. By widening their searches, organizations can expand their talent pools and play an active role in bridging the skills gap.
Organizations must provide appropriate resources, and candidates must be willing to take advantage of this opportunity. Along with universities that offer cybersecurity curricula, several community organizations recognize the value of diversity in the industry, providing access to content and programs designed to address the talent shortage. ICMCP and WiCyS are two examples of groups that partner with private organizations to create access to different types of training and mentorship programs for women and minorities looking to transition or grow within the field of cybersecurity.
These community organizations want not only to help individuals begin their careers but also to see them advance into leadership roles. Through this cooperation between public and private partners, community organizations can help increase representation of women and minorities within cybersecurity.
Looking to the Long-Term Strategy
As noted earlier, filling the existing gap will require a longer-term strategy where the industry rethinks how to develop a sustainable pipeline of future talent. One of the biggest issues in cybersecurity hiring has to do with the sets of skills and attributes hiring managers believe are mandatory in a “qualified” individual. All too often, these wish lists grow much longer than what any individual could have possibly attained over the course of a 5-, 7-, or even 10-year career in the industry.
To make matters worse, hiring based on a predetermined list of qualifications tends to rule out some of the most talented and capable recent graduates -- those who are eager to learn and most excited about the profession. To turn this around, organizations can begin to prioritize innate strengths over “X years of experience.” Using this approach, they will end up with employees who are happier to do their jobs and fit in more seamlessly with the rest of the team. Interviewing for, say, analytic sharpness, level of comfort with abstract ideas, communication skills and leadership ability, independence and autonomy, mathematical and modeling skills, and other such “soft” skills may reveal much more about a candidate’s chances for long-term success than his or her resume alone.
In addition, training must be continuous. Organizations must enable on-site training in which talented new hires pick up the technical, hands-on skills they need to monitor networks and mitigate threats. Even tenured employees appreciate and benefit greatly from opportunities for continued education, whether via in-person or online courses, seminars, or conferences.
Organizations have discovered some of their best cybersecurity employees by looking within their own IT departments, encouraging individuals who may no longer be stimulated in their current roles to move laterally into a cybersecurity position by completing training programs and/or certifications. These workers bring a new, fresh perspective; this alone demonstrates why upskilling and reskilling should be considered essential when looking to build out security teams.
Looking Down the Road
Progress is being made to decrease the cyber skills gap, with the goal of 100% coverage of all cybersecurity jobs so that organizations can present the strongest front against mounting cyber assaults. But organizations and the groups they partner with can’t afford to rest on their laurels. Instead, they need to continue the strategies that have brought them success and employ new ones to continue the positive trend of bringing more individuals into this dynamic, fulfilling, and vital career field.
Sandra Wheatley is responsible for Fortinet’s threat intelligence, customer marketing, security academy and veteran’s training programs. Sandra has served on multiple non-profit boards and is a founding board member of US2020, a White House Initiative to improve STEM learning and increase the pipeline of STEM workers in the U.S. She holds a B.S. degree from Santa Clara University, a diploma in Community Leadership from Boston College, and a diploma in Corporate Responsibility from U.C. Berkeley.