Numerous think tanks are seeking to resolve the cybersecurity skills gap, estimated by industry group (ISC)2 to stand at 3.4 million worldwide. It’s an issue that cannot be resolved by relying upon the usual influx from higher education. The call has been to recruit in a less discriminating way by encouraging people in related professions or who have some aptitude and the relevant soft skills to enter the profession.
But for the most part, that’s not what is happening. Organizations are competing for resources from the same small pool of people, according to the “Global Cybersecurity Outlook 2023” published by the World Economic Forum. This may well threaten the viability of security initiatives if cybersecurity professionals are tempted to move jobs more frequently, leading to a more transient workforce.
A transient workforce does nobody any favors. It doesn’t help individuals achieve their potential when their tenure is so short, and businesses become more vulnerable because they don’t have the stability and resilience needed to create a strong security posture. Moreover, those with the deepest pockets will come out on top, making it very difficult for startups and small and midsize businesses to thrive, curtailing economic growth.
The Best Intentions Can Backfire
However, encouraging non-skilled applicants into the sector without adequate provision can also backfire. A UK government report found 22% of cyber-sector companies employ staff who lack the necessary skills, and 44% say their job applicants lack the technical skills to do the job. Those businesses had to either take unskilled staff or keep looking, leading to vacancies remaining open for months. Due to a poorly equipped workforce, 44% could not meet their business goals.
The plain truth is that it’s not just a numbers game. Many of these roles are considered “hard to fill” because they are for specialist skill sets such as forensic analysis, security architecture, interpreting malicious code, or penetration testing. Or they’re for senior roles with three to six years’ experience. Even if companies recruit people with high potential but not the requisite background, it will take years for these recruits to upskill to reach a sufficient standard.
Moreover, if we throw open the gates completely, we risk diluting the industry by introducing a whole swath of people with no technical skills. Yes, soft skills are valuable and in short supply too, but relying on these alone to fill the workforce gap does nothing to address the problem businesses have: a lack of trained, competent cybersecurity professionals, resulting, once again, in less resilience.
Training Is the Only Way Forward
Another major hurdle is that many organizations are reluctant to invest in training because the job market is so volatile. There’s a fear that, by investing in new recruits, those staff members will become a flight risk and put themselves back into that talent pool. In fact, the (ISC)2 survey found the opposite: Of the cyber professionals they spoke to, 64% said they take certifications to improve their skills, while 53% do so to stay up to date with current trends. Only 15% said the chief reason they undertake training is to apply for a job outside the organization.
Yet expecting businesses to shoulder the full cost of retraining seems unfair. Thankfully, we’ve seen some initiatives here, such as (ISC)2 pledging a million free courses and exams, and universities including Stanford, the University of Maryland, and the University of Colorado offering free online courses. While these are welcome, they won’t come close to satisfying demand. More free training is needed, but it must be targeted.
The cyber career pathways rolled out across the US, UK, and Europe now provide a much clearer understanding of the skills required for specific roles. Consequently, it’s become much easier to see the specific courses needed to carve out a career, helping individuals, educational institutions, and businesses plan accordingly. But we now need to give more attention to the roles in the highest demand, which are the most likely to be poached. Supplying sufficient training in those areas can help curb the “fishing in a barrel” problem that is likely to destabilize the sector.
Cybersecurity is not for the fainthearted. People are expected to continue to undertake demanding qualifications throughout their career. They are accountable for the safety of the organization and its customers’ and employees’ data. For those aspiring to enter the profession, we need to provide the necessary tuition. We have the tools; now we need to identify those roles that are in crisis. Mapping those and offering tuition to support people could make all the difference to solving the skills gap.