Tackling the Cyber Skills Shortfall: A Multipronged Approach

Written by

The cybersecurity industry is in the market for a lot of new talent. James Coker sets out to explore all of the ways it can find it, fast! 

The cyber skills shortage is an issue that the security industry has been wrestling with for some time. What was already a significant problem has quickly turned into a crisis during the COVID-19 pandemic, with organizations and individuals facing a barrage of cyber-threats due to the digital shift.

Citing ISACA’s State of Cybersecurity 2021 study, Jonathan Brandt, director, professional practices and innovation, ISACA, outlined: “Our research also shows that understaffed teams remain strongly correlated to an increasing number of cyber-attacks.”

This trend has increased the burden on already stretched cybersecurity teams, causing significant levels of stress and burnout.

The need for additional skilled cybersecurity professionals is therefore enormous. The 2021 (ISC)2 Global Workforce Study found that while the skills shortage has fallen, the size of the workforce is still 65% below what it needs to be. In addition, only a third (34%) of cybersecurity professionals surveyed in ISACA’s State of Cybersecurity 2021 report believe that their teams are appropriately staffed.

The issue is even more concerning when scrutinizing the prospective cyber talent pipeline. HP Wolf Security’s research paperBeat the Cybersecurity Talent Shortage, cited research showing that just 3% of bachelor’s degree graduates have cybersecurity-related skills in the US.

Therefore, many organizations currently feel unable to fill their vacancies appropriately. For example, ISACA’s State of Cybersecurity 2021 study revealed that around half of cybersecurity professionals do not believe their applicants are well qualified for the roles they are recruiting for.

In this landscape, it is clear that organizations need to take new, innovative approaches to fill their cyber job vacancies. This won’t be achieved by a single silver bullet, but instead, through a range of initiatives, working concurrently with one another.

Retain Existing Internal Staff

Retention of cybersecurity staff has been a significant problem for organizations. Yet, keeping existing workers in place for longer periods should be the foundation for tackling talent shortfall. An obvious starting point is to offer more workplace benefits to these individuals, such as extra vacation days and flexible working. ISACA’s Brandt commented: “Once you have the talent that you need, retention is very important. It can be time-consuming and expensive to recruit, and in a hot job market, it is more than just compensation and benefits that will attract and retain staff.”

In the view of Clar Rosso, CEO of (ISC)2, the shift to hybrid working provides the perfect opportunity to enhance the work-life balance for cybersecurity professionals. “Remote working offers more flexibility to employees and prospective employees, as well as to employers. It makes roles more accessible and appealing to amazing and valuable individuals who may have family and care obligations, health issues that might affect their ability to commute, those who are introverted and those not wishing to trade an existing and beneficial quality of life for the requirement to commute to a single location,” she outlined.

In addition to improving workplace conditions, organizations can prove they truly value their cybersecurity talent by investing in their professional development. Brandt commented: “Focus on training and certifications for your team. Your team is worth investing in, not only to upskill and build the team you want but at the individual level. You’re investing in future leaders, future decision-makers and valued assets.”

Looking From Within

Sometimes, it’s easy to overlook what’s right in front of you. Many organizations may already have ready access to cybersecurity professionals in the making; they just don’t know it yet. (ISC)2’s Rosso noted that individuals working in various fields would have the mindset and soft skills suited to a cyber career. “Rather than being laser-focused on technical skills, we need to evaluate technical experience and other critical skills such as problem-solving abilities, critical and analytical thinking, creativity, the ability to work independently and in a team and communication skills. This approach will expand the potential talent pool and allow organizations to access people who can develop and grow with the business and its needs,” she explained.

Joanna Burkey, CISO at HP, concurred: “With a desire to learn continually and the skill of working productively in uncertainty, everything else can be taught! The ability to work in an area where the goalposts shift often and the paths forward are not always black and white is a foundational skill to working in a field that evolves as quickly and as often as cyber does.”

Rosso’s point about pulling in the same direction of the organization is pertinent to harnessing internal talent. After all, these individuals are already inside the business and understand its operations and ambitions. HP’s report noted: “Retraining personnel can fine-tune the instruction to the company’s particular needs. Employer-paid training also builds loyalty. It engages employees who aim to bolster their credentials, add new skills to their résumés and improves potential earning power.”

Change Recruitment Practices

The above principles relating to identifying non-security internal talent can also be applied to organizations’ external recruitment strategies. Rather than being fixated on recruiting candidates with (often expensive) technical qualifications that are out of reach to many people, there should be a greater focus on soft skills. This includes candidates’ ability to adapt and learn. After all, cybersecurity is a rapidly evolving sector, meaning skills constantly need to be updated, irrespective of previous qualifications. (ISC)2’s Rosso believes this should be reflected in job descriptions, opening the door to a much wider pool of talent to apply. “Requiring years of experience and technology-specific qualifications for entry-level roles needs to stop. This pervasive practice is one of the most prominent and unnecessary barriers to entry for the next generation of cybersecurity professionals who our sector so desperately needs,” she said.

In addition, the growing acceptance of remote working and the use of video conferencing technology to facilitate business activities mean roles that may previously have only been available to those who lived in a particular area(s) can theoretically be filled from any geographic location. If realized, this would dramatically increase the available talent pool for organizations. Rosso stated: “One of the biggest opportunities that the remote working boom offers is the ability to expand hiring footprints. Employers and individuals are no longer restricted to only hiring or accepting roles in commutable reach of a single office location.”

“One of the biggest opportunities that the remote working boom offers is the ability to expand hiring footprints"

Promoting Diversity and Inclusion

The cyber industry’s lack of diversity has been well documented. There is a significant underrepresentation of individuals with a wide range of characteristics, including genderrace and neurodivergent people. Encouraging more candidates from these backgrounds to pursue a career in the sector can play a significant role in solving the skills gap. Rosso commented: “If we are to truly make a lasting reduction in the global cybersecurity skills shortage, we need to make the profession more balanced, more representative of society and more open and welcoming to all regardless of gender, age, ethnicity, socioeconomic status or educational background.”

Aside from increasing the volume of candidates, HP’s Burkey explained that greater diversity is key to combatting the increasingly dangerous cyber-threat landscape. “A diverse organization is a resilient one, with a variety of thoughts, backgrounds and lived experiences being present. The attackers are a diverse group, and we must be too!”

To achieve this, organizations must take action to ensure people with a diverse range of experiences and ways of thinking can thrive and avoid taking a one-size-fits-all approach.

ISACA’s Brandt advised: “Take a hard look at your cybersecurity team’s culture: Is it inclusive, diverse, collaborative? Is this a competitive environment or a supportive one? Would a non-traditional candidate feel welcome, comfortable in asking questions and requesting mentoring? If your culture is not as welcoming as it could be, set expectations for the culture before recruiting non-traditional staff.”

Embrace AI and Automation

Another potential solution to the skills crisis is to take advantage of modern technologies, such as AI, to automate tasks. Ideally, this will free up security professionals’ time to focus on more complex tasks that they find more rewarding. HP’s Burkey explained that organizations should understand the specific benefits AI can offer them, then make purchasing decisions based on that assessment.

“My philosophy on automated tools including AI is that they are best leveraged in ways that free up humans to do what humans are good at,” she outlined. “I think that is a great place to start when thinking about how ML/AI/automation can benefit any cyber strategy – what are the humans already there really good at? How do we maximize the time and resources they have to do what they are best doing? Using automation to fill in those holes is a terrific starting point, and once deployed will help expose the right ways for their use to grow in a particular program.”

From the maker of the world's most secure PCs and printers, HP Wolf Security is a new breed of endpoint security. HP's portfolio of hardware-enforced security and endpoint-focused security services is designed to help organizations safeguard PCs, printers and people from circling cyberpredators. HP Wolf Security provides comprehensive endpoint protection and resilience that starts at the hardware level and extends across software and services. For more information, visit www.hp.com/wolf.

*Based on HP’s unique and comprehensive security capabilities at no additional cost among vendors on HP Elite PCs with Windows and 8th Gen and higher Intel® processors or AMD Ryzen™ 4000 processors and higher; HP ProDesk 600 G6 with Intel® 10th Gen and higher processors; and HP ProBook 600 with AMD Ryzen™ 4000 or Intel® 11th Gen processors and higher.

**HP’s most advanced embedded security features are available on HP Enterprise and HP Managed devices with HP FutureSmart firmware 4.5 or above. Claim based on HP review of 2021 published features of competitive in-class printers. Only HP offers a combination of security features to automatically detect, stop, and recover from attacks with a self-healing reboot, in alignment with NIST SP 800-193 guidelines for device cyber resilience. For a list of compatible products, visit: hp.com/go/PrintersThatProtect. For more information, visit: hp.com/go/PrinterSecurityClaims.

***HP Security is now HP Wolf Security. Security features vary by platform, please see product data sheet for details.

Brought to you by

What’s hot on Infosecurity Magazine?