Cybersecurity teams are struggling to find the right talent, with the right skills, and to retain experienced employees. The situation is only likely to worsen, as inflation and a tight labor market push up wages.
This was the view of a panel of chief information security officers, speaking at Infosecurity Europe. But there are steps that organizations can take to ensure greater diversity, to build cyber teams from within and to keep hold of their most effective employees.
According to Paul Watts, a distinguished analyst at the Information Security Forum (ISF) and a former CISO, universities produce graduates with strong technical knowledge, but not always the broader skills they need to operate in a business environment. The gaps include communication skills, an understanding of how businesses operate and even emotional intelligence.
His views were echoed by Erhan Temurkan, director of security and technology at Fleet Mortgages. “We are finding that graduates are coming out of university who know how to use the tools,” he said. “But the way I put it is, having a paintbrush doesn’t make you an artist.”
Further, graduates sometimes lack a sufficiently deep understanding of networking and IT operations.
One reason is that graduates’ views of cybersecurity roles are quite limited. “All students want to be pen testers,” said Watts.
The industry could, he suggested, do more to demystify a wider range of roles, including those that can prepare entrants for management positions.
Cara Annett, security awareness and culture director at RX Global, questioned whether the industry could do more to recruit people with backgrounds outside cybersecurity and IT.
“I came from a non-technical background. How do we attract people from creative backgrounds?” she asked. “We are quite reliant on academia to create our pipeline [of talent], but is that what is needed by individuals and businesses?”
The panel agreed that employers could do more to attract talent, both by engaging earlier with undergraduates and by casting the net more widely.
“I’ve done guest lectures and it gives a real lens on the day-to-day life of a security engineer, SOC analyst or even CISO,” Temurkan said. “This is where graduates get real insights. And as a community, we have to keep giving back.”
Firms can also diversify their recruitment, by looking to underrepresented groups and also looking internally. “That diverse group can be within your organization,” said Annett.
The panel conceded, though, that upward pressure on salaries looks set to continue. But firms should look beyond just pay. Flexible working and working from home are now a “hygiene factor”, Temurkan admitted.
“You could be like-for-like on salary, but if the other organization gives one or two more days working from home, they will go for them,” he said.
Firms are more likely to retain staff if they invest in them, argued Watts. “We have the terrible situation where peers are unwilling to train people, because they will become a ‘flight risk’. But you have to develop people. If you are not doing that, it becomes a revolving door.”