Is the "Cyber Skills Shortage" a Misnomer?

We have been hearing for years that there is an acute ‘cyber skills’ shortage. Statistics vary, but even back in 2019, it was estimated that the global IT cyber skills shortage had surpassed four million. However, little has been written about whether this data is relevant and, crucially, whether it frames the problem correctly.

Firstly, let’s examine the premise of whether there is a ‘cyber skills shortage.’ The fact is, just because firms can’t always hire for the roles they advertise, it doesn’t necessarily follow that there is a shortfall in the candidate pool. Perhaps the focus needs to shift to developing and implementing more effective, inclusive hiring strategies.

Let’s break this down. Inclusive hiring can increase the number of job applications a business will receive for each vacancy and improve their ability to identify skilled candidates (by removing bias), thus increasing their chances of finding someone that’s a fit. So what does inclusive hiring entail?

By being much clearer on what skills are needed and developing more realistic job descriptions, businesses can extend their applicant pool. A very long list of “essential” requirements is just shorthand for exclusion, either because businesses are guilty of developing job descriptions that include a whole team’s worth of work (which might put anyone off but disproportionately impacts women) or because they are excluding people unnecessarily, based on outdated or biased views about what makes someone suitable for a role.

Businesses should distil their job ads down to just two or three non-negotiables by clearly setting out the difference between skills needed on day one, which should go in the job ad as “essential,” versus skills that can be picked up in the first six to 12 months with support.

They should also exercise caution when insisting on degrees/certifications as part of these non-negotiables. Qualifications are expensive, so by putting that barrier in place, businesses only see applicants who have had specific opportunities, which isn’t the same as identifying people who have the best skills. Sometimes they’re not truly needed but merely used as a convenient filter to reduce the volume of applications.

This may bring numbers down, but they will be losing skilled people, which is inequitable for those individuals and bad for business. Before adding a specific type of experience or certification to your job ad, consider this: “What does this role specifically require? What skill is this qualification acting as a proxy for? Might a candidate have gained this knowledge via another route?” Then add the skill to the job ad, not a mandated way of gaining it.

Businesses should ensure that the language they are using in job descriptions is inclusive. Masculine-coded job adverts have been shown to decrease the number of women applicants significantly, whereas feminine-coded ads do not impact male applicants. There is a host of information online, including tooling, which assists with language scanning. The interview process should also be set up to minimize bias by using standardized questions and scorecards as a bare minimum.

They should also rethink where jobs are being advertised. Hiring “from your network” is very limiting: a network is likely to consist of very similar people unless you have taken proactive steps to ensure against this. There are fantastic tech community job boards where businesses can post roles to break out of their LinkedIn echo chamber.

It’s no good hiring people, however, if you’ve not ensured your work environment is inclusive; this is setting them up for an awful experience. Businesses need to be honest with themselves: Do people from underrepresented groups feel safe and supported? Do they even want to apply to your roles based on what they can see? Will they leave prematurely?

To that last point, companies need to actively work on retention and ensure this is consistent across their team’s demographics (poor retention disproportionately impacts people from underrepresented groups). You need to help people grow and promote them via an equitable process. Their tenure in your organization will be short-lived if you don’t, leaving you with yet another open role to fill and increasing homogeneity in your company’s upper layers, which will further dissuade potential candidates who don’t see themselves represented.

Excellent cybersecurity professionals come in many guises. Let’s fix our ability to recognise that first and then reassess if there’s still a skills shortage to address. Many organizations will have a long road ahead of them. Perhaps step one is for their leaders to speak out about the critical importance of diversity and inclusion and lead by example by educating themselves and their teams on how to become part of the solution. This is everyone’s responsibility – and the results will be to everyone’s benefit.
