Whether it’s the explosion of new ways for staff to work remotely, or the seemingly huge rise in cyber-attacks, it has been a landmark period of change for the entire IT industry over the last two years. The pandemic’s impact on the way organizations operate has exposed a series of cybersecurity frailties that many business leaders are struggling to deal with. This is leading to a demand for cybersecurity professionals that can’t be met. Recent figures suggest the staff shortfall is widening in every region around the world apart from Asia-Pacific. This severe shortage of expertise means businesses are struggling to retain talent and find the people with the experience to tackle today’s cybersecurity issues.
It’s important we assess why we’re facing these challenges. Recent research from ThreatConnect, Cybersecurity Under Stress 2022, found that 41% of UK-based IT security managers are actively considering whether to leave their job in the next six months, while less than a quarter would be likely to recommend a career in cybersecurity. As security teams are under greater pressure due to the increased frequency and complexity of attacks, stress and burn-out are undoubtedly a challenge. Still, much of the issue is down to some fundamental self-imposed cultural problems within the industry that would be so easy to change.
Despite it being 2022, we’re still seeing organizations post job adverts that belong in the 1980s, which use boilerplate wording and seem to be written by someone who has little idea what the job should be, nor what the job seekers in our industry look for. Unconscious bias, poorly written job descriptions and preconceived notions of what is required are driving the skills shortage. These factors are also creating a diversity shortage. Tech vendors aren’t making their lives easy when it comes to their hiring criteria; using words like “cutting-edge,” “rock star” and “unicorn” in their job descriptions just gives the impression of a closed, exclusive cybersecurity club when actually we’re in desperate need of fresh, diverse talent. Organizations must start reframing their expectations of who can fill roles and analyze what skills are required for grappling with a threat landscape that is radically changing.
This is especially relevant when looking at our industry’s proliferation of new tools and buzzwords, which, given their lack of effectiveness, are also driving a huge issue in cybersecurity staff training. If technology vendors can continue to improve their focus on the user experience and on the path to adoption, end-user organizations can move beyond the ‘skills crisis’ by hiring people rather than just certifications.
While it’s important to address the recruitment shortfalls, it is far more crucial for businesses to consider how they retain their staff and invest in their security operations to ensure the problem doesn’t worsen. Often, the answer is not as simple as hiring more people. While this can be beneficial if the people are right, at a time when we’re facing this unprecedented talent shortage, the time and money spent by a business on hiring new employees can be used more effectively to bolster their security infrastructure. Ultimately, it is better to have a smaller group of well-trained IT professionals that know your business inside-out, rather than a disparate larger group of new employees (or contractors) unequipped with the right skills.
The headlines and discussions about the talent crisis can seem alarming and understandably leave many business leaders concerned about the future. The significant shortfall in new intakes, coupled with discontent amongst those working in the industry, is unsustainable, but there are solutions. The key to finding these will be for the leadership across IT and HR departments to work together to advertise their company in a way that attracts the right team members and maintain and upskill existing employees. Businesses need to ensure their staff has access to training to prepare them for what’s coming in the months and years ahead.
Perhaps most importantly, they must be prepared to help avoid burn-out and avoid the feeling of ‘owners vs. staff.’ The 24/7 nature of infosec cannot be sustained by a handful of people being expected to work around the clock, and with staff sharing their experience on sites like Glassdoor, LinkedIn and Reddit, a business’s reputation for overworking and under-caring is a red flag that can be found instantly with a quick search.
Organizations that find themselves without the budget or even the desire to hire can supplement their existing staff with the technology and expertise of a suitable security partner to get the balance right. These multiplier forces working together can positively affect an organization’s overall security posture, enabling the people you already have to handle strategic initiatives and critical priorities effectively.