Given the seemingly never-ending reports of data breaches across the last two years, coupled with mobile malware rising and ransomware finding new targets in healthcare and municipalities, it should come as no surprise that the cybersecurity industry is a hot potato right now. According to the 2019 (ISC)2 Cybersecurity Workforce Study, there are some 2.8 million people working worldwide in the cybersecurity sector, with the US (804,700) and the UK (289,000) being the biggest cyber-employers. That’s the good news.
The bad news is that it’s simply nowhere near enough. Despite media headlines highlighting the cyber-skills shortage for a very long time, there’s little sign that this workforce gap is shrinking; in fact, the opposite is happening. According to that (ISC)2 report, the gap has grown since 2018 due to a global hiring demand surge. In the US alone, it is estimated to be around 500,000, and in Europe, 291,000. Globally, the cybersecurity workforce shortage is estimated to be some four million vacancies. That means the number of people working in cyber needs to grow by 145% just to catch up and stop the stagnation. To put that into some perspective, 65% of organizations represented in the (ISC)2 survey had a shortage of cybersecurity staff and 51% of cybersecurity professionals said that this shortage was putting their business at risk.
So, what is wrong with security industry recruitment and how can the errors of the past be corrected to ensure the right talent, in the right numbers, can be hired moving forward?
Recruitment Isn’t Working
“There are clear signs that IT security recruitment isn’t working as needed,” Amanda Finch, CEO of the Chartered Institute of Information Security (CIISec) says. “According to the Enterprise Strategy Group, the number of organizations reporting a problematic shortage of cybersecurity skills has increased every year since 2015.” Does this mean that the cybersecurity industry needs to rethink its approach to recruitment? Finch is convinced that, unless things change, we will be facing a “stagnating” workforce that is unable to keep up with the expanding skills gap. “A large part of this problem is a result of where recruitment focuses its efforts,” Finch explains. “Too often there is the expectation that security is a technical subject: meaning only people with an aptitude for tech, or the right technical qualifications, should be considered.” This, in turn, results in recruitment from a narrow demographic. CIISec’s annual survey this year revealed that 89% of respondents were male, and 89% were over 35. “Unless the industry rethinks its approach to recruitment by embracing greater diversity, in gender, age, ethnicity, disabilities and experience, businesses will continue to face reduced protection and over-worked security staff,” Finch warns.
Placing too much emphasis on education, be that in terms of a university degree or industry certifications, is certainly the primary reason for recruitment failing the sector so badly, according to BeyondTrust CISO, Morey Haber. “Information security is much more akin to a vocational job that requires self-learning or training, but not a formal education,” he insists. “To that end, the industry should look for passionate individuals that have an interest in cybersecurity and possess exceptional detective and deductive skills.”
Anthony Young, director at Bridewell Consulting, agrees that many employers are far too shortsighted when it comes to recruiting cybersecurity professionals. “They expect to hire employees that have the knowledge and skills to cover the latest technology, solutions and threats,” Young points out, “but it’s impossible for an individual to be an expert in all areas concerning cybersecurity as the landscape is constantly changing.” This, Young adds, means that searching for someone who ticks all the boxes often results in truly talented individuals being overlooked. “Organizations should focus on identifying talented individuals who have a real passion for cybersecurity and invest in training them up,” he argues.
Filling the Gaps
As the talent pipeline is increasingly squeezed, the cost of recruiting the right talent increases, says Graham Hunter, vice-president of skills at CompTIA.
“A more sustainable and strategically sound approach is developing talent in-house rather than fighting for resources in urgency,” Hunter explains. “Lifelong learning needs to be adopted as a habit, enabling employees to move up in the business and open up spaces for lower-level roles.”
Is widening the talent pool criteria really all that needs to be done to break the skills gap impasse? If only it were that easy. “Many businesses are under-benchmarking and inaccurately scoping roles,” says Ross Tanner, head of practice (information security) at La Fosse Associates. This means that cyber-salaries and years of tenure are often aligned to technology counterparts, or multiple remits are crammed into individual roles. “Unsurprisingly, it’s common to find companies unsatisfied with their cyber-teams’ outputs further down the line,” Tanner says. Then there’s the problem of putting way too much responsibility at the door of security tools which are often considered to be some kind of silver bullet. “The common theme throughout security vendors today is ‘automation’ or ‘artificial intelligence’ in their products,” he continues. “Without the right people in place to make sense of the outputs from those tools, companies are left with an ineffective and costly overhead that could be better spent on highly-skilled security specialists, or training to upskill existing staff.”
There are forward-thinking recruiters out there, applying the kind of approaches needed to start shrinking the cybersecurity skills gap. So, what are they doing right that others have done so wrong? Diversity is the key factor according to Lynn Studd, director, BT Security, who says that recruiters need to look at attracting as diverse a range of potential employees as possible, “in particular, by thinking about what the barriers and the enablers of their careers are.”
So, for example, BT “recognizes the skills that neurologically diverse candidates can bring to security, in particular around complex problem solving and pattern analysis,” Studd says.
Amanda Finch certainly agrees that forward-looking organizations are expanding their reach when looking to attract the right people. “They look outside technology to find individuals with the right transferable skills which can benefit a security role,” she says. “For instance, tracking and managing multiple actions at once could easily be transferable from a parent returning to work, and teachers should be highly capable of demonstrating and explaining best practice.” Finch is also seeing evidence of recruiters taking a framework-based approach rather than simply looking at CV keywords, which means identifying the capabilities a specific role needs, then matching those to candidates. “The framework-based approach to best practices and skills is a way of validating security skills and roles,” Finch says, “ensuring that each role is really understood and clearly displays to new recruits the paths they can follow in the organization.”
Give Everyone a Fair Shot
If there is one essential takeaway from the conversations Infosecurity has had with CISOs and cyber-recruitment specialists, it is this: everyone must be given a fair shot at an infosec career if any real progress is to be made in filling the skills gap anytime soon. This simple-sounding notion is key, according to Joan Pepin, chief security officer at Auth0. “In general, there is a ‘type’ that has traditionally been the infosec practitioner,” she says. “While you can find many examples of people who don’t fit that, that idea has been propagated and, in some cases, defended and enforced.” However, infosecurity recruiters need to be very careful when talking about any cultural fit. “It doesn’t mean we play the same video games, watch the same shows, laugh at the same jokes, or go to the same movies,” Pepin concludes. “It means we care about our jobs, our customers, and we’re innovative and creative.”
Identifying In-Demand Skills for Modern Cybersecurity Roles
Firstly, we need to understand where the skill shortages sit within most organizations as far as cyber is concerned. “Currently we’re not seeing a skills shortage at CISO level,” Bridewell Consulting’s Anthony Young says. “The real skills gap exists beneath CISO level, particularly around specialized technical skills like penetration testing or cloud security.” So, while many companies are embracing AWS, Azure and Google Cloud, all too often they might not have all the expertise required to ensure that they are configured securely, as various reports of leaking data buckets confirm. This reveals an interesting reality: while in-demand skills vary widely across organizations based on size and specialization, they do follow technology trends. No surprise then that Morey Haber, CISO at BeyondTrust, sees “skills for the cloud, identity and privileged access, vulnerability, patch, and configuration management, and mobile device security,” being firmly in demand. CompTIA’s Graham Hunter agrees, insisting that “in-demand skills fall into the three main categories of modern security: technology, education and process.” The most sought-after skills, though, remain firmly in the traditional category of technology. “Whether it is new practices that reflect a more proactive mentality (such as cybersecurity analytics), new tools that address cloud/mobile infrastructure (such as identity and access management), or new threats that take advantage of digital reliance (such as social engineering),” Hunter says, “companies need their IT and security specialists to be up-to-speed on the changing technological landscape.”
The changing landscape comes to the fore as far as Steven Cockcroft, director at Cybersecurity Professionals, is concerned too. “Some of the most in-demand skills that are lacking include compliance, risk management, framework implementation and auditing,” he says. “These skills will become more essential in the years to come as more businesses adopt stricter cyber processes and need to consider the wider implications of their security strategies.” Perhaps, then, the most in-demand skills will be transferable ones, and these are underutilized currently. “Framework implementation and auditing are strategy-based skills,” Cockcroft concludes, “which will benefit from candidates who think in different ways.”