The cybersecurity skills gap and talent shortage is a topic on the agenda of almost every board across the industry – and it’s becoming an ever more urgent discussion. In fact, according to the 2023 State of the CISO report by Salt Security, 91% of CISOs agree that finding and keeping qualified cybersecurity talent significantly impacts their ability to deliver on digital transformation initiatives. With an estimated global workforce gap of around 3.4 million people, it’s time to rethink our approach to tackling the ever-increasing cybersecurity skills gap. But where to start?
For Camellia Chan, CEO and Co-Founder of Flexxon (who was also one of our ‘Most Inspiring Women in Cyber in 2022‘), the narrative around cybersecurity hiring needs to be approached differently: “There is a popular misconception that entering the tech world requires years of formal, technical education – but we must shift the narrative. I did not have those credentials when I joined the industry, I studied business management at university. But if you have a passion and want to work hard, there are many ways for you to pick up the skills and be an excellent cybersecurity professional. That’s why it’s crucial that business invest in quality education and training for employees.”
Viewing talent as an investment is not uncommon, but an open mind to the idea of the ‘perfect candidate’ is crucial, especially when it comes to education, according to Haris Pylarinos, CEO and Co-Founder at Hack the Box: “We should move away from a traditional hiring model that focuses solely on university degrees and specific certifications.”
“This way, a broader range of candidates, including self-taught hackers and experienced professionals from various backgrounds, can apply. This approach matches what I feel is more important in the industry today – practical experience. Relying solely on a university degree will actually sabotage your hiring efforts.”
Edward Thorpe, Lead Talent Acquisition Partner at Garrison, expresses a similar view: “By considering talent outside of cyber, from fintech or gaming as examples, we can start to develop pipelines of more diverse talent eager to work in an industry that is equally prosperous, yet less competitive and potentially more rewarding.”
Ilona Simpson, CIO, EMEA, at Netskope, suggests that the problem is that many educators focus only on encouraging people to get into STEM: “It implies that you only need engineers. You also need customer support, you need corporate managers, you need UX designers… You need everyone. You need every skill in our industry.”
But where else can this talent be found? Steven Wood, Director of Sales Engineering at OpenText Cybersecurity, suggests: “Expanding talent catchment profiles, implementing supportive intern programs, revising recognition, and giving the cybersecurity team a seat at the boardroom table are all credible actions that businesses should take today.”
When it comes to existing recruitment practices, Jamal Elmellas, Chief Operating Officer at cybersecurity recruitment agency Focus-on-Security notes: “Hiring from within the same small talent pool is undoubtedly causing issues in the cybersecurity sector. It’s intensifying competition over top talent, particularly those with three to six years’ experience, and this is leading to more churn. A transient workforce does nobody any favours.”
Additionally, Elmellas outlines the significant risk to approaching the talent shortage with an ‘anything goes’ type attitude: ” If we throw open the gates, we risk diluting the industry by introducing a whole swathe of people with no technical skills. While that may fill the recruitment gap, it does nothing to address the problem the business has which is a lack of trained and competent cybersecurity professionals, resulting, once again, in less resilience.”
Chris Cooper, a member of ISACA Emerging Trends Working Group, shares a similar worry: “We can’t continue along the path we are on where the sector is made up of predominantly white middle-aged men but nor can we pretend this is an unskilled career path. We need to tread carefully. Implying that soft skills are enough to succeed in the sector is disingenuous.”
Cooper continues: “Employers should be asking if applicants are able to demonstrate transferable skills which could be applied to a career in cyber – we should be actively sharing our experience with each other so everyone can benefit.”
Evidently, in order to create a robust future, it’s important that we diversify our hiring views in many different ways. Crucially, a diversity of thought (whether that’s voices across industries, regions, genders etc.) is necessary for a strong future. Tech has always been forward thinking, but in many ways the industry lags behind its counterparts in terms of diversity. In fact, according to research by Eskenzi PR and Marketing, only one fifth of cybersecurity leadership roles are filled by women.
Caitlin Nowlin, Program Manager at Hyland, further explains: “No matter the task, it’s always important to have multiple perspectives. Our background and experiences can impact how we approach a problem or activity, and having a broad set of individuals working on something means all the kinks are ironed out. This approach requires diversity – of gender, race, ethnicity, background and even education is key to making something the best it can be. But there is a huge gap right now, especially in tech and computer science industries.”
Evidently, there’s no one path to ‘solving’ the skills gap. Instead, an open mind in the hiring process, alongside retaining talent is key – to plug the skills gap and make organisations as safe as possible.