Are We Making the Cybersecurity Deficit Worse?

Article by Jamal Elmellas, COO of Focus-on-Security

The cybersecurity skills gap is growing annually, with 3.4million vacancies in the sector at the last count[1], equivalent to a 42% deficit given that the global cybersecurity workforce totals 4.7million. The end result of those shortages is intense competition in the marketplace, with businesses aggressively competing for talent in a dwindling talent pool, which not only does nothing to address the shortages but will also ultimately make their security posture worse off.

According to the World Economic Forum (WEF)[2], organizations are now competing for talent by paying more to the same small pool of people. This exacerbates the staff shortage by creating a high turnover of cybersecurity experts from company to company which results in a highly transitory workforce. With professionals staying in situ for shorter time spans, there’s limited ability to apply their skillsets, and when they do leave and the recruitment cycle starts again, the business suffers from a lack of continuity.

Those with deep enough pockets will inevitably be in a better position to tough it out than their rivals but ultimately we are weakening the economy by making more businesses susceptible to attack. This has led Gartner[3] to warn that “lack of talent and human failure will be responsible for over half of significant cyber incidents” by 2025 due in no small part to this state of flux. So, what can we do to prevent this endless round of musical chairs?

What we need are people to cross over from other sectors. The problem here is that the industry tends to fixate on technical skills which make it very difficult for those with transferable soft skills to enter the market. 

As the WEF report notes, cyber resilience skills are much broader than many people realise and are certainly not limited to computer science or engineering. The soft skills for cyber roles can come from disciplines such as economics, law, psychology, sociology, communications and media studies. However, a recent drive to promote this over social media platforms when promoting the European Cybersecurity Skills Framework (ECSF)[4] was largely met with disdain with people stating technical skills were essential.

Current hiring practices also show a heavy bias towards technical qualifications. The (ISC)2 Hiring Managers Guide[5] found cybersecurity managers were responsible for job descriptions, as opposed to HR or cybersecurity teams. However, they were often looking for several years’ experience for entry and junior level roles and for qualifications such as CISSP and CISM usually associated with senior roles. It was deemed critical that candidates had IT or security certifications by 51% of those questioned.

The study concludes that hiring managers should consider non-technical skills and traits and attitudes are slowly changing. Many now regarding technical skills as teachable and soft skills such as problem solving, creativity and teamwork as indispensable qualities that can’t be taught. But how do you go about breaking down those barriers and encouraging non-cybersecurity professionals to apply?  

Career frameworks such as the newly launched ECSF, the UK’s Cyber Security Council’s Cyber Careers Framework[6], and the much more well-established National Initiative for Cybersecurity Education (NICE)[7]overseen by NIST in the US, are making great strides in helping to determine the skillsets and knowledge for specific roles. This, in turn, allows those within the sector to explore where their skills could take them, whether that’s laterally or to climb the ladder. But these frameworks are now looking to open up the sector too.

The UK Cyber Security Council’s Career Mapping Tool[8], for instance, aims to make it easier for candidates to find out how they can get into cyber, but the tool itself falls short for those with little experience. The interactive questionnaire has 19 questions that ask the user to rate their knowledge level as ‘unfamiliar’, ‘some’ or ‘advanced’ and even answering ‘some’ to all the questions will provide a zero percent match – bad news for cyber rookies.

Yet, while there’s clearly room for improvement, such tools are moving us in the right direction. We need to be looking more proactively at how we can nurture not just acquire talent as an industry, rather than competing tooth and claw over a shrinking talent pool. Those businesses that realise this and make the investment in their staff will undoubtedly not only enjoy higher retention rates but also stand to preserve their security posture.