By Robert Ackerman Jr., AllegisCyber
If you have recently read stories about the shortfall of cybersecurity talent, you may have the impression that it’s finally easing. In fact, it is in some ways. But this almost certainly won’t last unless companies drastically change their hiring practices.
This reality isn’t particularly clear to the average organization, however.
Before poking into this, let’s start with some numbers. According to (ISC)2, the world’s largest nonprofit association of certified cybersecurity professionals, the global shortage of cybersecurity workers eased in 2021 for the second year in a row. Last year, the number declined to 2.72 million, down from 3.12 million in 2020, which in turn declined from 4 million in 2019.
In some cases, predictably, the number of cyber workers increased in tandem with a more robust cybersecurity workforce. In the United States, for example, the cyber workforce rose to 1.14 million in 2021 from 879,000 in 2020, an increase of 23 percent. In addition, the number of cyber pros in 2020 rose from 805,000 in 2019, an increase of nearly 10 percent, according to (ISC)2.
So far, so good. Perspective is in order, however.
Last year, in fact, the global cybersecurity workforce gap increased, not decreased, in every region in the world except Asia-Pacific, because of that region’s slower-than-expected economic recovery from the Covid-19 pandemic. This negatively impacted IT services, as well as other economic sectors. The Asia-Pacific situation had an outsized effect on the global number because it has more cybersecurity workers than any other geographic region.
The reality is that the cybersecurity job gap will likely start rising again for a variety of reasons. These include unprecedented nation-state attacks on the software supply chain, as well as surging ransomware attacks on critical infrastructure in the U.S. and elsewhere. In addition, organizations continue to come to grips with an accelerated transformation to hybrid workforces, which are typically less cyber secure.
The best number to look at today – also provided by (ISC)2 – is this one: The cybersecurity workforce still needs to grow 65 percent to effectively defend organizations’ critical digital assets. This huge disconnect between the number of workers needed and the number available is why more than half of respondents in an (ISC)2 poll of security pros at scores of companies said cybersecurity staff shortages continue to put their organizations at risk.
It’s no easy task to find and attract cyber talent with the right skills. To address it properly, companies once and for all must break out of their traditional models of what they think a cybersecurity professional looks like. Cyber job descriptions must be rewritten. The mix of the talent pool must be broader. And practical experience needs to be prioritized over degrees.
Many cyber skills can be learned on the job. What cannot be learned on the job, and is essential, is unabashed curiosity, the ability to solve problems and creative thinking.
One major technology company that has drastically improved its approach on the cybersecurity talent hiring front is IBM. It has created what it calls “new collar” cyber jobs – jobs offering on-the-job cybersecurity training, industry certifications and access to community college courses to select job candidates. Big Blue, in short, is prioritizing capability and willingness to learn over degrees. “New collar” jobs represent 20 percent of IBM cybersecurity hires since 2015.
Another huge technology company embracing new methods in cyber hiring is Microsoft, which late last year launched an aggressive effort to bolster the cybersecurity workforce. Microsoft is working alongside community colleges nationwide to help train and recruit a whopping 250,000 workers into cybersecurity roles by 2025, representing more than half of the cybersecurity workforce shortage.
Microsoft worked with 14 community colleges across six states to develop an approach for the campaign. The company’s commitment offers a cybersecurity curriculum free of charge to 4,000 higher education institutions. It has also said it will provide training to faculty at 150 community colleges and scholarships and resources to 25,000 students.
To be sure, companies need guidance in adopting new ways to cope with the cyber skills shortage. Here are steps they should take:
+ Retool your hiring strategy. The field of cyber pros is still relatively new, and the talent pipeline is narrow. To cope, focus on core requirements, not lengthy lists of technical specifications. Work to attract security-minded software engineers, who may be looking for new opportunities. Also consider candidates outside the technology field, who can provide new ideas and perspective. In addition, make job postings more attractive to a broader array of candidates.
+ Broaden diversity efforts. Too many female cyber pros weren’t encouraged to study technology curricula as young girls. Regardless, they managed to learn how to do much of cyber work anyway and should be considered as hires. There is a similar gap in underserved minority communities. To broaden hiring prospects, consider checking in with development-focused organizations such as the National Society of Black Engineers and Women in Cybersecurity.
+ Invest in employee certification programs. Companies should create programs to help young people get certified on the job. Certifications don’t make up for years of experience, but they help junior and mid-level staffers embrace a good, practical cybersecurity grounding.
+ Offer on-the-job training. Upskilling and reskilling are essential to closing the cyber skills gap, and part of this responsibility rests on the shoulders of companies themselves. IBM’s “new collar” job program is an excellent example of how to draw new cyber pros into the fold.
Lastly, companies should also bear in mind that cyber pros, often under extreme stress, suffer burnout.
As a result, a Forrester survey last year found that 65 percent of cyber workers consider leaving their jobs at some point. Some are leaving the field altogether. Salaries are generally good, but many benefit packages must be better. Needed are more paid time off and flexible work options. Bottom line, companies will never get ahead of the cyber hiring curve if they don’t mitigate typically high turnover rates.