
Look at the careers page of most cybersecurity companies and you will see numerous job openings for entry-level to more senior technical roles. However, your organization may not see a high number of qualified applicants.
While there is a healthy debate about the cause — a profound shortage of talent across the industry or unrealistic expectations of what constitutes entry-level knowledge — the results are the same. There is a mismatch between internal needs and external resources.
It’s no secret that with the proliferation of threat actors, nation-state attacks, ransomware-as-a-service, and AI-based incursions, the industry is not keeping up with demand for skilled people. Although the number of people entering the security workforce is growing, the industry continues to fall short of staffing needs, thereby compounding risk and the likelihood of successful cyberattacks.
Due to rapidly advancing threat actor tactics, skills can become outdated quickly. Like a doctor who needs to keep up on the latest medical advancements to treat their patients, security professionals must continue to educate themselves, evolve their skills and try to stay a step ahead of threat actors.
The cybersecurity skills imperative
Organizations like ISC2, ISACA, OWASP, and SANS Institute offer a variety of upskilling programs and industry certifications, often at low cost (sometimes free), including an emphasis on women and minorities who are significantly underrepresented in the cybersecurity field. However, most employers feel that simply possessing a certification is insufficient on its own.
To address this problem, security vendors, MSPs and MSSPs included, need to look inward. For example, some organizations have partnered with local universities or have launched their own training programs — actual in-house “colleges.” Such initiatives give people interested in a cybersecurity career a foot in the door and also continuously upskill their existing workforce. Additionally, in-house training helps build loyalty to the organization over the long term and can help people from underserved communities launch their career.
Security providers should consider developing more robust training programs and couple them with recruitment. We just can’t sit back and wait for the right people to apply to our job openings. And if you want to attract top-tier experienced talent, the answer may be developing them in-house rather than trying to compete solely by offering the highest pay and benefits.
Teaching the right kind of skills
Cybersecurity is a constantly evolving discipline, and training programs must anticipate future challenges rather than simply react to current ones. Designing training through the lens of real-world breach scenarios accelerates adaptability and relevance. While mastering the fundamentals of defense remains essential, remember this: as offensive tactics evolve, so too must our defenses.
The reality is that despite all the preventative measures you can put in place, there is still the likelihood that an organization will be attacked. Unfortunately, today’s threat actors are just that good.
Most importantly, cybersecurity education should focus on resilience before, during and after an attack — even more strongly than on prevention. In other words, can your organization (cybersecurity companies are breached too) or your clients survive an attack, with minimal operational downtime? I believe knowledge of how backup technology works and its proper configuration is essential for today’s (and tomorrow’s) security environment.
The message I want to leave you with is that cybersecurity providers must understand the pitfalls of complacency with respect to their customers’ security posture. Complacency extends to filling roles with qualified people. You can’t just expect the experience you need most to fall into your lap.
Education and upskilling should be part of your security business’ DNA. Without this, your organization doesn’t advance as far as it could and the talent gap continues to widen.
___
About the author
Brian Frank is the Director of Technical Services at Fenix24, where he leads a team of engineers responsible for managing, designing, and maintaining solutions for clients. Throughout his career, Brian has focused on serving enterprise clients in various roles, using his expertise to collaborate closely with client teams to address and solve challenges. His strategic approach and commitment to excellence ensure that client needs are met accurately and efficiently, fostering long-term partnerships based on trust and success.
















