Most organizations are still lacking talent, according to a new report, but experts think expanding the definition of a cybersecurity professional can help.
Breaches in recent years—ranging from the Pegasus malware hack to the WannaCry and NotPeyta outbreaks—highlight how critical a robust cybersecurity strategy is for all organizations, large and small. Yet the gap in cybersecurity skills for most businesses continues to persist: There are simply not enough skilled professionals in these roles to meet the demand. This fact is evidenced in the fifth annual industry report from the Information Systems Security Association (ISSA) and analyst Enterprise Strategy Group ESG, “The Life and Times of Cybersecurity Professionals 2021,” which shows that the cybersecurity skills shortage has not improved.
The report, which surveyed 489 cybersecurity employees, shows that a heavier workload (62%), unfilled positions (38%) and worker burnout (38%) are contributing to the skills gap. Nearly all surveyed (95%) believe the gap has not improved in recent years.
SEE: Security incident response policy (TechRepublic Premium)
Hiring and keeping professionals “remains a top challenge in 2021,” according to William Candrick, research director in the Gartner IT practice. “The global demand for cybersecurity skills far exceeds the current supply of traditionally qualified individuals.”
The report is “no surprise,” said Camille Stewart, Google’s head of product strategy. Stewart, who has worked for Deloitte’s Cyber Risk program, under the Obama administration as the senior policy adviser for cyber, infrastructure & resilience policy at the Department of Homeland Security, and in other top positions, says the cybersecurity gap is “a multifaceted problem.”
She observed that many small to midsize organizations don’t properly prioritize cybersecurity, “which does them a disservice—because if you have seen all of the ransomware and supply chain attacks that have been going on, [they] are not immune from being targeted.”
Another issue is that those who have open roles don’t know how to fill them. The Cybersecurity Infrastructure Security Agency has several open positions, for instance, and is “trying to get really creative with how they recruit the talent,” she said.
A primary route to doing this is by connecting cyber jobs to a more diverse talent pool.
“It has long been a problem to fill cybersecurity roles,” Stewart said. “The industry is fraught with high and often unnecessary certification requirements, training requirements that often are barriers to entry.”
Candrick agrees with this assessment. “Gartner advises CISOs to expand where and how they look for cybersecurity talent,” he said. “Cybersecurity job listings typically have criteria that limit the available talent pool. For example, job listings often require a four-year degree, security certifications, and significant previous experience,” but many successful employees can pick up these skills on the job.
“Conversely, clients hire talent that may have cybersecurity skills, but lack the credentials HR typically filters for,” he added.
Increasing diversity should be a priority, Stewart believes. “As long as the field is not as diverse as it should be, we cut out a large cross-section of the population that could be working and innovating on these issues.” Steward is involved in initiatives such as Girl Security, NextGenNatSEc, and ShareTheMIcInCyber, aiming to help bring women and people of color to jobs in the security industry.
“We have to break out of the traditional models for what cybersecurity practitioners look like and what their resume looks like,” Stewart said. “We need to rewrite job descriptions. Some of them cause potential candidates to self-select out, or impose requirements that don’t align to the job as stated.”
For instance: If you’re looking for a junior cybersecurity practitioner, and require a CISSP, which takes five years to accomplish, it “doesn’t align,” she said. “That’s not a junior practitioner.”
Cultivating talent via apprenticeships, or providing on-the-job training are great ways to expand the candidate pool.
Stewart thinks the industry should “reflect” and “broaden the field of a candidate.” To “open the pool of candidates, whether that’s gender, ethnic, racial diversity, or even diversity of experience or so many people trying to transition careers and think about their next phase of life that would be great candidates for cybersecurity,” she said. As the descriptions evolve, the picture of what a successful employee looks like evolves, as well.
If CXOs are looking for the right skills to hire for, Stewart says that “curiosity,” is key. “A penchant to solve really complex challenges, interest in technology, an aptitude for coding languages––because you can even learn those on the job,” she said. The other key element is people skills, she believes. Despite the technical knowledge required for cybersecurity work, “Cybersecurity is focused on people,” Stewart said.
“Whether you are looking at the malicious hacker or the user that you seek to protect, your background and understanding of the business environment, people, and culture are all relevant,” she said. “If you can combine it with an understanding of technology and the desire to learn the specific skill sets of the role, you are a great candidate for a cybersecurity job.”
Stephen Boyce, founder of The Cyber Doctor, has spent his career in cybersecurity—on both sides of hiring. He’s worked in supporting cybersecurity initiatives for the federal government—ranging from the FBI to the US Department of State—and has recruited talent in cybersecurity in both the public and private sector.
As someone who hires cyber talent, he caught himself not always looking past “[a candidate’s] resume or beyond what they have on paper.” It’s critical, he said, for hiring managers to stop comparing candidates’ experiences to their own. “You’re not hiring yourself,” he added. “You’re interviewing someone else who may be at a time, the way in which you went about it, or the path was totally different.”
Boyce also sees unrealistic expectations, on the side of hiring managers. “You’ll have job descriptions that require 10 to 15 years of experience for a technology that hasn’t even been around that long,” he said. “If someone says, ‘I want a Cloud security expert,’ well, the Cloud hasn’t been around for 20 years. It makes you laugh.”
Although he’s got his Ph.D., Boyce doesn’t think the academic route is necessarily critical to be good at cybersecurity. However, candidates are “sometimes overlooked due to not having degrees or checking certain boxes.”
Soft skills are critical for cybersecurity roles, Boyce agrees.
“Ultimately, it’s understanding people. It’s understanding how people interact or don’t interact with these technologies,” he said. “We focus on the technology aspect, but there’s just so much more that really plays and really is all of cybersecurity.”
There’s a lot at stake if employers don’t begin to tackle the cybersecurity talent gap. For one, Boyce says, those with extremely high technical skills could “use their talents for bad,” instead.
The other big risk is losing out on a diversity of viewpoints.
“We really need people from all different walks of life,” Boyce said. “We need people from other disciplines, other avenues, other parts of the world that think differently, to help us with the goal of providing a safe and secure environment in the digital age.”