A 2022 study from cybersecurity training and certifications non-profit the International Information System Security Certification Consortium (ISC)² found that the worldwide gap of cybersecurity workers totals 3.4 million. The need to fill those positions is unlikely to lessen in the near future and securing the right talent to stay ahead of threats can seem like an insurmountable task. “Because threats and technology are outpacing security capabilities, the most urgent skill sets of the future sometimes aren’t even identified yet, let alone taught at scale,” says Jennifer Addie, COO and strategy director at cyber accelerator program MACH37.
Yet, there are ways to secure and retain cybersecurity team members in the face of today’s challenges. Eight experts share how they view the need for cybersecurity talent and offer insight into strategies to fill the skills gap.
1. Make cybersecurity more accessible
Cybersecurity is undoubtedly a technical field but refusing to step outside of those technical boundaries can make it less likely to attract people who could be a good fit for these positions. The way people talk about cybersecurity, the language and framing used, are worth considering when trying to make the field more accessible.
“What we’re looking to avoid is conveying any sort of technical elitism that makes others feel less welcome, less worthy of joining, or unable to understand when they are actually very able,” Addie explains. This can apply to the way cybersecurity is talked about in educational programs and even job listings.
2. Widen your search parameters for cybersecurity hiring
When organizations start to think about accessibility, they can broaden the potential talent pool for cybersecurity hiring. Not every viable cybersecurity job candidate needs to fit in the same box. Kevin Cross, CISO at technology solutions company Dell Technologies, offered himself as an example of someone who might have been overlooked for a job in cybersecurity. He has a degree in kinesiology; he did not start on the traditional STEM path.
“Be open to applicants with the right aptitude, forgoing some of the more formal requirements like product or industry-specific knowledge,” Johannes Ullrich, dean of research at IT and cybersecurity training company SANS Institute of Technology, recommends.
3. Find ways to attract underrepresented groups of people
Women account for 24% of the cybersecurity workforce, according to an (ISC)² Cybersecurity Workforce Report. Just 9% of the cybersecurity workforce is Black; 8% is Asian; and 4% are Hispanic, according to a the 2021 Diversity, Equity, and Inclusion in Cybersecurity report from policy program Aspen Digital.
Finding ways to attract more diverse candidates for cybersecurity jobs could help fill more roles. “Prioritizing diverse hiring can help your company get an edge over other competitors in the market when it comes to recruitment of potential talent,” says Travis Lindemoen, managing director of IT staffing agency Nexus IT Group.
How can companies approach diverse hiring? “If you want to be able to hire diverse candidates and underrepresented minorities, some of the things that [you] need to do, and things that we’ve done ourselves, is ensure that you’re putting inclusive language and narratives into your communications, into your job descriptions,” says Cross.
Companies can also look to foster partnerships with organizations that help to promote diversity in the workforce. For example, Dell Technologies works with historically black colleges and universities (HBCUs). The HBCU Partnership Challenge, launched in 2017, aims to increase career prospects for HBCU students. In 2023, Cybersecurity and Infrastructure Security Agency (CISA) announced a partnership with nonprofit Women in CyberSecurity (WiCyS) to work on addressing the gender gap in cybersecurity and technology.
4. Develop strategies that work for your organization
Looking at industry-wide strategies is valuable for organizations working to bolster cybersecurity talent, but flexibility and knowing company-specific needs is also important.
“Particularly in cyber, companies sometimes blindly adopt practices and philosophies just because other tech organizations have done the same,” says Abby Payne, chief people officer at identity and access management provider SailPoint. “While it’s always smart to be aware of employee trends in industry, developing strategies that are aligned with specific needs inside an organization is a much more effective approach. One size just doesn’t fit all.”
5. Take the time to learn want candidates want
When companies seek to fill a role, the hiring team often has a vision of the perfect candidate. But in an industry where hiring is a competitive sport, organizations also have to consider what top talent is looking for in an employer. “What are you doing as a company to be a place where people want to work?” Dell’s Cross asks.
Pay and benefits are at the top of the list. “By not budgeting properly, companies cannot compete effectively in the recruitment landscape nor offer compensation packages sufficient to keep top notch talent,” Lindemoen contends.
Competitive compensation and benefits are important, but not all organizations have pockets deep enough to offer the best packages available to cybersecurity job candidates. Pay certainly plays a big role in job candidates’ decisions, but so does flexibility.
The remote versus in-office debate continues, but organizations that embrace flexible working environments for their employees may find more interested applicants. “Companies that can find ways to offer remote work will not only be able to offer a more attractive job to many candidates, but they will also significantly increase the geographic reach of a job, covering many more candidates that would not consider relocation,” says SANS Institute’s Ullrich.
6. Provide people with growth opportunities
Professional development benefits both employer and employee. Offering paths to career progression helps employees feel valued, and those new skills they learn help employers keep up with rapidly evolving cybersecurity needs. “We emphasize ‘re-recruiting’ our team (or ‘crew’) by giving them opportunities to gain new skills, take on new responsibilities, and showing them that their contributions are valued,” Payne says.
Pairing growth opportunities with mentorship can also incentivize employees to stick with a company. “Investing in retention through mentorship/leadership development program has proven successful for cultivating close knit teams with low attrition rates,” Nexus IT Group’s Lindemoen says.
7. Make security a cultural value
Security does not operate in a silo. It affects every aspect of a company’s operations. Recognizing the importance of cybersecurity and weaving into the culture of a company shows team members their work is valuable, and it makes it a shared responsibility.
“Understanding that security is everyone’s responsibility will have a huge impact, especially against dealing with social engineering and targeted phishing attacks,” says Manikandan Thangaraj, vice president of IT management software company ManageEngine. “With a reduced workload, security professionals can spend their time and effort defending sophisticated threats and stepping up a proactive security strategy. This will reduce burnout by a greater extent and help retain skilled talent.”
Cybersecurity professionals may be less eager to search for a new job if their company understands the value of security. “Working for an organization where what you do not only matters but is also valued is a welcomed surprise for most cybersecurity professionals,” says Michael Scott, CISO at data security company Immuta.
8. Don’t underestimate burnout
The work of cybersecurity teams is never done. The threat landscape continues to grow with new actors and attack vectors emerging constantly. The pressure to stay ahead of those threats can easily lead to burnout among cybersecurity employees. And 84% of security professionals report feelings of burnout, according to a 2021 report from password management company 1Password.
Burnout can lead to attrition, which puts companies right back into the thick of the hiring competition. “Providing and encouraging needed PTO is really important in this industry,” Josh Wiggs, talent acquisition expert for cybersecurity company Conquest Cyber.
9. Get involved in early education
Companies that need cybersecurity talent can play a role in helping students learn about the field and prepare for their careers. “Fostering relationships within academic institutions can yield much needed success against this talent shortage problem; especially if you target universities with robust IT/cybersecurity programs,” Lindemoen points out.
Engaging with students in universities, high schools, and junior high schools can help a new generation understand cybersecurity earlier and build interest. While getting involved in education does not solve the immediate need for talent, that need will always be there.
“Some might argue that early education means that those employees won’t be here for another 15 years, but that time goes quickly, and in cyber, we see students as early as elementary school functioning at very high levels technically, so that talent may not be so far away after all,” Addie says.
10. Establish internship programs
Internship programs are common in many industries, and they could be a useful recruiting tool in cybersecurity, according to Wiggs. “While these programs require effort to stand up and maintain, the long-term payoff is well worth the investment,” he says. “Creating these internships and apprenticeships is an extraordinary opportunity to attract and retain talent.”
11. Consider outsourcing
With talent in such high demand, not every enterprise will be able to retain a full in-house cybersecurity team. Many companies opt for a hybrid model, outsourcing some functions and keeping some internal.
“Organizations, based on their maturity level, can also seek help from managed service providers to streamline their security operations,” says ManageEngine’s Thangaraj. “This doesn’t always mean outsourcing the entire security operation, rather it can mean being able to rely on assistance from security professionals when needed.”
12. Leverage automation
“Data, technology, infrastructure: everything’s expanding at a rapid rate, and we can’t keep throwing bodies at the problem,” Cross argues. While cultivating and finding human talent remains vital, companies can also consider the ways in which technology can be used to automate cybersecurity.
“Investing in tools and technologies that automate level-one threat mitigation will not only reduce the impact surface but also help security professionals to effectively hunt for more advanced threats,” Thangaraj says.
Read the original article HERE