We’ve all heard about the cyber skills gap by now. As cyber adversaries grow more advanced and organizations struggle to manage these evolving threats, cybersecurity jobs are getting harder to fill. There are an estimated 2.9 million unfilled openings worldwide, with half a million in North America alone. Meanwhile, 60% of organizations say it takes at least three months to fill an open cybersecurity position.
But what isn’t often talked about is the idea that this gap is not really an industry problem, nor is it the responsibility of job applicants to fill. I believe that responsibility for resolving the skills gap falls squarely on the shoulders of companies and business leaders. Only by taking ownership of this crucial issue and embracing it can companies begin to effectively address it. No matter who you hire, there will likely be a significant gap between their initial skills and the precise skills your organization needs.
Universities, especially those with dedicated cybersecurity programs, can provide a solid educational grounding. However, graduates must still face intense on-the-job training in order to understand a company's particular security environment and needs. Business leaders must shift their expectations and focus on three basic principles to help address this issue: hire for values, not skills; upskill current employees with an effective learning culture; and invest in future generations of cyber defenders.
Hire for Values and Use Robust Training to Fill in Gaps
When hiring cybersecurity talent, it’s unreasonable to expect a perfect technical fit right away. This is why I believe that recruiting based on values is so important. Rather than seeking out specific knowledge, we look for four attributes in all candidates: accountability, helpfulness, adaptability and focus. From there, we see it as our responsibility to fill in the gaps with hands-on training. The idea of a new employee being productive on day one is a myth and can often be harmful. Instead, companies must expect a learning curve with new hires and invest in crucial ramp-up time to give them room to acclimate to a specific work environment, whether their job is in cybersecurity or not.
As a platform for proactive security model management, ReliaQuest has a unique view into hundreds of security environments at some of the biggest companies in the world, which helps us train new hires for the big leagues from the start. We can reproduce the most challenging security scenarios over and over by rebuilding them in a simulated environment. This means that when new team members start, they see these difficult instances 18 times a day. They can learn in five weeks what would typically take 14-16 months. While not all companies have this kind of insight, they can still utilize this type of “learning over the shoulder” training within the specific security environment of the company. This kind of robust new hire training has decreased our employee ramp-up time by 70 percent, allowing us to staff up quickly to meet customer demand.
Upskill Current Employees with Performance-Based Training
Once this new hire training is complete, a company’s job of educating its employees has only just begun. We’ve implemented ReliaQuest University, the company’s dedicated upskilling arm, to continue elevating our employees beyond week one. This ongoing, performance-based training helps our team keep up their technical skills and, crucially, learn how to perform in high-pressure situations.
Imagine a batting cage. Sports trainers in baseball and beyond do everything they can to put athletes in game-time scenarios. But while batting cages create the experience of having high-speed balls thrown at a player, what’s missing are the adrenaline and high pressure of game time. This is where advanced security simulations are impactful. They give employees the technical knowledge they need while also teaching them how to respond when things go wrong in a variety of situations.
Implementing performance-based training in this way has helped us to cultivate essential cyber skills within our own teams and, in turn, promote from within rather than seek out new talent. We’ve promoted from within the company 47 times in 2017 and 70 times in 2018.
Invest in the Next Generation of Security Pros
As cybersecurity becomes integral to the safety of both our business and personal lives, it’s our responsibility to train not only our current employees but the next generation. I take this responsibility very seriously. In 2018, we invested in establishing the ReliaQuest Cybersecurity Labs at the University of South Florida (USF), committing $1 million to the program over five years. Our goal is to inspire young adults and provide them with opportunities to learn more about cybersecurity. The simulation lab provides students with core technical knowledge through 4-week long classes taught by professors and security experts and is open to anyone at the university. Thirty students graduated from the Labs in the fall of 2018, and we were thrilled to hire 11 of them.
Our team is also investing in a younger generation through our support of Junior Achievement, which has exposed around 14,000 5th graders and 19,000 middle schoolers to the cyber industry.
Embrace the Skills Gap and Collaborate Across Industries
The cyber skills gap isn’t going to disappear on its own. It’s time to embrace it and take responsibility for it. It’s up to all of us to take someone who has the desire and ability to learn and provide them with continuous training and development. This enables them to grow their career and ensures that our organizations are defended from a growing number of cyber threats.
What is learned in a training environment and what’s needed in a real-world scenario are two very different things. This is where it’s our responsibility to fill the gap. Some major private and public organizations are already taking the initiative and working to address these problems. For example, the Cybersecurity Talent Initiative pairs private sector agencies like the FBI and the DoD with Microsoft, Workday and Mastercard to train cybersecurity professionals, secure jobs for them and even help pay off their student debt. This kind of cross-sector, creative collaboration coupled with internal ownership of the skills gap will go a long way to address this issue and make the internet a safer place for businesses worldwide.