Three tips for leaders grappling with the cybersecurity workforce challenge

The last few years certainly haven’t been easy for cybersecurity leaders. A heightened need for cybersecurity driven by increased threat actor activity and destructive malware has come coupled with the cybersecurity skills shortage. The latest (ISC)² report puts the industry at a shortage of 3.4 million skilled cybersecurity professionals globally. But it’s a far more nuanced situation than that. The industry needs people who can bring a mix of technical skills and business understanding to the table. Leaders have an important role to play in filling that specific need.

Here are three strategies for attracting good people into the industry:

Focus on the big picture

Cybersecurity has become a very complex field. It’s easy to get wrapped up in what’s happening in every single domain, whether it’s identity management, security operations center (SOC) or extended detection and response (XDR).

It’s next to impossible to understand all of these individual domains, so it makes sense that there’s been a move toward more specialization and a push toward specific certifications, including certifications tied to products. But in all of this, the big picture can get lost. Organizations need people who can understand the big picture and connect the dots between the many different cyber capabilities available to serve clients and organizations.

In terms of the biggest factors impacting the workforce shortage, many professionals are narrowly focused: they’re chasing certifications or specific product expertise. In that process, they definitely get good at a certain technology, but they don’t always have the ability to move beyond that boundary and do other tasks within cybersecurity. Leaders can play a role in helping to break down some of this pigeonholing and expand breadth of knowledge.

Get really serious about investing in talent

When it comes to talent, it’s not a question of build or buy: it’s both. Companies have to make investments within. Encourage employees to develop new skills; don’t let talent fester. One person might really understand XDR, but it’s important to ensure they gain exposure to other areas and gain additional skills. Let them broaden their horizons and try different security roles.

Companies also need to foster a culture of mentorship. Here are some ways to develop such a culture:

  • Grow the next generation of security talent.
  • Pair junior employees up with more senior employees.
  • Encourage the back-and-forth of information sharing.

This kind of leadership must come from the top, and organizations have to do it in a way that’s structured to ensure it truly happens and doesn’t just become something that looks good on paper or that the organization claims to do, but really doesn’t.

Look for people other than computer science majors

When hiring and investing in talent, keep an open mind. Companies often focus on those coming out of colleges and universities, but don’t overlook those who are further along in their careers. They may not have specific cybersecurity experience, but they have other valuable business and communication skills such as problem solving and critical thinking. It’s quite possible to train these people on the specific security disciplines.

Consider liberal arts and other majors outside computer science and cyber, as well. Often, people with backgrounds outside engineering and computer science will bring a different and unique perspective to aspects of cyber: think threat intelligence, Tier 2 investigation, threat hunting, and research.

Partners can help supplement the organization’s internal resources and fill in organizational gaps. Until the company has the expertise it needs, it’s possible to outsource it. Until the team decides which new technologies it wants to use, it can lean on the partner’s. This will also free up more time and internal energy to make some of the investments mentioned above without worrying that the company has left certain security bases uncovered in the meantime. And the team may decide that working with a partner makes more sense for the company’s particular needs than doing everything in-house.

Companies also need to consider collaboration: public and private entities joining forces to ensure stronger cybersecurity for all involved. There are solutions that organizations can implement in a shared pool model, as well, to share both the cost and the benefit.

Cybersecurity leaders have the potential to make a significant impact on closing the skills gap. Considering those outside the computer sciences field may make sense for many organizations. Everyone wants the perfect hire, but in the pursuit of perfection, companies miss out on other possibilities. I got into cybersecurity because someone took a chance on me. Make the space and the time for employees to grow.

Companies also need to look inward to determine if the team has leveraged technologies, processes and people in the right manner to solve the perceived skills shortages. Maybe it's not so much a talent shortage, but more the need to improve efficiencies in the cybersecurity arena.

As cybersecurity concerns compound, it's important to look closely at the organization’s own security shortcomings, whether it’s head count, technology, or both. Then based on the findings, have the conviction to make the decisions that will keep the organization’s network and data safe.

Amit Gandre, CEO, Americas, Inspira Enterprise