What can organizations do to capitalize on the current fluidity in the job market in order to bring fresh cybersecurity talent into the fold?
We all know there’s a cybersecurity skills shortage. Across the globe, the shortfall of talent is now measured in the millions. We’ve also all heard about the Great Resignation: a once-in-a-generation period of upheaval in the job market as workers reappraise their career paths following the pandemic. At first sight, this would appear bad news for industries like cybersecurity where demand for skills is already so high. One recent US study claims that nearly three-quarters (72%) of employees working in IT roles are thinking of quitting their job in the next 12 months.
However, look beyond the gloom and there may actually be an opportunity here for employers, if they choose to take it. With the right hiring policy, organizations can actually capitalize on the volatility of the job market to attract fresh talent into the fold. That way, they can improve their security posture and pursue secure digital transformation, as well as encourage innovation as an essential driver of progress.
Why security has a skills challenge
A new study from industry body ISACA features insight from more than 2,000 cybersecurity professionals around the globe. It claims that 63% have unfilled security positions, up 8% year-on-year, and 62% feel their teams are understaffed. A fifth say it takes over half a year to even find qualified candidates for open positions.
The bad news continues. Some 60% of respondents report problems retaining their existing staff, up 7% from the previous year. The main reasons talent is leaving are:
- Being recruited by other companies (59%)
- Insufficient salary/bonus (48%)
- Limited career advancement opportunities (47%)
- High stress levels (45%)
- Poor support from management (34%)
The findings chime with other industry research. According to (ISC)², the global cybersecurity skills shortfall now stands at 2.7 million workers globally, including nearly 200,000 in Europe. And in the UK, half of security leaders claimed recently that they are thinking about resigning due to stress and burnout.
A bad time to lose skills
At a time when 43% of organizations told ISACA they experienced more attacks last year, skills shortages are making them less secure. According to the (ISC)² report, the top consequences of staff shortages are:
- Misconfigured systems (32%)
- Not enough time for proper risk assessments (30%)
- Slow patching of critical systems (29%)
- Oversights in process and procedure (28%)
There are ways to mitigate the shortfall in talent. Automation and machine learning (ML) can take on some mundane processes and free up staff to work on more important tasks. But organizations still need humans to train and interpret the results from many ML systems. Outsourcing is another option, but it can be expensive and providers often don’t have sufficient knowledge of client organizations.
Where’s the opportunity?
That’s the bad news. But peer through the clouds and there are some rays of hope just beginning to poke through. The truth is that traditional ways of hiring have long contributed to the security skills crisis. Too many organizations look for accreditations and university degrees in candidates. In some cases, hiring managers never even get to interview potentially able candidates because automated HR software has filtered them out.
Yes, a certain amount of technical acumen is of course required. But a lot of it can be taught on the job. Much harder to teach are skills like:
- Problem solving
- Interpersonal/communication
- Attention to detail
- Simplifying the complex
- Curiosity
- Strategic thinking
All of these are arguably just as important as accreditations and degrees. In fact, the top skills gap ISACA survey respondents said they see in today’s professionals is soft skills (54%). Blinkered hiring policies have also contributed to a lack of diversity in various industries. This means employers are missing out on new perspectives and diverse ways of thinking that could add tremendous value to their security teams, not to mention help address persistent skills shortages.
Time for change
So what can employers do to tap the Great Resignation and capitalize on the current fluidity in the job market? Ten things spring to mind:
- Don’t focus just on accreditations, certifications and university degrees, but consider actual experience and appetite to learn
- Retrain those HR algorithms to ensure they’re not unduly filtering out potentially suitable candidates
- Change the hiring culture to one where there’s more focus on training candidates on the job
- Appeal to talent inside the organization in adjacent departments such as IT
- Reach out to talent outside the organization, in roles including mathematics, database management, and even former military operatives
- Offer improved support for single parents and mums returning to work after having a child. Many may be considering a career move after taking a break
- Increase salary packages to reflect the high-stress nature of many security roles and the criticality of the function to the business
- Do more to retain existing staff through mentorship and career development plans
- Set diversity goals and stick to them
- Eradicate pay and promotion gaps
This certainly isn’t an exhaustive list. By being more creative with their hiring and evolving the culture around cybersecurity, employers could actually benefit from this unique time in the labor market. As threats mount, they certainly need to pull out all the stops.