
The Cyber Security Talent Gap: Developing Staff to Manage Risk

This blog was co-authored by Sean Falconi.

Not a day goes by without news of another large-scale data breach, ransomware attack, or zero-day exploit affecting tens of millions of people. Because attacks are growing in both number and complexity, the need for highly skilled cyber security professionals remains at an all-time high. Despite widespread unemployment caused by the coronavirus (COVID-19) pandemic, and layoffs at some security companies, experts expect that demand for these professionals will only increase.

In this blog, we’ll discuss the cyber security talent gap and how you can develop your workforce to manage risk.

Why Is There Still a Cyber Security Talent Gap?

According to a 2019 survey, The Life and Times of Cybersecurity Professionals, nearly three-quarters of cyber security professionals believe the cyber security skills shortage has affected them. Why are we facing such a shortage of people and skills for this specialized and very necessary profession? One of the challenges is that universities are not graduating enough qualified candidates fast enough to fill the demand for new entry-level employees.

Another issue is that the cyber landscape continues to evolve rapidly, requiring more specialized skills in the workplace. This has pushed major corporations to put less emphasis on a college degree as a prerequisite for a cyber security job. Companies now realize that although a college degree is a great asset, they also need to consider candidates with hands-on experience from the military and trade schools.

Colleges and universities are slowly changing their curricula to meet the demands of the job market. They’re offering more partnerships and internships with security firms and private companies so that students can get their “feet wet” before graduating. There are also more training opportunities outside the classroom now, and a shift toward security and IT certifications in lieu of undergraduate or graduate degrees. But is that enough to fill such a large cyber security talent gap and to identify the right talent? As a recruiting or hiring manager, how can you be confident that the person you’re hiring has enough experience to perform the job?

Establishing Cyber Security Skills Frameworks

There has been some discussion around establishing a governing body or overarching framework to give more structure to the cyber security workforce, similar to the Certified Financial Planner (CFP) certification in the financial services industry. This could help cyber security professionals chart a career path more easily, provide a baseline for employers, and make it easier to determine whether someone is qualified for a particular role.

In the early 2000s, the Department of Defense (DoD) implemented a directive to identify, tag, track, and manage its cyber security workforce. It established a manual that included an enterprise-wide baseline IT certification requirement to validate knowledge, skills, and abilities of people working in cyber security roles.

The directive evolved into a framework that outlined workforce categories and skill levels and aligned them to approved IT certifications. Although it received some pushback, it was a solid tool for tracking and cross-referencing skills. Most importantly, it established a baseline and a structure.

Good to Great: Hiring and Developing Teams

The DoD example is one approach that has worked in the public sector. The question is whether it can be done in the private sector. In his book Good to Great, Jim Collins studied many companies over time and outlined what they did to not only survive but thrive over long periods.

In the chapter “First Who, Then What,” Collins says that great companies make a deliberate and sometimes costly decision to hire the “right” people. The right people, according to Collins, are the ones who can be trusted to go where the company is going and to keep evolving and growing with it, regardless of their current skill set.

The “who” aspect is critically important and applies directly to the cyber security talent gap. For example, suppose you see a job posting asking for someone with 10 years of experience implementing the General Data Protection Regulation (GDPR). That is impossible: the regulation was adopted in April 2016 and has only been enforceable since May 2018. It is likely, though, that there are people experienced in similar implementations, or people who have had some GDPR experience.

Staying with this example, if GDPR implementation is a skills concern for your organization, how do you address it? Hire new people, or build on the skills your employees already have? If you have employees who are strong and adaptable, the cost of training and development will likely be lower in the long term. If you are under the crunch of a timeline, however, growing your own talent may be a luxury you can’t afford, and outsourcing the work or hiring someone who is already an expert might be the better option.

Employers as Educators

If you’d like to grow and develop the team you already have, keep reading. Kurt John, Chief Cybersecurity Officer, Siemens USA offered some recommendations for employers looking to close the cyber security talent gap. John points out that “employers must now view themselves as educators, too.”

Imagine an experienced cyber security professional who has risen through the ranks to a position of leadership and responsibility. While the workload and other duties are likely significant, the company would likely benefit from also looking at the individual as an educator.

Three Training Scenarios

It’s easy to imagine senior leaders saying, “It would be great to get more people like so-and-so. If we could just hire three more, we could go after the opportunity that will take our business to the next level.” A forward-thinking company could recognize the talent that one outstanding employee has and develop a plan for that employee to mentor three existing employees and upskill them.

Let’s model a few training scenarios.

Scenario 1. Expert teaches internally to team.

Team consists of:

  • Senior Cyber Security expert
  • Junior Tech specialist
  • Mid-level Cyber Security associate
  • New hire with average but uneven IT knowledge
  • Marketing team support for training materials, etc.

Risks:

  • Expert may not be a good teacher
  • Employees may not learn as broadly as they could in a formal training session
  • May disrupt deliverables for clients or business
  • Instruction is limited to experience of that person

Benefits:

  • Team learns together
  • Knowledge is likely relevant to clients

Scenario 2. Employees attend formal training.

Risks:

  • Higher cost
  • May have to wait for training opportunity
  • May disrupt deliverables for clients or business
  • Team still needs integration and mentoring after completing training

Benefits:

  • Employees gain broad knowledge
  • Likely certification/education credit

Scenario 3. Employees and expert attend training together.

Like scenario 2, but the expert attends the training with employees, and mentors concurrently.

Risks:

  • Highest cost
  • May disrupt deliverables for clients or business

Benefits:

  • Team learns together
  • Knowledge is likely client relevant
  • Employees gain broad knowledge
  • Likely certification/education credit

In scenario 3 the costs are the highest, but so are the benefits.

Can a Remote Workforce Help Fill the Cyber Security Talent Gap?

Although the challenges of filling the cyber security talent gap are significant, we offer one additional consideration. With most offices still closed and employees working from home, many management teams are seeing first-hand how valuable and productive remote teams can be, and how quickly many employees have adapted and thrived. We anticipate this trend continuing as more businesses warm to the idea of remote cyber security teams. According to a recent study, more employees and employers report benefits, sustained productivity, and comfort with remote work.

By opening requisitions to remote workers, you expand the talent pool far beyond the confines of your city or state, and you may enjoy some cost savings in the process. If you are struggling to find talent in your area, consider recruiting remote workers, including highly skilled cyber security professionals who may be ready to leave cities for less populated areas as long as they have a flexible schedule that lets them work remotely at least part of the time.

Summary

In the short term, take a close look at the requirements listed in your current job postings. Think about who you want on your team long-term, and how you can train and mature the team you already have to meet future demands. Consider where it is more cost-effective to use managed security services instead of building your own security operations center (SOC) or hiring a full-time team of analysts and SOC staff, so that your existing team has more time to focus on strategic issues. Weigh the costs and benefits of each scenario for your organization.

Learn how managed security services can help you fill the skills gap.