Recent news headlines are clear on one thing: there is a massive shortage of cybersecurity experts in the industry. Cyberattacks are permeating every commercial and government sector yet the talent pool of defenders can’t keep pace. When data is compromised and there aren’t enough experts to secure the front lines, we ALL are at risk of identity theft, monetary losses, reputational damage, fines, and operational disruption—to name a few.
With more than one in four organizations experiencing an advanced persistent threat (APT) attack, and 97 percent of those APTs considered a credible threat to national security and economic stability, it’s no wonder the skills shortage is on everyone’s mind.
A report from Frost & Sullivan found that the global cybersecurity workforce will have more than 1.8 million unfilled positions by 2020. It begs the question: what’s causing such a shortage? According to a Deloitte report, the lack of effective training opportunities and risk of attrition may be to blame.
The Search for Cyber Talent
Given the pervasive nature of cybersecurity attacks, enterprises can’t afford to wait around for premier talent to walk through the door. Companies need to take a proactive approach to hiring qualified talent—and, yes, it takes effort. Through proper training and education, companies can build highly skilled teams of defenders to face ever-increasing threats.
Everything from digital forensics to computer languages to network defense to cybersecurity law should be skills that candidates possess or are willing to learn immediately. In today’s training and education landscape, where traditional cyber training classroom settings prove ineffective at preparing professionals for real-world attacks, companies need to adopt a paradigm shift during their talent search—being comfortable hiring for character and cultural fit first, then training for skills development.
Instead of brooding over the current staffing shortage realities, enterprises can take proactive action to combat the talent gap with these search strategies:
Fill the talent pipeline
Consider hiring people with different industry backgrounds or skill sets to bring new ideas to the table. Sometimes, getting an “outside” perspective on the challenges firms are facing sheds a new light because they notice nuances and inconsistencies that internal teams, who are in the day-to-day, may not see immediately. Look for passionate candidates with an eagerness to learn. Companies today are prioritizing skills, knowledge, and willingness to learn over degrees and career fields because they know that some things cannot be taught in a classroom, such as curiosity, passion, problem-solving, and strong ethics.
Look for individuals with real-world experience
If you happen to have candidates in your pipeline who have industry knowledge, ask about their real-world experience. Inquire about the kinds of things they’ve learned in their previous position and get them to share how they remedied attacks. Create a checklist of skills you desire from a candidate that may include identity management, incident response management, system administration, network design and security, and hacking methodologies, to name a few. Learning how they dealt with real situations will reveal a lot about their personality, character, and skill set.
Re-examine job postings
Often a job posting is the only thing compelling a candidate to apply for a position. If the job posting is simply a laundry list of skills requirements and degree preferences, it may deter candidates who have those skills but also seek to work for a company that values innovation, creativity, and strategic vision. Read descriptions carefully to determine if they portray the culture of your organization. If a cultural vibe is lacking, it may be time to inject a sense of corporate personality to attract the right candidates.
Provide continuous professional development opportunities
With advances in technology, professionals need to be on top of the latest trends and tools to succeed in their job. That is why it is vital to re-skill and consistently train your existing cyber team so they can successfully prepare for anything that comes their way—and you can retain your top talent. Conferences, webinars and certifications are not for everyone—so it is important to find growth opportunities that employees want to pursue for both their personal as well as their professional benefit.
Create a culture of empowerment for retention
CISOs can set expectations early in the hiring process so candidates understand how their specific role impacts the organization. For example, during the interview process, notify candidates of your expectation that they be “students of the industry” who stay on top of security news and happenings. Gartner advocates for a “people-centric security” approach where stacks of tools are secondary to the powerful human element of security. Additionally, send out quarterly or bi-monthly roundups of the latest cybersecurity news and events to keep your team abreast of current affairs. Making it as easy as possible for them to be “students of the industry” increases the likelihood that they will remain current on industry developments and engaged in their role.
Invest in Training to Cultivate Talent
Executives are demonstrating their support for strong info security programs by increasing hiring budgets, supporting the development of info security operations centers (SOCs) and providing CISOs with the resources they need to build strong teams. With the right talent, you will have a better chance of successfully defeating attackers, staying aware of current threats, and protecting your team, your company—and your job. These strategies will go a long way in preventing future attacks and preparing staff and systems to respond when things go awry. The cybersecurity staffing shortage is no longer just a cybersecurity department issue—it’s a global business risk issue.