Closing the Cybersecurity Talent Gap

Despite recent layoffs announced by Amazon, Google, Microsoft, and others, some tech professionals remain in short supply, particularly skilled and creative cybersecurity experts. To find the professionals needed to protect their systems against cyberattacks, IT leaders are increasingly turning to various creative approaches.

Cybersecurity talent remains in high demand for 2023 and is predicted to remain in demand for the foreseeable, says Doug Glair, cybersecurity director with technology research and advisory firm ISG. “To address this challenge, companies must leverage traditional HR recruiting, hiring, and retention strategies, along with some non-traditional strategies, to address the ongoing demand.”

Always network with relevant contacts in your field, advises John Burnet, vice president of global talent at AI-based SaaS platform provider Armis. “Whether the need is right now or around the corner, proactivity is the name of the game when looking for great talent.”

To succeed in today's competitive cybersecurity job market, organizations must look for talent in adjacent fields, both externally and within their own organization, says Jon Check, executive director of cyber protection solutions at Raytheon Intelligence & Space. “Employees who are looking to change career paths, or simply try a different role within the cybersecurity industry, can be ideal candidates for additional security training,” he explains.

Qualifications and Certifications

As always, the most sought-after cybersecurity professionals are those with the strongest credentials.“Certifications such as CISSP and CISM demonstrate that individuals have technical capability and are putting effort into their careers,” says Richard Watson-Bruhn, privacy and cyber security expert at professional services firm PA Consulting.

It pays to be flexible when facing a scarce candidate market. “Over the past few years, we've learned that a cyber degree or typical cyber background isn’t necessarily a requirement to be a successful security professional,” Check says. “What matters … are the characteristics or ‘soft skills’ that an employee exhibits.” An intelligent, promising candidate can acquire specific skills by working alongside experienced colleagues.

Meanwhile, many enterprises will only hire people with proven cyber experience. “This dramatically shrinks the candidate ocean into a candidate pool,” Burnet observes. He notes that it's better to focus on values, traits, and behaviors rather than a degree or dated qualification. Burnet also advises leaders to reevaluate their organizations' onboarding program “to give promising new hires the best experience and accelerated learning journey.”

Fresh Approaches to Candidate Searches

Cybersecurity is often viewed as just another technical talent field, yet candidates are expected to possess a wide range of rapidly evolving knowledge and skills. When filling staffing gaps, leaders should examine the skill sets that are missing from their current team, such as creative problem solving, stakeholder communications, buy-in development, and change enablement. “Look for candidates who will help balance out existing team skills as opposed to individuals who match a specific technical qualification,” Glair says.

Before hiring can begin, it's necessary to attract suitable candidates. Initial search steps should include website updates and social media posts, Glair says. He also suggests creating an internal “cybersecurity academy” that will build talent from within the organization. “This should include the technical, process, communications, and leadership skills needed to address today’s cybersecurity challenges,” Glair notes.

Burnet recommends sponsoring a “sourcing jam.” “That means getting recruiters and/or hiring managers in a room together ... to trawl through their networks and get them to personally reach out.”

It's easy to forget that cybersecurity is still a relatively new field. “There are many people who couldn’t, or didn't, discover cybersecurity as a first career, but have all the right talents to excel in the field,” Watson-Bruhn says. “Retraining programs can find people who perhaps have a first career in marketing or teaching, who can become skilled members of the team and bring wider knowledge and different views from their first career.”

Possible Pitfalls

Flexibility is essential when searching for cybersecurity candidates. Requiring individuals to meet all of the criteria set can lead to finding nobody or individuals who think alike with similar backgrounds to the person setting the criteria, Watson-Bruhn warns. Meanwhile, flexibility can sometimes lead to pleasant surprises. “Often, the best talent ends up missing something you expected in one area, but brings something completely new,” he says.

Another common mistake is restricting talent searches to individuals with traditional academic backgrounds. “While there are many distinguished university programs that are specifically focused on preparing students to enter the cyber workforce, often … these programs can’t fully train the students on the hard skills they will need for their future cyber careers,” Check says. This apparent drawback actually provides the opportunity to hire candidates with other types of academic degrees, which can be complemented by on-the-job cyber training. “By overlooking this group, organizations are limiting the potential these new nontraditional hires could bring to their companies,” he notes.

Approaches for attracting, hiring, and retaining cybersecurity talent should be embedded into every enterprise’s cybersecurity strategy. “This means investing in cultivating, maintaining, and evolving the culture of the organization so people -- the most important asset -- are top priority,” Glair says. “This includes focusing on recognition, rewards, flexible work practices, clear progression paths, open communications and feedback, performance-based incentives, and learning and development programs.”

What to Read Next:

6 Worthless Security Tactics That Won't Go Away

CISO Budget Constraints Drive Consolidation of Security Tools

What Ukraine's IT Industry Can Teach CIOs About Resilience