Fixing the cybersecurity skills gap: Draw on wider talent pools
The cybersecurity sector faces unprecedented challenges, ranging from ransomware to determined nation-state actors. One of the biggest hurdles is finding the people to deal with those issues. How can we source talent to help bridge the gap?
According to the Enterprise Strategy Group, 95% of cybersecurity professionals say that the skills gap hasn't improved in the past few years, while almost half say it has worsened. A heavier workload is a major effect of the skills gap for another 62% of respondents, while 38% complain of burnout as a result.
In the UK, the government has explored sourcing talent from unconventional sources. In analyzing cybersecurity recruitment options, the Department for Digital, Culture and Sport cited several potential avenues. These include training undergraduates with specialized cybersecurity modules and sourcing master's and Ph.D. students.
Training further education candidates
The UK report also recommends recruiting those in further (post-high school) education for entry-level cybersecurity positions.
Companies are identifying and targeting these opportunities. At the end of October, Microsoft launched a campaign to help plug the cybersecurity skills gap by working with community colleges. It will train faculty staff at 150 colleges to teach cybersecurity programs, make free cybersecurity curriculum material available, and offer a scholarship program to 25,000 students. It hopes to train and recruit 250,000 people into the cybersecurity workforce through these channels by 2025.
ISC2's 2021 Cybersecurity Career Pursuers Study found that just half of the cybersecurity employees had computer and information services degrees. It also found that newer workers in the field came from outside IT.
Drawing from talent outside IT
The UK's analysis also identifies another interesting option for cybersecurity recruiters: retraining workers from other industries. This focuses on industries where the skill sets reflect those often seen in the cybersecurity space: risk awareness, discipline, a focus on procedure and attention to detail.
The report identifies the military and law enforcement as fruitful sectors for potential talent. One in three respondents to the ISC2 survey had a military and law enforcement background.
How would companies train those without a grounding in traditional computer science? The most promising route is a cybersecurity apprenticeship. This requires an investment from companies and a commitment to developing talent that would not be immediately productive. However, the advantage is that the company would mold apprentices to its processes and systems, creating a talent base perfectly suited to its cybersecurity posture.
Employers can also work with third-party organizations dedicated to training people from these backgrounds in cybersecurity. IBM's SkillsBuild initiative has worked with SaluteMyJob, an organization that finds work for veterans, to train 500 former UK military service personnel in cybersecurity jobs. AT&T also began working with nonprofit group NPower last year to train veterans for cybersecurity jobs. VetsInTech partnered with Infosec to help prepare veterans for cybersecurity roles by training them on entry-level CompTIA certifications — ending with a Security+ boot camp.
Courting neurodiversity in cybersecurity recruitment
Another untapped source of talent for cybersecurity skills is neurodiversity. People with autism spectrum disorder (ASD), for example, sometimes have the focus on detail and pattern recognition that are so important in cybersecurity analysis. In its 10 on 10 survey of over 6,700 cybersecurity professionals, Bitdefender found almost one in four people agreeing that neurodiverse hires would make cybersecurity defenses stronger.
Companies are eager to source from this talent pool. PricewaterhouseCoopers teamed with Mercyhurst University to train students with autism in cybersecurity jobs, and both IBM and SAP have programs to hire individuals with ASD into cyber jobs.
However, creating opportunities for neurodiverse candidates takes a considered approach, warns Theo van Wyk, head of cybersecurity and solutions at large Canadian IT services company CDW. "The organization has to be aware of neurodiversity needs," he says. "We must make sure that our management skills and interactions adapt to what's suitable for those candidates."
The final alternative talent pools for cybersecurity talent are perhaps the most obvious: under-served gender and racial groups. The UK's National Cyber Security Centre logged female representation in the cybersecurity industry at just 31% — higher than other studies — while 85% of employees were white. One of the easiest ways to bridge the cybersecurity skills gap is to provide more opportunities for women and people of color.
Sources
- ESG: Cybersecurity Skills Crisis Continues for Fifth Year, ISSA.org
- UK DDCMS: Understanding the Cyber Security Recruitment Pool, Gov.UK
- Microsoft: America faces a cybersecurity skills crisis, Microsoft
- ISC2: 2021 Cybersecurity Career Pursuers Study, ISC2
- Bitdefender: 10 in 10 Report, Bitdefender
- Mercyhurst will train students with autism for cybersecurity work, Times Online
- NCSC: Decrypting Diversity, NCSC