Fixing the cybersecurity skills gap: Draw on wider talent pools

November 30, 2021 by Danny Bradbury

The cybersecurity sector faces unprecedented challenges, ranging from ransomware to determined nation-state actors. One of the biggest hurdles is finding the people to deal with those issues. How can we source talent to help bridge the gap?

According to the Enterprise Strategy Group, 95% of cybersecurity professionals say that the skills gap hasn't improved in the past few years, while almost half say it has worsened. A heavier workload is a major effect of the skills gap for another 62% of respondents, while 38% complain of burnout as a result.

In the UK, the government has explored sourcing talent from unconventional sources. In analyzing cybersecurity recruitment options, the Department for Digital, Culture and Sport cited several potential avenues. These include training undergraduates with specialized cybersecurity modules and sourcing master's and Ph.D. students.

Training further education candidates

The UK report also recommends recruiting those in further (post-high school) education for entry-level cybersecurity positions.

Companies are identifying and targeting these opportunities. At the end of October, Microsoft launched a campaign to help plug the cybersecurity skills gap by working with community colleges. It will train faculty staff at 150 colleges to teach cybersecurity programs, make free cybersecurity curriculum material available, and offer a scholarship program to 25,000 students. It hopes to train and recruit 250,000 people into the cybersecurity workforce through these channels by 2025.

ISC2's 2021 Cybersecurity Career Pursuers Study found that just half of the cybersecurity employees had computer and information services degrees. It also found that newer workers in the field came from outside IT.

Drawing from talent outside IT

The UK's analysis also identifies another interesting option for cybersecurity recruiters: retraining workers from other industries. This focuses on industries where the skill sets reflect those often seen in the cybersecurity space: risk awareness, discipline, a focus on procedure and attention to detail.

The report identifies the military and law enforcement as fruitful sectors for potential talent. One in three respondents to the ISC2 survey had a military and law enforcement background.

How would companies train those without a grounding in traditional computer science? The most promising route is a cybersecurity apprenticeship. This requires an investment from companies and a commitment to developing talent that would not be immediately productive. However, the advantage is that the company would mold apprentices to its processes and systems, creating a talent base perfectly suited to its cybersecurity posture.

Employers can also work with third-party organizations dedicated to training people from these backgrounds in cybersecurity. IBM's SkillsBuild initiative has worked with SaluteMyJob, an organization that finds work for veterans, to train 500 former UK military service personnel in cybersecurity jobs. AT&T also began working with nonprofit group NPower last year to train veterans for cybersecurity jobs. VetsInTech partnered with Infosec to help prepare veterans for cybersecurity roles by training them on entry-level CompTIA certifications — ending with a Security+ boot camp.

Courting neurodiversity in cybersecurity recruitment

Another untapped source of talent for cybersecurity skills is neurodiversity. People with autism spectrum disorder (ASD), for example, sometimes have the focus on detail and pattern recognition that are so important in cybersecurity analysis. In its 10 on 10 survey of over 6,700 cybersecurity professionals, Bitdefender found almost one in four people agreeing that neurodiverse hires would make cybersecurity defenses stronger.

Companies are eager to source from this talent pool. PricewaterhouseCoopers teamed with Mercyhurst University to train students with autism in cybersecurity jobs, and both IBM and SAP have programs to hire individuals with ASD into cyber jobs.

However, creating opportunities for neurodiverse candidates takes a considered approach, warns Theo van Wyk, head of cybersecurity and solutions at large Canadian IT services company CDW. "The organization has to be aware of neurodiversity needs," he says. "We must make sure that our management skills and interactions adapt to what's suitable for those candidates."

The final alternative talent pools are perhaps the most obvious: under-served gender and racial groups. The UK's National Cyber Security Centre logged female representation in the cybersecurity industry at just 31% — higher than other studies — while 85% of employees were white. One of the easiest ways to bridge the cybersecurity skills gap is to provide more opportunities for women and people of color.

Danny Bradbury

Danny Bradbury is a print journalist, editor, documentary filmmaker and podcast presenter. He has edited several magazines on a freelance basis covering software development and IT security. His freelance clients include the National Post (Canada), TechRepublic, the Australian Fairfax media syndicate (including the Sydney Morning Herald), The Independent Newspaper, The Guardian (London), SC Magazine, Computer Weekly, Investment Executive, the Financial Times, specialist cryptocurrency web site Coindesk.com, IT Pro, The Economist Intelligence Unit and Microscope.

For the past few years, he has been a winner at BT's Infosecurity Journalism awards. His documentary film Epicentre, about the cultural history of the nuclear arms race, was entirely self-funded, researched, filmed and produced. It has been successful on the festival circuit.