The cybersecurity talent gap is well documented and well known throughout the cybersecurity industry. Not surprisingly, CISOs believe this problem will continue to worsen, resulting in understaffed security teams defending organizations against sophisticated cyberattacks.
By AJ Yawn, Cloud Security Expert
The recent CISO Mag Cloud Security Survey demonstrated the concern senior executives have regarding the industry’s talent shortage:
- 45% of respondents stated that a skill gap in the security team is a top security concern
- 34% of respondents stated that personnel being insufficiently trained on cloud security is a top security concern
- 43% of respondents stated that a lack of skillset to understand security implications is a major concern
There is no magic bullet to solve the cybersecurity industry’s hiring and retention issues. However, I suggest CISOs and senior executives consider the following three practices to help close the cybersecurity skills gap at their organizations.
Invest in Your Own People
The skills gap can be attributed to a self-inflicted wound — organizations are not investing in their current security employees. The employee training discussed here is not annual security awareness training but investment in upskilling your cybersecurity workforce. Organizations should be making monetary contributions to incentivize training such as reimbursement for certifications, paying for training resources, practice tests, promotions, pay raises, and more.
This investment may also involve cultural changes. The organization has to provide employees with time to spend on professional self-development. In their off time, employees should not be forced to choose between learning a new work-related skill and spending time with their families. A strong culture encourages internal employees to work on personal development during work hours and sets up systems that allow it. This culture is okay with sending its best employees to training events that may take them away from day-to-day operations for a week or more at a time.
The culture of relentlessly improving internal security professionals will have profound benefits for the organization. When hiring externally, organizations invest time and resources training new employees on internal business practices, tools, and culture. This is time and money that can be saved by investing the same time and resources into training internal employees who are intimately familiar with the business and tools.
Let’s make this concept tangible. An example organization (ABC Company) is hosted on Microsoft Azure and is considering expanding to a multi-cloud infrastructure. Management is planning to use Amazon Web Services (AWS) for its second cloud environment. ABC Company has a team of experienced Azure engineers and security professionals but no one comfortable leading an AWS migration project. In this situation, most organizations opt to hire an external AWS expert to lead and train their team.
There are benefits to hiring externally and, as I’ll discuss below, if an organization does hire externally, it should clearly state the skills needed in the job description. However, this is a great opportunity to train an internal Azure engineer on AWS. Invest the time and resources in creating an internal multi-cloud and ABC Company expert. The benefits trickle down. ABC Company now has a multi-cloud expert to lead its migration to AWS as well as a more experienced team of Azure professionals who had to step up while the multi-cloud expert was being trained.
Change the Way Job Descriptions Are Written
When organizations do seek to fill cybersecurity positions from outside the company, creative job descriptions have been a hindrance to finding great candidates. Cybersecurity leaders must be intimately involved in creating, drafting, and refining job descriptions in order to attract the right candidate for the organization. Job descriptions that are poorly worded, confusing, and unrealistic will discourage qualified candidates from applying. Or worse, qualified candidates apply but are rejected by the applicant tracking system because they don’t meet arbitrary requirements that have little impact on a person’s ability to perform the necessary duties for the position.
CISOs and other cybersecurity hiring managers have a responsibility to maintain active involvement in creating and publishing job descriptions. By taking responsibility for the job description production process, security leaders can ensure that recruitment efforts are focused on the actual skills needed for the position, skills that are requisite for your budget, and the necessary duties. Job descriptions should not ask for an entry-level help desk candidate, offer to pay them below the average salary for an entry-level employee, and at the same time require 10 years of experience, 5 certifications, and a Master’s degree.
This does not make sense. Security hiring managers have an obligation to their organization and the cybersecurity industry to ensure job descriptions accurately reflect the needs for the position.
Hire More Minorities
It is impossible to solve the cybersecurity skills gap by continuing the same hiring and development practices in the industry. Studies have found that the U.S. cybersecurity industry has slightly higher minority representation (26%) than the overall U.S. minority workforce (21%). However, these studies revealed that minorities are not holding managerial positions, and they are being paid less than their white counterparts. Similarly, women in cybersecurity make up only 20% of the workforce and are paid less than their male counterparts on average. The lack of management positions, low percentage of women in the industry, and pay discrepancies are disturbing. Among the most disappointing data points are the statistics on Black employees at top tech companies:
- 9% at Salesforce
- 8% at Facebook
- 4% at Slack
- 5% at Microsoft
- 6% at Twitter
- 6% of Google’s leadership is Black
The industry can close the skills gap by hiring more women and minorities. Creating pipelines into the field from schools and regions where organizations do not currently invest time and resources should be a priority for cybersecurity leaders. Additionally, unconscious bias must be removed from hiring practices. These simple, essential steps will open the door for women and minorities to succeed in the cybersecurity workforce. A commitment to diversifying the field starts with individual CISOs finding new ways to attract, hire, and retain talented women and minorities.
Fixing the Talent Shortage Starts Now
Investing in internal employees, fixing job descriptions, and hiring diverse professionals are three actions CISOs and senior executives can take to shrink the cybersecurity skills gap. This problem will be solved at the individual practitioner and individual company level. Cybersecurity professionals are critically important. It is scary to think that, in times of increasing cybercrime, there will be 3.2 million unfilled cybersecurity jobs in 2021. To fix this, status quo hiring and development of cybersecurity professionals must change now, not only to close the gap but to protect our interconnected way of life.
About the Author
AJ Yawn is a cloud security subject matter expert who possesses over nine years of senior information security experience and has extensive experience managing a wide range of compliance assessments (SOC, ISO 27001, HIPAA, etc.) for a variety of SaaS, IaaS, and PaaS providers. He has earned several industry-recognized certifications, including the CISSP, AWS Certified Security Specialty, AWS Certified Solutions Architect-Associate, and PMP. AJ is involved with the AWS training and certification department, volunteering with the AWS Certification Examination subject matter expert program.
CISO MAG did not evaluate/test the products mentioned in this article, nor does it endorse any of the claims made by the writer. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same. CISO MAG does not guarantee the satisfactory performance of the products mentioned in this article.