
Solving the Cybersecurity Talent Shortage is a Matter of Attitude, Not Aptitude

Jesse Miller, CISO, Stratosphere Networks

It’s reaching a “danger level” and ballooning at a “frightening pace.” That’s how news stories describe the cybersecurity talent gap, an international issue that has become the focus of numerous studies and reports as the demand for skilled IT security professionals outpaces the supply of qualified candidates.

The global shortfall of cybersecurity personnel reached approximately 3.12 million last year, according to the 2020 (ISC)² Cybersecurity Workforce Study. To adequately safeguard the vital assets of organizations around the world, the IT security workforce would need to expand by 89 percent, the study states.

At a time when businesses face an onslaught of increasingly sophisticated threats and the rise of remote work has created new points of vulnerability, this scarcity of knowledgeable security professionals has become a significant cause for concern. One in three IT decision-makers says the talent gap has made their organization a more attractive target for hackers, and one in four reports that a lack of cybersecurity staff has led to data loss from cyberattacks, according to the report “Hacking the Skills Shortage” from McAfee.

What’s the solution to this crisis threatening the data security of companies everywhere? We have to do something to ensure businesses have a fighting chance against the hordes of cybercriminals plotting against them. While it might seem like a lack of aptitude is at the heart of this predicament, the real root of the shortage is our attitude and a focus on current expertise instead of potential mastery.

What’s Behind the Cybersecurity Talent Gap

Generally, coverage of this issue details a lack of “qualified” candidates for cybersecurity jobs. The majority (70 percent) of cybersecurity professionals report that fewer than half of the people who apply for IT security jobs possess the necessary knowledge and skills, according to research conducted by ISACA, a global professional association with members who work in cybersecurity, infosec, governance, risk, assurance and privacy. Educational attainment doesn’t help much either: Only 27 percent of security pros say recent graduates with cybersecurity degrees have the soft and technical skills required for jobs in the field. But is this sentiment really accurate? Why do so many people who try to enter the field of cybersecurity – even after obtaining a relevant degree – fail to “make the cut”?

The boilerplate consensus reads something like this:

"The rapid pace of change in the IT security world and the non-stop emergence of new threats makes it incredibly challenging to become and remain an expert. Additionally, many sub-fields in the industry now require highly specialized training, Tim Herbert, executive vice president of research and market intelligence at CompTIA, told Channel Futures. That means degree programs quickly become outdated, and it’s subsequently difficult to obtain all the competencies needed to even get considered for a position."

How to Solve the Security Skills Shortage: Recognize Potential Instead of Searching for Pros

Hearing all of this, it can seem impossible to break into the field from the outside looking in, and in my experience talking to entry-level individuals in this position, it can dissuade them from even trying – causing us to miss out on raw talent that would likely lead to rockstars in the field! That brings me to my point: Ultimately, there isn’t truly a talent shortage. Hiring managers need a mentality shift. There are smart and driven people out there who want to work in cybersecurity; they just need an entry point and some mentoring/guidance. Giving these potential pros the opportunity to learn and investing in training them will do much more to remedy your organization’s skill shortage than shutting them out and trying to attract the few already highly qualified security professionals – i.e., the unicorns. That’s no way to run a hiring program.

In a blog entry titled “Cyber Workforce Crisis and How to Solve It,” CompTIA suggests that employers can address the skills gap by encouraging continuing education and giving their staff members the support needed to complete IT certifications. Similarly, the Varonis blog entry “Solving The Cybersecurity Skills Shortage Within Your Organization” recommends identifying people with personality traits that will enable them to succeed in the role instead of focusing on technical skills. By changing our attitude toward investing in training and toward who we classify as qualified, businesses can overcome the staffing crisis and build stronger security teams.

One example of this mindset in action is IBM’s New Collar program, which paves the way for people with “the right mix of skills and a commitment to lifelong learning” to land jobs in tech fields like cybersecurity, according to the IBM Training and Skills blog. At Stratosphere Networks, we’ve similarly created a pathway to help people in other roles who are interested in getting into cybersecurity develop the necessary capabilities. It’s comparable to the baseball world’s farm systems, which the MLB calls “the most efficient way to build a winning big league club.” It also helps that we foster a security-forward mindset throughout our entire organization. Everyone – from our sales and marketing staff to our admin department – is involved in data protection and breach prevention.

This not only opens the door for people performing other job functions to develop an interest in IT security but also makes our security team’s lives easier since they aren’t the only ones contributing to risk mitigation. At the end of the day, cybersecurity is a high-pressure and complex field, and we should do all we can to encourage and help those who want to work in the industry and provide much-needed reinforcements in the ongoing war against cybercrime.

Author Jesse Miller is CISO at Stratosphere Networks.