Tackling the cybersecurity skills gap with a fresh approach to hiring talent
Current hiring practices, allied to a shortage of people and skills in cybersecurity, are making us all more vulnerable to cyberattacks.
The latest release from the Global Information Security Workforce Study (GISWS) calls for employers and recruiters to look to new recruitment channels and consider individuals with more diverse skillsets and non-technical backgrounds to attract and retain cybersecurity professionals.
Understanding the cybersecurity skills gap
As far as I can remember, cybersecurity has long faced a gap between the supply and demand of professionals, leaving businesses, and by extension all of us, vulnerable to cyberattacks. Last month saw the third release of data from the Global Information Security Workforce Study 2017: Benchmarking Workforce Capacity and Response to Cyber Risk, which was conducted by Frost & Sullivan for the Center for Cyber Safety and Education, with the support of (ISC)2, Booz Allen Hamilton and Alta Associates. It offers a deeper exploration of that growing cybersecurity skills gap and outlines recommendations to remedy it. The GISWS has tracked the state of the workforce over the past 13 years and this year’s report – which surveyed over 19,000 professionals (3,694 from Europe) from the cybersecurity profession – revealed a widening chasm: a projected shortfall of 1.8 million cybersecurity workers worldwide (350,000 in Europe) by 2022, if current hiring trends continue.
In Europe alone, 66% of respondents this year indicated that they felt their departments consisted of too few information security workers, with reasons for the workforce shortage ranging from a lack of qualified personnel (48%) to security workers being too difficult to retain (27%) and there being no clear information security career path (31%).
The GISWS report also revealed the security threats that were the top concerns of study participants in the region, which saw data exposure at the top of most people’s minds (39%), along with data exfiltration (29%), ransomware (28%), security misconfiguration (24%) and hacking (23%). The impact of such concerns has clearly played out in recent months, as the WannaCry and Petya attacks made ransomware a commonly recognised term, forcing many businesses around the world, including the NHS, to shut down operations.
Much work is yet to be done to secure businesses, government agencies and organisations of all sizes, which requires having a properly staffed, agile and reactive workforce.
Embracing a changing workforce
The recommendations in the GISWS report outline three areas of untapped talent: millennials, women, and people with an education or background from outside IT or the computer science domain.
As the fastest growing demographic, millennials will be critical for filling any employment gap, but I believe existing attitudes must change if we are to entice valuable candidates to our field. Recruiters are currently not hiring enough recent university graduates, instead opting for those with more prior experience and turning to their personal networks for talent to fill roles requiring experience – 92% of respondents indicated that experience was an important factor when making their hiring decisions.
Our study also revealed that women form just 7% of the workforce in Europe – a level that has remained virtually unchanged since 2004. There are also signs of a rampant gender pay gap, with a male professional in Europe earning £9,100 more on average than his female counterpart. This is despite Europe’s female cybersecurity professionals tending to be better educated, with a higher proportion of them occupying managerial positions.
A workplace where women are both paid less and more likely to be subject to discrimination can make it harder to promote such a profession to women. The lack of women also creates a self-perpetuating cycle, with few established female role models to encourage the new generation.
In addition, the study demonstrated that technical expertise is not a prerequisite to success in our field. Nearly a quarter of those working in the profession hold non-computing or information science degrees, and one in five had a job from a non-technical function before coming into the profession. These individuals are functioning at every level of practice and they report being paid more as well as feeling that they have more influence than their counterparts with a technical background.
Attract talent
As demand grows, employers will need to do more to find and attract talent and must be prepared to develop it, not just buy in experience. The study suggests doing so will engender loyalty: millennials, for example, reported valuing organisation training, as well as mentorship and leadership programmes, over pay.
Employers must make the effort to create inclusive workplaces that support and value people of all backgrounds. The women in the study also reported that sponsorship and mentorship programmes tie to the success and satisfaction of women at all levels. It is equally important that organisations end pay inequity. Finally, the stats would suggest that there is a significant opportunity to draw from a wider set of backgrounds and degrees, including humanities and arts degrees, where there tend to be higher proportions of women.
All three areas require an investment in training and development. With unemployment in this sector reported at 1% and with salaries rising, recruiting experienced talent today could prove to be the costlier option in the longer term.
Fundamentally, this is an issue of economic and national security. The cybersecurity skills gap is growing wider every time we survey our workforce, and governments across the world are recognising that cyberattacks are critical national vulnerabilities. Attracting more varied backgrounds into the industry would not only significantly help reduce the shortfall in skills, but also provide the necessary basis for a safer world in today’s increasingly connected society.
The full report can be downloaded here: http://iamcybersafe.org/GISWS
Adrian Davis
Managing Director, EMEA
(ISC)2 www.isc2.org