If you search the internet for “cybersecurity skills gap,” you’ll get page after page of results. This is definitely a hot subject in our industry, and it is often a matter of disagreement between security professionals and human resources.
Is the cybersecurity skills gap real?
Before I get into the matter, it helps to define what we mean by the term “cybersecurity skills gap.” From the employers’ perspective, it means that potential applicants do not have the specific cybersecurity expertise they need, and that the people they currently employ do not have the skills to be moved into new technology-related positions.
It can be a very difficult field, as computer technology progresses so quickly and universities, colleges, and vocational schools often cannot change their courses at the same pace. The cyber threat environment can change just as fast!
The phrase “cybersecurity skills gap” may seem like a taunt from the viewpoint of many job seekers and security personnel, including myself and many of the colleagues I have spoken with.
Some of us have spent years in IT programs and courses and earned various industry certifications. But we don’t have some specific niche qualification or 10 years of Windows Server 2016 experience.
We have plenty of know-how and we fulfill many other job requirements, so why do employers not give us a chance to learn the rest? Others have had computer skills since their youth, but the expense of college and qualification exams can be insurmountable when you are starting out and have few resources.
The cybersecurity skills gap harms those who want good jobs in the industry, but it hurts businesses and network security even more.
According to the (ISC)² Cybersecurity Workforce Report 2018, there were more than 2.9 million jobs related to cyber security globally. This number has probably increased in the time since.
These roles cover a wide range of functions, from SOC analysts to DFIR, pentesters and application security professionals. Failure to fill these roles, which organizations acknowledge as a requirement, eventually decreases cybersecurity throughout the world, and companies lose enormous amounts of money in cyber attacks and data breaches.
I have my own views on this issue. But on Twitter, cybersecurity people often talk about the high expectations in job postings and their effect on the skills gap.
Shawn Thomas is the CEO of the SOC. He tweeted his exasperation with the requirements in job postings.
“Since your infosec entry-level job requires: a master’s. At least three certificates. Prefers to have two years’ experience.
Then it’s obvious that you will have difficulty finding the right candidate. I also have a buddy from the industry who has researched the skills gap a lot.
Furthermore, he has expertise in recruiting for cybersecurity positions, something I lack. He is a security specialist and hacker, and he shares his expertise at so many security conferences that it would annoy me to do the same thing.
He writes loads of posts about the skills gap on his blog, so I decided to learn from him a bit.
He acknowledges several factors in the cybersecurity skills gap issue, including unreasonable job posting qualifications (“Must have a CISSP, a Master’s in Computer Science, and ten years of experience with Metasploit Framework 5.0. Salary $40,000 per year.”).
Yet I wondered whether a corporate unwillingness to invest time and money in training could also be a factor.
He says, “Companies are not willing to invest in their employees’ training and this is certainly an important factor in the skills gap.
Training budgets have been one of those easily leveraged pools of money over the last few decades that take an early hit when cost cuts are needed.
Therefore, some companies tend to be afraid that even if they pay to train their employees, they will be worth something in the open market and leave the business, nullifying their investment.
What they do not see is that believing in these people and showing that they respect them genuinely helps them to stay.”
I believe the HR boss will read this! Ping-pong tables may be good, but it is much better to give your staff special training so that they can take on more important positions in your organization.
Interviewers must also broaden their knowledge of what a good security professional looks like. They could look physically like anybody!
I also asked him about a term frequently used in HR, “culture fit.” “There is a lot of interest in the hiring process and indeed, the culture fit is one of them. Security and technology, in general, are based on diversity. More than that, we really need to move forward and be successful.
A combination of thoughts, experiences, and backgrounds helps to build better technology and better solutions to complex problems. Culture fit is an overused and abused concept.
As you pointed out, recruiters who don’t understand how to build a culture or don’t get well-trained to evaluate talent often fail to find anyone close to the people we have today and to identify it as a culture match.” So here is some advice for you.
“(My advice) is to first invest in your men, and not just the security team, as we have mentioned. Develop effective skills development plans which encourage resources to move into security and then enable them from other non-security or even non-IT positions.
Secondly, you must consciously work to remove prejudices in your jobs. Not only along the lines of race, gender, etc., but also issues such as age, experience, etc. Be prepared to hire a person with purple hair or a full tattoo sleeve.
Limiting the pool statistically based on ridiculous standards is often a bad idea. Use remote jobs, eventually. I can’t believe in 2020, but I am shocked how many jobs I see need a local in-office resource when the tech exists to do the same job from a remote location.
I heard of hiring managers who are fearful of handling remote people so they don’t encourage it.
In so many ways, it’s incorrect.” Personally, I think many companies just want to help narrow the skills gap and improve their company’s cyber security by hiring more workers.
Millions of unfilled cyber security jobs damage everyone concerned: people in the company, people in the industry, companies of all sizes in every industry, and the security of everyone.
Fortunately, this is a problem that can be solved. Nonetheless, it takes a lot of team effort and a lot of open-mindedness.
However, that is only my opinion and the thoughts of so many others in our sector.