The cybersecurity skills gap is not going away any time soon. Tim Bandos, CISO at Digital Guardian, explains how companies shouldn’t always rely on the same channels to look for employees. He says sometimes the perfect employee for the job is already in the company but just needs further training.
Much has been written about the cybersecurity skills shortage over the last ten years, but one thing’s for certain – it’s not going away any time soon. According to Gartner, 61% of businesses admit they are struggling to hire skilled security professionals, leading to the number of vacant positions worldwide currently topping four million. In the UK, the Government estimates that around 653,000 businesses (48% of all in the UK) have a basic cybersecurity skills gap in their workforce, while 408,000 (30%) have more advanced skills gaps. In short, there’s a big problem.
As an industry, this obviously presents a real and present danger, but how did we get into this position and more importantly, what can be done to resolve it? This article will look at some of the main challenges associated with filling cybersecurity vacancies, before examining how businesses can retain their existing staff more effectively and build happier, more productive teams.
Unsurprisingly, lack of experience is one of the biggest challenges to overcome
In many cases, the hardest roles to fill are those that require extensive hands-on experience, such as senior threat hunters and incident responders, because it takes many years to become an expert in these fields. While attending yearly SANS training courses can prove beneficial – and is highly recommended – it can’t replace the knowledge gained from researching and responding to incidents within a real world enterprise. It becomes even more difficult when trying to find qualified candidates with experience in responding to state-sponsored attacks. Understanding a threat actor’s tradecraft and knowing what to look for as it relates to TTPs (Tactics, Techniques and Procedures) is an incredibly valuable and sometimes a rarely acquired skill.
Cast recruitment nets wide, you never know what you might find
One mistake a lot of businesses make in their attempts to fill all kinds of cybersecurity positions is using the same old recruitment channels. Rather than posting up ads and hiring expensive recruitment firms, look within your own networks, as well as in less conventional places. Some of the best and most qualified job candidates I’ve come across were people I met at security conferences, threat intelligence forums and, ironically, even Twitter. Conventional job postings and recruitment firms definitely have a place, but in my experience, while they throw up a large number of candidates, few tend to have the necessary skills or experience needed for the advertised position. As such, looking elsewhere can be a much more fruitful way to find the right people for your business.
Retraining existing employees can be just as effective as hiring new ones
Sometimes the right person can be right in front of you but you just don’t realise it. Retraining employees rather than hiring new ones can yield several positive outcomes. It gives that employee new skills and possibly lights a new fire to keep them motivated. It also avoids having to spend time and money finding new candidates that may or may not work out. Additionally, current employees are already familiar with the company and culture, so they can immediately hit the ground running. As such, one of the first questions businesses should always ask themselves when looking to fill a position is, ‘could there be someone already here that we can repurpose and grow?’
When it comes to staff retention, money isn’t the only motivator
It goes without saying that pay is a big factor for any employee, but it’s not the only one. Many job applicants are also looking for positions where there’s scope to grow their knowledge and progress their careers as far as possible, rather than quickly hitting a glass ceiling. Doing the same tasks every day, month after month, gets boring fast and can soon lead to turnover, which is the last thing businesses need when qualified staff are already so hard to come by. Offering opportunities to work with great security tools or on mini-projects that they’ll enjoy will not only keep employees engaged, it will also improve overall team capabilities, resulting in a more collaborative environment. This not only helps attract additional new talent but retain it as well.
While the skills gap continues to pose major challenges throughout the cybersecurity industry, it doesn’t mean great people are impossible to find. Chances are, many of them already work for you! The key is to stop being so reliant on conventional channels and start thinking outside the box when it comes to recruitment. The same goes for retention, which is arguably even more important. While money is always a great motivator, so too is career progression, as well as the opportunity to work with great tools and colleagues. Get these things right and you’ll soon find the top talent starts coming to you.