The answer to the ongoing talent shortage could be right under the nose of those in the hiring seat – upskill your current workforce. Matias Madou, Co-founder and CTO at Secure Code Warrior, discusses the importance of training up current employees to enhance skills and development from within, contributing to an overall security-first culture.
CISOs face a number of challenges when it comes to attracting and recruiting talent. As technology rapidly advances and the demand for tech skills increases, the competition for talent is fierce. To hire the best, businesses will need to compete with a plethora of other firms looking to do the same thing.
Needless to say, this lets cybersecurity professionals pick and choose where they want to work and command incredibly high salaries that most firms are unable or unwilling to pay. CISOs looking to compete in that environment are in for a lot of stress and likely quite a few losses when trying to hire new cybersecurity personnel.
As a result, businesses are regularly on the search for new talent in order to meet staffing demands. In the UK alone, many companies still struggle to find employees with the technical expertise, incident response capabilities and governance capabilities required to handle their cybersecurity. In 2022, half (49%) of all UK cyber firms faced issues with security skills gaps, either among existing staff or among job applicants.
Keeping up with churn
The demand for talent and turnover in the tech market is immense. The number of organisations in need of developers continues to rise, with the talent pool struggling to keep up with demand.
From a developer perspective, this is a great opportunity to take advantage of a market where they are in a position of power to negotiate, selecting the roles they want. However, as the work and expectations placed on developers grow in complexity, the roles they take on can extend well beyond what they were trained for. The result is burnout, and ultimately developers leaving the very role they chose as their next career step.
The disconnect between developer and manager expectations needs to be addressed to retain talent within organisations. For most modern companies, the developer is essential to all parts of the business. Instead of looking externally, CISOs should look inward and curate an environment where developers can thrive.
Building cybersecurity talent from within
Rather than competing for talent against other companies, CISOs should be thinking about the value of their current workforce. While there may be employees without a security background, with the proper training and support, they could shift to a new career in cybersecurity.
Modern workers are predominantly interested in an environment where they can learn and grow, developing a fulfilling career. CISOs should take advantage of this interest and identify individuals within their organisation who show the potential to move into more cyber-related roles.
Tech organisations that have software development or internal IT resources are already full of untapped security potential. These IT pros and developer teams should be proficient in coding and have an understanding of the digital landscape. Our State of Developer-Driven Security Survey found that just 8% of programmers believe that writing safe code and keeping vulnerabilities out of software is simple, while the vast majority of programmers saw the need for cybersecurity and were invested in learning more.
Creating a flexible education programme will be essential to upskilling these candidates. CISOs need to build a programme that encourages and rewards secure development. This could include creating or appointing security champions internally: talented, security-aware developers who distinguish themselves either in training or through security-focused performance metrics. Appointed champions should also be willing to help other developers enhance their skills and improve the development community from within.
Create a tailored security programme
Creating a flexible learning programme isn’t a case of just throwing money at the solution. Poor, checkbox solutions where participants watch a video and answer a few questions create a tainted view of security education. In a complex field like cybersecurity, this hands-off type of training produces little beyond a digital certificate: it won’t give individuals effective secure coding skills, and it will do little to convince auditors or regulators either.
While 92% of developers expressed that security training was important, they want and need good learning pathways that speak to them and provide hands-on examples. Many developers suffer in silence over mediocre programmes that have them carry out compliance exercises that only waste their already limited time. CISOs should strive to ensure that their developers receive meaningful, job-relevant upskilling that provides value, raises code quality and delivers the kind of knowledge that ultimately drives an organisation’s security maturity.
For example, CISOs should explore a tiered learning approach, where topics can be broken down into discrete educational objectives and concepts. This approach adds newer, more advanced concepts layered on top of those already mastered, creating a clear path to success while keeping the level of challenge high.
Security departments are the organisation’s backbone, and amid the skills shortage in the tech market as a whole, companies should prioritise building a culture that encourages security best practices.
Creating a security-first culture
The cybersecurity skills shortage continues to create immense pressure on CISOs – and while it might seem like an easier option to look outward for new talent, it’s going to be much more effective to upskill internally. Not only does this help fill positions, but it also empowers employees, creating greater loyalty to the organisation.
It’s clear that the world is changing and businesses need to adapt to this evolution. CISOs are in a unique position to solve these problems for their organisation and establish their value. Investing in the right developer enablement not only builds the organisation’s capabilities internally but also opens the door to creating a security-focused culture that extends beyond the IT department, driving further value for the organisation at large.