Addressing the lack of qualified cybersecurity professionals - What can we do about it?

Every year security operations teams continue to report that one of the biggest obstacles they face when trying to protect their organization is the lack of qualified security staff. With the security threats targeting these organizations continuing to grow in sophistication, this deficiency has evolved from an inconvenience to a full-blown epidemic.

According to a 2018 ISACA survey, it is predicted the cybersecurity industry will experience a shortage of over 2 million security professionals by this year alone, and this number is only expected to increase in the years to come. Considering the world has become digitally connected in almost every aspect, it's unfathomable that the security community would be experiencing this type of crisis. So, what could the cause of this condition be, and is there any hope to close the gap?

Candidate education

The level of education a candidate possesses may be one of the most important elements to consider when hiring a new staff member. Over the last few decades, the need for higher education has switched from being a luxury only a few could afford to an absolute requirement for gainful employment. Unfortunately, even though our society has embraced the need for these greater educational requirements, not all forms of education are viewed as equal.

Typically, a college education is associated with the large 4-year institutions which have become commonplace. These institutions can also be broken down further based on prestige with the “Ivy League” tag being the highest level of achievement in the world of academia. However, when looking for qualified candidates, hiring managers should not look at just these 4-year institutions, but instead should also look to the technical and trade schools for assistance.

Historically, universities have focused on more theoretical knowledge. While this theoretical knowledge provides important lessons in critical thinking, it can leave some graduates underprepared for hands-on careers, such as those in the information security space. Trade schools, on the other hand, have always emphasized hands-on experience, which can sometimes better prepare graduates to hit the ground running in their new careers. Do not limit your candidate pool to just those applicants who have a 4-year degree from a college or university. By placing a limitation on your applicants, you may miss out on your next superstar.

Experience requirements

Experience requirements and education go hand in hand. Every organization wants to ensure its staff has the education and experience necessary to protect its businesses from the sophisticated threats it faces. Unfortunately, this becomes a catch-22 situation for new graduates who have a qualifying degree but possess no real-world experience. This restriction may prevent quality candidates from applying to open positions and leave vital positions unfilled.

If experience is non-negotiable, then produce the experience desired from the candidates by partnering with universities and trade schools. Through internships and work-study programs, organizations can train their prospects in their proprietary processes and procedures, scout out whether the candidate has what it takes to be brought on full-time, and the student gains the real-world work experience necessary to become gainfully employed.

Professional burnout

Potentially one of the most overlooked factors contributing to the skills shortage is professional burnout being experienced by current employees. The lack of staff and the growing number of security incidents has forced current employees to take on more responsibilities without a chance of reprieve. This has created not only professional burnout but also has caused morale to drop to an all-time low.

A lack of morale and inevitable burnout is a recipe for career suicide and may also be a reason why more individuals are not opting to join the security workforce. However, the industry as a whole can do something about it. Starting with each individual businesses’ security team, these factors can be prevented by taking a few simple steps:

Mentorship

Create a mentorship program within the organization. Partner junior security professionals up with their senior counterparts. This partnership provides a dual benefit where the junior professional gains the experience they need to become a more knowledgeable team member and the senior professional gets the help they so desperately need to keep from burning out. Pairing these two team members together will bring them closer and will help boost morale.

Mentorship also benefits the organization by showing potential applicants that they will be valued and that the organization is more than just a business, it is a team. Applying to a new company or for a new job naturally creates anxiety, but while researching the company and its culture, if an applicant can see that the organization values its people by providing on the job training and mentorship, they are more likely to envision a long-term career within that organization.

Automation

Automation’s very nature is to help people do more with less. By adopting automation into a security program, organizations can help free up their security staff to not only tackle more important tasks but also allow for a better work/life balance. This balance is what helps staff to stay sane and content with their current roles, without it the rate of burnout is far higher and more certain to happen.

Automation can be used in multiple areas of a security program such as automating the prioritization of security events and vulnerability assessment findings, incident response efforts, and tuning of security rulesets. By deploying an automation solution to help with these tasks, security staff can feel more fulfilled in their current roles and organizations can quickly recognize the value provided by their security programs.

These are just a few examples of why the security sector experiences talent shortage and what can be done to remedy the issue. However, just as every organization and its security needs are different, so are the reasons for their shortage. Regardless of the size and complexity of the security program, by widening the candidate scope to include those without a 4-year degree from a university, partnering with universities and trades schools for talent, creating a mentorship program, and finding areas where automation can take on some of the burdens, can all help to soften the blow that a large and growing number of organizations are experiencing when it comes to the talent shortage.