Introduction

The need for talented cybersecurity professionals is on the rise, but a huge number of job postings go unfilled. Why is that? Cybersecurity is in the midst of a “skills gap,” a situation where the currently available candidates don’t meet the expectations of employers. DarkWeb estimates that:

  • 3.5 million cybersecurity positions will be unfilled by 2021, up from just 1 million in 2016
  • 40% of open security jobs received fewer than five applications
  • 25% of priority security positions take at least six months to fill

Unfortunately, the alarming trend doesn’t end when a job is filled. Sixty percent of cybersecurity team leaders report that their staff can’t handle anything more complex than simple incidents. Even employed cybersecurity professionals may lack the skills and training they need to keep up with their work or may be mismatched for the role they were hired into. 

What’s causing the infosec skills gap? It’s complicated. That’s why experts like Kelly Sheridan, reporter and staff editor for Dark Reading, make it their life’s work to research and write about it. Recently, she shared her insights with Infosec’s Cyber Work podcast. 

Let’s take a look at some of the challenges employers are facing as they struggle to fill open cybersecurity jobs: 

Is the technology moving too fast for people to keep their skills fresh? 

In the cybersecurity world, up-to-date knowledge has a half-life of only two years. As a result, security and IT professionals are in a non-stop race to keep up with changing technology. This creates a gap between employer expectations and what candidates can realistically provide. 

Traditional education is having trouble keeping up, too. Colleges design their curricula to be completed in two or four years; by the time students graduate with cybersecurity degrees, some of their skills may already be outdated.

The future of tech education might not be so dire, though. Sheridan speculates that future generations may have better luck keeping up with emerging skills because they’ve been immersed in technology from a young age. 

Are qualified candidates out there, but companies aren’t looking in the right place?

Cybersecurity doesn’t only face a skills gap; it’s also struggling with an inability to connect companies with the right candidates. Finding the right person for a cybersecurity job means breaking away from the traditional job board approach that many employers rely on. Where should hiring managers look instead? 

Networks: Instead of hoping for applications to roll in once a job posting goes live, employers should tap into the networks of their existing team members. Who do they know who’s open to new opportunities? What skills do they have? Are they a good fit for the current opening? Employees have the power to introduce HR to candidates who aren’t active on job boards or LinkedIn.

Conferences: Tech people love conferences. Each year, dozens of cybersecurity conferences take place across the country, from national events like Black Hat Briefings and DEF CON to smaller regional and local conferences. In fact, regional conferences are a great way to meet local infosec professionals who may be interested in working for your company. 

Internal teams: Unless an organization has a perfect internal candidate lined up, it tends to look elsewhere. However, the better option might be looking for internal team members who have the potential to succeed in cybersecurity. For example, someone on the IT team who has an interest in information security can be given additional training to prepare them for their new role in cybersecurity.

How can you prevent HR departments from chasing after “unicorn” candidates?

A unicorn candidate isn’t actually a unicorn (although that would be pretty cool). Instead, the term refers to the perfect person for a job: they check off every box in the job posting, from education to certifications and the full gamut of technical skills. However, they are similar to unicorns in one important aspect: they’re mythical! 

One way to set more realistic expectations for candidates is to boost communication between security teams and HR. A common pitfall for cybersecurity hiring is that HR will re-purpose job descriptions from other companies that don’t reflect the needs of their own security team. For example, they might ask that an entry-level candidate have five years of experience or an unrealistic number of certifications. 

Problems like this could be avoided by strengthening ties between HR and cybersecurity departments, in addition to better educating HR on what a strong but realistic candidate looks like. 

Why are there so few cybersecurity professionals to fill these high-level positions? 

High-level cybersecurity professionals are not easy to come by. According to a recent survey by DarkWeb, 37% of respondents said that it’s hard to fill upper-level positions. But what makes these jobs so hard to fill? 

For upper-level roles, companies want tech professionals with a unique blend of skills. Not only do they want advanced technical skills, but strong people skills are also high on the wish list. Companies need people who not only understand the technical side of security but can also convey it to the business in a way that non-technical staff understand. That’s not an easy combination to find!

Companies also struggle to find higher-level candidates with experience in their specific environment or industry niche. For example, a senior cybersecurity professional is hard enough to come by, but one with extensive experience in healthcare is nearly impossible. In heavily regulated industries like healthcare, hiring someone without industry experience would require extensive training to get them up to date on compliance concerns. In fact, it takes an average of one year to get a new hire up to speed, even though the average tenure in these roles is only 18 months. It’s a tough situation!

The future of the skills gap in cybersecurity 

While there’s no quick fix for what’s happening in the cybersecurity hiring landscape, there are a few important questions that companies should ask themselves to best align their talent pipeline with their security needs. Knowing where to recruit cybersecurity experts and how to set realistic expectations for candidates is essential to filling empty roles. Be open to candidates who don’t check every single box on the job description but have the potential to grow into their new role.

To hear more of Kelly Sheridan’s thoughts on the future of cybersecurity journalism, watch the full podcast episode at YouTube.
