Three million empty seats: What can we do about the cyber skills shortage?
Jim Tiller, CISO at Nash Squared, shares his thoughts on how to fill the cyber skills gap. This article first appeared on ComputerWeekly.com.
Companies should look for candidates with the right skills potential, rather than insist they tick a hundred different security skills boxes
Cyber skills shortages have plagued the industry for years – and are not getting any better. Cyber Security Ventures has estimated that there were 3.5 million unfilled cyber roles in 2021 and that this number will stand unchanged in 2025. The problem may at least be stabilising, but it’s still a chronic shortage.
The problem is exacerbated by another worrying phenomenon that often goes almost unnoticed – cyber burn-out. One study found that 28% of cyber professionals plan to exit the industry in the next two years. Another found that 54% want to quit. It’s stressful and demanding work that takes its toll on professionals who are often over-worked in small teams.
In my view, there are three key reasons behind these persistent shortages. Firstly, demand for cyber professionals is rocketing as companies fight against the spiralling cyber threats from hackers, organised criminals and nation states. I don’t foresee any change in this – and in fact it may intensify.
Secondly, there are some barriers to entry that make the problem worse – namely, the perception that to work in cyber, you have to be highly technical. That is true for some roles, but the main skills needed are those that many people will already possess – critical thinking, problem solving, a love of learning, tenacity. Another barrier is diversity – failing to attract enough women and people from other groups.
Thirdly, there is what I call hyper-specialisation. The way cyber has developed means that the requirements for many roles have become incredibly specialised. Going back 15-20 years, there were three main types of cyber role: pen testers, infrastructure professionals (dealing with aspects such as firewalls and intrusion detection systems, or IDS), and risk and compliance. The emphasis, or pendulum, used to swing between technology solutions and risk and compliance frameworks and processes.
In recent years, the pendulum has swung heavily towards technology solutions and hasn’t swung back again. As technology has developed (including artificial intelligence, machine learning and cloud), whole swathes of specialisations have sprung up – and even specialisations within specialisations – pen testers specifically for mobile applications, for example. There are 436 certifications you can do in cyber – and all of these cost quite significant amounts of money (and time/study).
Businesses are therefore trying to recruit people who tick all their hyper-specialisation boxes – exacerbating the shortage problem. They are never going to be able to assemble a small team that covers all the certifications between them.
Policy solutions needed
How can we solve this critical situation? Firstly, there is no doubt that we need concerted public policy solutions to attract more talented young people and career switchers into cyber. In the UK, for example, a study conducted on behalf of the Department for Digital, Culture, Media and Sport (DCMS) found that there is an annual shortfall of 10,000 people coming into the cyber talent pool.
There is a pressing need to expand entry routes into cyber through further and higher education options, training initiatives, bootcamps and employer-led models. The UK, for example, has launched T-levels, a new breed of qualification for 17-18-year-olds, which include cyber security.
Alongside this, we have to solve the diversity problem. Too few women are coming into cyber, despite the fact that many naturally possess skills strongly suited to working in the profession. It’s an issue that applies across technology. Too much talent is being missed – we need to change the narrative.
As the DCMS report notes, it is “time to scale up”. At a global level, the time has come to put new energy into building a stronger pipeline of talent into cyber so that entry-level positions can be filled and individuals can build their experience and specialisation over time.
Meanwhile, what does this mean for businesses that need cyber talent today? Although there is no silver bullet, I certainly believe that there are some key ways of maximising the chances of success.
As a minimum, make sure your job descriptions and adverts aren’t putting candidates off by demanding more of one person than is possible in terms of specialisations, certifications and experience. This is something I see time and again. Look for people with what I call the right “skills complexion” rather than insisting they tick a hundred different boxes. Word your ads accordingly – you’ll probably see a significant uplift in applications, and many of them could be good potential fits.
Don’t just tweak your ad wording, though – think about whether your requirements themselves are unrealistic. Look at other options – could you run more in-house training to develop existing team members or upskill new hires? A “train-to-hire” approach is proving a successful mechanism for some of the Big Four consultancies, for example.
More broadly, review your resourcing model in order to find the optimal balance. Think about what roles you need to be performed by permanent in-house staff, and what roles could be performed by contractors or third-party partners.
A strategic approach
Considering all these elements will help you elevate your approach to the strategic level. By this I mean, think about what you’re trying to achieve strategically for your security function over the next two to three years. Articulate this into a strategic roadmap. From this, you can create your talent roadmap alongside it, with full consideration of the resourcing mix.
Too many businesses I talk to are taking an incremental and ad-hoc approach to their security staffing – adding a role here and a role there, as the need arises. Get ahead of this. Plan ahead. Map your talent needs. It will have a surprisingly clarifying impact and will make your recruitment much more effective.
This is one of the goals of our vCISO practice at Nash Squared, helping you clarify your strategic approach and offering highly focused cyber recruitment services.
Having this clarity and structure will also communicate itself to candidates when you talk to them. If there is alignment between the security journey your business is on and their personal career journey, it will make you a much more attractive destination for them.
With ransomware rampant and cyber threats growing all the time – something that the advent of quantum computing will only make worse – there is an urgent need for organisations to get the fundamentals of their cyber security nailed down now.
For this, cyber talent is desperately needed – and we will only solve this through coordinated public and industry action at the macro level, and a focused, defined and strategic approach from businesses themselves.
Read more about security skills in our Digital Leadership Report.