The cybersecurity staffing and skills shortage is a well-known reality and the situation is predicted to get worse in the coming years.
There are many problems
There are several reasons for the current situation:
- Organizations are asking for too much and offering too little (money). Organizations are asking job candidates to have a lot of skills and experience, but offer meagre compensation.
- Organizations are discouraging many potential candidates from applying for jobs by asking for too many skills right off the bat.
- Security leaders are not actively recruiting (and they should be).
- By asking candidates to have security certifications, organizations are needlessly limiting the candidate pool to those who had the time, travel, and money necessary to achieve them.
- Most long-time infosec pros “stumbled” into the field, and security leaders can’t depend solely on that anymore.
Tips for finding, developing, and retaining cybersecurity talent
According to Forrester analysts, organizations must adopt more realistic expectations and more effective hiring practices:
- Don’t rely on candidates’ experience and certifications, but on their ability and motivation to learn.
- Drop default requirements for college degrees (some big companies like Apple and Google already did that).
- Offer better compensation and perks (vacation time, flexible hours, etc.).
- See if some jobs can be performed remotely. If they can, you can recruit talent from all over the world.
- Narrow the “must have” list of skills for job candidates to five essential ones (the rest can be learned).
- Ask for skills that go beyond technical certifications and technical abilities.
- Take advantage of – or establish – apprenticeship programs.
- Search for potential candidates in less trawled spaces (e.g., military veterans who were not part of cyber units).
- Search for local talent at regional security association events.
“Developing talent pipelines and training programs will reduce — or eliminate — the perception of scarcity in the market. Firms that build quality programs will find themselves with shortened hiring cycles, higher staff retention, and a better security program overall,” the analysts also advised in a recently released report.
To retain infosec talent, organizations should also:
- Make sure that their security team knows that advancement is possible.
- Let them build homegrown solutions, experiment with open source technologies, and engage in threat intel community sharing.
- Use job sharing and rotation programs to broaden their skills.
“Send security personnel with scripting skills to ride along with application developers, and vice versa. Let S&R pros with skills in statistics sit beside data scientists, and send those with system administrator backgrounds to spend time with cloud administrators,” the analysts advise.
“These programs will introduce new roles to security team members, build culture through new perspectives, and identify potential new talent to the security team. This will help security team members who might otherwise get discouraged by the repetitive components to their jobs keep their advancement possibilities top of mind.”