How to tackle the cybersecurity skills shortage in the EU
The cybersecurity skills shortage is a global problem, but each region – including Europe or, more specifically, the EU – has distinct problems it has to tackle to solve it.
In this Help Net Security Dritan Saliovski, Director – Nordic Head of Cyber M&A, Transaction Advisory Services at Aon, offers some pointers, as well as advice to organizations on how to attract and retain the best cybersecurity talent.
The cybersecurity skills shortage is still a huge problem for global organizations. Is there a way to fix it?
To mitigate this issue, organizations must take a multi-pronged approach, including targeted training and education programs, incentives to attract and retain talent in the cybersecurity field, building a diverse and inclusive workforce, and investing in technologies that automate certain tasks.
Additionally, organizations can open the door to entry-level candidates by creating and promoting internship, apprenticeship, and entry-level positions, which provide opportunities for individuals to gain the necessary skills and experience to advance in the cybersecurity field. Collaboration between the private and public sectors, as well as the academia, is also crucial in addressing the skills shortage.
One example of a successful approach to addressing the cybersecurity skills shortage is IBM’s training program. IBM’s program exemplifies corporate responsibility and community engagement by providing cybersecurity education and training to less fortunate communities. Not only does this program address the skills shortage, but it also promotes social and economic empowerment. IBM’s commitment to building a more equitable and inclusive society serves as a model for other organizations to follow.
Another effective approach is the training programs provided by the big four consulting firms, such as Deloitte, EY, KPMG, and PwC. These firms are known for their rigorous and comprehensive training programs, which provide opportunities for entry-level candidates to join the firm through internships and entry-level positions. Once on board, these firms provide comprehensive training and development programs that help entry-level candidates grow and advance within the firm. This approach has been successful in developing a talented and skilled workforce, with many entry-level candidates going on to become partners and leaders within the firm. This approach serves as a clear example of how organizations can attract, retain and develop the next generation of cybersecurity professionals and leaders.
In conclusion, addressing the cybersecurity skills shortage requires a multi-pronged approach that includes targeted training and education programs, incentives to attract and retain talent, building a diverse and inclusive workforce, investing in new technologies, and opening the door for entry-level candidates.
Organizations must also collaborate with the private and public sectors and academia to address the skills shortage effectively. By following the examples of successful programs such as IBM’s and the big consulting firms, organizations can mitigate the cybersecurity skills shortage and build a strong and skilled workforce.
The EU is experiencing a specific shortage of cyber talent. Why is that the case? Can remote work solve this problem since the rest of the world is having similar issues?
My hypothesis on the skill shortage in the EU would focus on these key major points:
- Lack of standardization in cybersecurity education and certification, which makes it difficult for organizations to identify and attract qualified candidates.
- Limited pool of skilled professionals in the EU, as many talented individuals are attracted to other industries or choose to work in other regions with higher demand for cybersecurity professionals. According to a study by Eurostat, in 2019, the EU had a rate of 8% of ICT (Information and Communication Technology) professionals in the labor force, while the US had a rate of 9%.
- Increasing demand for cybersecurity professionals due to the growing threat of cyberattacks and the increasing complexity of cyber threats. This demand is further compounded by the EU’s stringent data protection regulations, which require organizations to have robust cybersecurity measures in place.
- Lack of salary appeal of cybersecurity in the EU compared to other countries like the US, which is a lack of motivation for individuals to enter the cybersecurity field in the EU. A study by (ISC)² found that the average salary for cybersecurity professionals in the US is $116,000, while in the EU it is $91,000.
Remote work could potentially help to alleviate the shortage of cyber talent in the EU by providing organizations with access to a larger pool of skilled professionals from around the world. Remote work allows organizations to hire individuals who may not be physically present in the EU, but who possess the necessary skills and qualifications to perform the role.
However, it is important to note that remote work alone may not fully solve the problem as there are other factors that contribute to the shortage of cyber talent such as lack of standardization in education and certification, limited pool of skilled professionals in the EU and lack of salary appeal.
Two challenges with this solution include the impact of personal income tax on the EU’s revenue and potential security clearances in the public sector.
- Remote work could raise issues related to personal income tax, as individuals may be earning income in one country while being taxed in another. This could have a significant impact on the EU’s revenue and may require changes to tax laws and regulations.
- Additionally, in the public sector, remote work could raise issues related to security clearances, as individuals may not be physically present in the EU and may not be able to obtain the necessary clearances to access sensitive information. This could pose a significant risk to the security of the EU and may require changes to security clearance procedures.
In order to fully address the shortage of cyber talent in the EU, a comprehensive approach is needed. This should include standardizing cybersecurity education and certification across the EU, encouraging more individuals to enter the cybersecurity field, consider tax reform, security clearance, and investing in training and development programs to help individuals acquire these skills.
What advice would you give to a newly appointed CISO with a healthy budget that needs to hire new members for his team? What do you think the best approach is to get the right people?
Building an effective cybersecurity team is not as simple as just hiring the best talent on the market.
To ensure that your organization’s security posture is strong from the start and that your cybersecurity strategy aligns with your organization’s overall objectives, it is important to first understand your organization’s governance, operating model, and Crown Jewels (critical assets that need to be protected). According to a study by Deloitte, identifying and protecting an organization’s assets is essential for an effective cybersecurity strategy. This supports the importance of understanding the critical assets that need to be protected in your organization before building your cybersecurity team.
To begin, I’d recommend to conduct a risk assessment to understand the current state of your organization’s cybersecurity posture. Identify gaps in your security program and prioritize areas that require immediate attention. This will help you to establish a clear roadmap for your team and to identify areas where new hires are needed to fill in the gaps.
When it comes to hiring new members for your team, prioritize the hiring of key positions first.
Identify the key positions that are essential for your organization’s cybersecurity strategy, such as threat intelligence analysts, incident responders, and security architects. These roles will be critical for protecting your organization’s assets and aligning your cybersecurity strategy with your organization’s overall objectives.
According to a study by McKinsey & Company, organizations that have a clear cybersecurity strategy that is aligned with their overall business objectives are better equipped to protect themselves from cyber threats. This emphasizes the importance of understanding your organization’s governance and operating model before building your cybersecurity team.
When looking for candidates, look for a mix of technical and non-technical skills. Cybersecurity is not just about technology, it’s also about people and processes. Look for candidates who have a combination of technical skills and non-technical skills, such as communication, problem-solving, and leadership. Additionally, consider hiring a diverse team. A diverse team brings different perspectives and experiences, which can lead to more effective and innovative solutions.
Consider hiring people with different backgrounds, experiences, and skill sets to bring different perspectives to your team.
Look for candidates with relevant certifications, such as CISSP, CISM, or CISA. These certifications demonstrate a certain level of knowledge and experience in the field. However, don’t overlook candidates without certifications but have the relevant experience. The shortage of millions of cybersecurity professionals highlights the importance of not just hiring the best talent on the market, but also of understanding your organization’s specific needs and gaps in order to effectively build a team that can protect your organization’s assets.
The cybersecurity industry is particularly prone to stress and burnout, and employee churn is high. What can people do to thrive in this industry in the long term?
Firstly, nobody is going to die, if you don’t fix a vulnerability (in 99% of cases)! Relax.
I’d like to actually put my focus more on what companies can actually do for their employees. However, before I do, I’ll answer the question; we professionals can do for ourselves is straightforward. While it may seem difficult, it’s something that will drastically change your success if you follow simple principles of your well-being.
Focus on achieving at least two of the following every day, and it will transform you personally and professionally!
- Aiming for 7-8 hours of sleep
- Regular physical activity
- Building and maintaining positive relationships
- Setting aside time each day to do something you enjoy
- Internalize your day
As a leader, I understand the importance of addressing stress and burnout in the cybersecurity industry. High employee turnover can be costly and detrimental to an organization’s overall cybersecurity posture. To address this issue, I believe in implementing a comprehensive well-being program for employees. This can include offering access to counseling services, providing education and resources on stress management, and promoting a culture of self-care and well-being. Additionally, encouraging a healthy work-life balance through flexible work arrangements and regular breaks and vacation can also help alleviate stress and burnout.
Furthermore, I believe in supporting professional development for employees, which can include investing in training, mentoring and professional development opportunities. Creating a positive work environment through open communication, valuing employee input and feedback, and supporting team building activities can also play a crucial role in keeping employees engaged and motivated.
Mental health support is also important, this can be achieved by offering an Employee Assistance Program (EAP) and providing access to a mental health professional. Regularly conducting employee engagement surveys to understand the factors that contribute to employee stress and burnout, and taking action to address any issues that are identified. This can include addressing the causes of burnout and stress, such as unrealistic deadlines, lack of autonomy, and poor management.
In addition, companies can also refer to studies and reports such as the “Stress in the Workplace” report by the American Psychological Association (APA) which shows that job stress is more strongly associated with health complaints than financial or family problems. The “Workplace Wellness Trends” report by the International Foundation of Employee Benefit Plans (IFEBP) states that companies with effective workplace wellness programs see a 28% reduction in sick leave and a 30% reduction in healthcare costs. the “Workplace Mental Health” report by the National Institute for Occupational Safety and Health (NIOSH) states that poor mental health can lead to a range of problems, including decreased productivity and increased absenteeism.
By taking these studies and reports into account, companies can gain a deeper understanding of the impact of stress and burnout on employee turnover and take effective steps to mitigate it.
How can an organization attract and retain the best talent? What should they offer besides adequate pay?
Attracting and retaining top talent is critical for organizational success. However, many organizations struggle with this due to the competitive nature of the job market and the changing expectations of employees. Adequate pay alone is not sufficient to attract and retain top talent. Organizations need to focus on creating a positive and inclusive company culture, align their mission and values with their employees’ personal values, offer a comprehensive benefits package, and provide opportunities for growth and development.
Studies and surveys, such as Glassdoor, Deloitte and Gallup, have found that a positive work-life balance, opportunities for growth and development, a positive company culture, and a clear mission and values that align with the employee’s personal values are important factors in attracting and retaining top talent. A positive and inclusive company culture is a key factor in attracting and retaining top talent, as 80% of survey respondents said that culture is a very important factor when evaluating job offers (Deloitte).
Aligning the company’s mission and values with the employees’ personal values can lead to increased employee satisfaction and retention (Gallup). A comprehensive benefits package, including health insurance, retirement plans, and flexible scheduling, can also be a factor in attracting and retaining top talent. (Mercer).
Creating a positive and inclusive company culture requires consistent effort from everyone in the organization. It starts with the leadership team setting the tone and setting the example for the rest of the organization. This can be achieved by fostering a culture of diversity and inclusivity, listening to employee feedback, and making changes accordingly to improve employee satisfaction.
The implementation of these changes requires a clear plan, consistent communication, and regular assessments. Organizations should create a taskforce to implement the recommendations and measure the effectiveness of the new policies. Communication is key, so it’s important to keep all employees informed of the changes and actively gather feedback.
In conclusion, attracting and retaining top talent is crucial for organizational success. Adequate pay alone is not sufficient to attract and retain top talent. Organizations need to create a positive and inclusive company culture, align their mission and values with their employees’ personal values, offer a comprehensive benefits package, and provide opportunities for growth and development. Implementing these changes will require a clear plan, consistent communication and regular assessments.