Five ways your business can bridge the cybersecurity skills gaps to find and keep top talent

Image by Gerd Altmann from Pixabay

We hear a lot about the cybersecurity skills gap, which the latest research puts at 3.4 million globally. There are lots of reasons why organisations find themselves dealing with a skills deficit – from an actual dearth of qualified talent to internal factors including turnover, lack of budget/competitive wages, limited opportunities for growth and promotion, and lack of training.

One aspect that is within a company’s control, but is often unremarked, is unrealistic hiring practices. While this can be a problem across all sectors – after all, every business wants to be sure they get highly experienced people on board – there seems to be a particular issue around cybersecurity hiring.

It’s not uncommon for companies to require three to five years of experience for an “entry-level” cybersecurity position. Why does this happen?

  • Is this because budgets are misaligned with needs?
  • Are internal training programmes insufficient or non-existent?
  • Do companies not appreciate that applicable experience can come through many different avenues and take many different forms?
  • Are hiring managers lacking information about universities’ newly emerging, rigorous cybersecurity programmes?
  • Is there a prevailing belief that the high-stakes nature of cybersecurity means you need battle-hardened veterans, rather than new recruits, on the front line of cyber defence?

Whatever the reason, these positions often go unfilled or result in high turnover. Here are five things employers can do to expand their workforce and lay a solid foundation for the future growth of their security teams.

Consider cybersecurity degrees an important component of the experience journey.

The number of universities in the UK offering degrees in cybersecurity (or computer science with a cybersecurity specialism) is rising rapidly. Over thirty institutions offer degree-level courses or higher. Many are certified by the NCSC. Several courses include an industrial placement, allowing students to gain real-world experience that they can bring immediately to post-graduate employment.

There is growing grassroots interest in taking computer science and cybersecurity degrees. Analysis of government statistics by EngineeringUK reveals that entries into single science subjects are rising at GCSE level, and Maths was the most commonly taken A Level subject in 2022. This should translate into more candidates opting for technical or science-based degrees, including computer science and cybersecurity.

Build a strong internship programme.

Internships and degree apprenticeships are becoming an increasingly popular route as an alternative to full-time university education. The bonus of these is that they enable businesses to identify talent at an early stage. Companies can partner with educational institutions to offer placements or run programmes in-house to bring on talent.

It is a tactic already employed in the mainframe sector, where an ageing expert demographic threatened a real resource crisis. Now several mainframe operators and the businesses that support them are investing in young talent to fill the gap. It is a great way to see if there’s a match between the organisation and the candidate and build a pipeline of talent to fill open entry-level positions.

Look for candidates from within.

Turnover often happens because employees become bored or don’t see opportunities to move up. And the costs to companies can be surprising—33% to 200% of the departing employee’s salary to replace them. Training is a win-win as it can help reduce the skills deficit and increase retention.

Companies don’t even have to invest heavily in building their own educational programmes. Instead, enable employees to develop baseline technical and cybersecurity skills through the online courses available from well-respected groups including: CompTIA Security+, ISACA Cybersecurity Fundamentals, and (ISC)2 Systems Security Certified Practitioner (SSCP).

Recognise the value of related work experience to the field of cybersecurity.

Any type of on-the-job experience that focuses on troubleshooting issues and working with customers, such as working on the help desk, translates well into working in cybersecurity. Learning how to get to the root of a problem and dealing with upset customers gives job applicants a solid foundation to build on.

Candidates with experience in service and support roles bring valuable skills, including listening and empathy, as well as troubleshooting and decision-making capabilities. These are important in several areas, including testing, quality assurance (QA) and product development.

As is often evident across the employment market, skills can be taught, but attitude is harder to develop. If a prospective candidate has the right attitude and empathy to make a good cybersecurity specialist, they shouldn’t be discounted simply because they don’t have this or that technical qualification.

How advertisements are framed is also essential if organisations want to attract a wider pool of candidates. Focusing on personal attributes rather than a rigid adherence to qualifications can bring more women and underrepresented groups to the table. With diverse businesses proven to do better than their monocultural counterparts, it is well worth considering changing up your advertisements to attract more applicants.

Automate various elements of cybersecurity.

ThreatQuotient’s 2022 State of Cybersecurity Automation Adoption report finds that organisations are becoming more confident in automation with over 84% of companies having some level of trust in automation outcomes. Consider using a balanced approach to automation where you automate repetitive, low-risk, time-consuming tasks. Allow human analysts to lead irregular, high-impact, time-sensitive investigations with automation simplifying some of the work.

This reduces the number of entry-level people required. It can also reduce the risk of employee burnout by allowing analysts to focus on more rewarding higher-value activities. In fact, organisations report that employee well-being and retention are regularly used as part of their cybersecurity automation ROI calculations.

Additionally, reduce complexity by adopting cybersecurity automation platforms with low- or no-code interfaces. Users with varying skill sets can access automation through solutions that offer a choice: a simple no-code playbook builder, or standard formats like JSON or YAML for more advanced requirements.

Conclusion

We’ve been talking about the cybersecurity skills gap for years. However, breaking it down into smaller, more approachable pieces can make a difference. The following will serve as a starting point for organisations to close the skills gap and enhance overall cybersecurity efforts:

  • Rather than focusing solely on experienced professionals, start by recruiting entry-level candidates with realistic expectations.
  • Offer strong internship programmes and prioritise internal training and professional development to cultivate the next generation of security leaders.
  • Utilise automation and simplification wherever possible to streamline various aspects of cybersecurity.

ThreatQuotient’s mission is to improve the efficiency and effectiveness of security operations through a threat-centric platform. By integrating an organisation’s existing processes and technologies into a single security architecture, ThreatQuotient accelerates and simplifies investigations and collaboration within and across teams and tools. Through automation, prioritisation and visualisation, ThreatQuotient’s solutions reduce noise and highlight top priority threats to provide greater focus and decision support for limited resources.
