The cyber security skills gap is a global problem
By 2025 there will be 3.5 million unfilled cyber security jobs globally, a 350% increase over an eight-year period, according to Cybersecurity Ventures. Yet the barriers to entry remain firmly in place for many people who want to move into cyber security roles, and the very organisations that need to hire are often the ones making these posts hard to fill.
Experience as a barrier to entry
Lack of experience is the main barrier to entry into cyber security roles, because organisations set high expectations for prior training. Even “entry-level” candidates are often expected to have several years’ experience in the field and to hold advanced qualifications, yet the salary on offer doesn’t reflect this. It is the responsibility of the organisation, especially one with a large IT department and cyber team, to train entry-level employees on the job. Organisations should also recognise the value that inexperienced people can bring by looking beyond their limited experience and focusing on their skillsets. Cyber security teams need people with strong problem-solving and communication skills and excellent attention to detail; once someone with these traits is identified, the technical skills can usually be taught in post.

Lack of experience is not always treated as a barrier when recruiting CISOs, however. In contrast to adverts for entry-level positions, it is concerning that current CISO recruitment adverts don’t always put enough weight on experience and qualifications, and organisations appear to be hiring CISOs as a tick-box exercise. Such organisations run the risk of inadvertently, or even deliberately, attracting candidates who can be blamed if things go wrong and used as scapegoats in the event of a destructive cyber attack.
Spotlight on diversity and inclusion
Cyber security requires teams from different countries and cultures to work together to defend against new and dangerous threats. However, there is a widely recognised lack of diversity and inclusion in cyber security. A diverse cyber workforce brings a wide range of viewpoints, which helps organisations identify and solve a variety of problems with creative, cost-effective solutions. Whilst an attacker need only find one way into a system, the defenders must find and block all of them, which is very difficult without a diverse set of minds building the defences. Given the vast growth in the number of cyber security jobs post-pandemic, organisations that are not inclusive will struggle to recruit into their cyber teams.
Diversity in cyber security doesn’t just encompass sex, gender, religion and cultural background. It is essential that it also embraces neurodiversity, with companies encouraging a culture that welcomes neurodivergent individuals. At the 2022 InfoSecurity Europe conference, Pete Cooper, deputy director of Cyber Defence in the Cabinet Office, highlighted the need for the cyber security sector to recruit a diverse range of people to foster different perspectives and the ability to spot both opportunities and challenges, bolstering a business’s agility and resilience. A career in cyber security typically calls for logic, discipline, curiosity and the ability to solve problems and find patterns. The industry offers a wide variety of jobs and career paths for neurodivergent people, particularly in threat analysis, threat intelligence and threat hunting.
Why people leave cyber security roles
People want to be engaged, challenged, educated and fulfilled at work. When a company recruits a single person just to look after its cyber security, that person often becomes bored and frustrated. Small and medium organisations often have only a very small team, or even just one person, working in cyber security, which can be very isolating and offers few opportunities to learn. In contrast, working for a managed service provider means you have many customers and the opportunity to learn from them as well as from the wider internal team around you. When organisations try to build their own internal cyber security teams, they run the risk that the work becomes about management and meetings, leaving little time to complete projects. This breeds dissatisfaction and is a common driver for people to look for a new role elsewhere.
Another driver for cyber security professionals to leave is a job that provides no variety or interest. If all they are doing is ‘alert bashing’, manually triaging a queue of alerts that, without the right automation, each have to be analysed by hand, this becomes a source of great frustration.
The dangers of overwork
When cyber security is done in-house, stress and burn-out become more likely for cyber security professionals. Unless an organisation is very large, it will struggle to build a cyber team working 24/7 or operating internationally and to provide cover for shifts, illnesses and employees’ annual leave when needed. One recent report found that security leaders work an average of 11 hours extra per week, with one in 10 leaders working up to 24 hours extra a week. It is little wonder that people then struggle to switch off from their jobs once they are home.
Aside from relaxing stringent entry requirements, being more inclusive and making sure staff are not overworked, here are some other steps organisations can take to make sure they recruit and retain their cyber security hires.
Consider hiring an expert
Often, small businesses don’t have the budgets to address cyber security in the way they want to or need to. Business owners often believe that they need a technical person in place, but businesses can benefit from hiring a CISO to bring a holistic and proactive approach to implementing information security. A CISO can analyse an organisation’s cyber risk, put a strategy in place and identify the right team to handle cyber security issues. If budgets are tight, CISOs are available as a virtual service (vCISOs), and demand for this service has been growing significantly since the pandemic. With a CISO at the helm of your organisation’s cyber security management, it is more likely that the right security team hires and investment will be made.
Automation is not a magic pill
Don’t assume that your cyber gaps can be solved by automation; it isn’t the silver bullet many organisations imagine it to be. Automation can certainly help, and it is essential for managed service providers because it frees up staff to do other, more interesting work. But automation needs an experienced automation team working 24/7, which is only possible in large organisations working at scale. You can’t just automate processes and forget about them: after a period, an automated process may no longer be appropriate for the environment and needs to be reviewed. It is worth noting that some of the biggest outages are caused by automation failures. If a one-man band has automated a cyber security process for an organisation and it fails, they are often the only person who can fix it too, which makes them a single point of failure.
Put a cyber security strategy in place
Organisations should have a cyber strategy that allocates the appropriate time and budget to cyber security. This enables the cyber security team to do their job rather than sit in meetings all day. Security teams cannot and should not work in isolation either; they need other teams, such as the network and helpdesk teams, to cooperate with them. When organisations don’t have a cyber strategy, the cyber security team can end up working on projects or solving issues which aren’t even in their job description.
Recruit for the people, train for the skills
People are the key to a successful cyber security operation for any organisation, not the technology in place. If organisations focus on hiring the right people with the aptitude and personal skillset to do the job, they can train them once in post. It is crucial to get the human element of cyber security right, and there’s a long way to go before organisations crack this nut.