Hack The Cybersecurity Skills Gap

by Black Hat Middle East and Africa

Close the cybersecurity skills gap by hiring and retaining the right people.

The cybersecurity talent shortage is no secret to anyone in the industry, and it doesn't seem to be going away any time soon. According to Cybersecurity Ventures, the number of unfilled cybersecurity jobs worldwide grew by 350% between 2013 and 2021, from 1 million to 3.5 million, and it predicts that the same number of jobs will still be open in five years. Organisations are homing in on the problem, knowing that it leaves them exposed. "It's front of mind for all the boards and oversight committees we present to," said PwC's Chris Hall. 54% of companies, including those anticipating revenue declines, plan to increase their tech spending to prioritise cybersecurity. Yet the questions many cybersecurity leaders find themselves asking are how to attract the right talent, and whether upskilling or recruiting is the better option. We're here to demystify the process and help you hire and retain the best talent.

CRACKING THE CODE TO THE SHORTAGE OF CYBERSECURITY PROFESSIONALS

The need for cybersecurity professionals has been accelerating faster than companies can hire—and that demand is expected to continue.

There is a global shortfall of 2.72 million qualified cybersecurity workers, according to the 2021 Cybersecurity Workforce Study by (ISC)², the International Information System Security Certification Consortium. Cybersecurity professionals surveyed in the study named the skills gap as the number-one obstacle to addressing their organisations' security needs, and 60% of respondents reported that their organisation is at risk because of a cybersecurity staffing shortage. A cybersecurity talent shortage can therefore be genuinely detrimental to organisational success.

TOP 5 CAUSES OF THE CYBERSECURITY SKILLS SHORTAGE

Organisations are competing against each other for candidates from a scarce talent pool, so cybersecurity salaries keep rising and organisations cannot afford to hire as many workers. The result is that the existing workforce is assigned more tasks, causing burnout, according to research by the Information Systems Security Association (ISSA). But there is more to the cybersecurity skills gap than burnout. Here are the top five causes:

The rising demand for cybersecurity talent

Organisations have become completely dependent on technology, and technology is constantly evolving, so securing today's systems and data against cyber attacks is harder than ever. The result? Organisations need larger security teams with a broader mix of skills, and they simply can't find what they're looking for. The gap spans key roles from cloud security specialists to penetration testers, with demand highest for cloud security specialists and security operations (SOC) analysts.

[Figure: Cybersecurity Skills Gap (source: Fortinet)]

The cybersecurity talent pool lacks diversity

According to a workforce study from (ISC)², only about 25% of the global cybersecurity workforce are women. Additionally, 7 out of 10 leaders worldwide say that hiring women and new graduates is among their top three challenges, and 61% say that hiring minorities is also a top challenge.

Employers have unrealistic expectations

Cybersecurity job descriptions usually demand college degrees, multiple certifications and years of experience across several security disciplines. This discourages many candidates who could be good fits for the organisation from applying, because they assume they are underqualified. Of those who do apply, many never hear back, which points to a major problem in cybersecurity recruiting methods. That said, certifications still matter: 79% of organisations surveyed by Fortinet said that certifications increased cybersecurity awareness and improved the performance of duties, so it makes sense that 81% of organisations look for certified professionals when hiring. In fact, 91% of organisations said they would be willing to fund an employee to earn a cybersecurity certification.

Employees aren't keeping their skills up to date

Burnout is a common issue in the cybersecurity industry. Employees are so overworked that they rarely get the opportunity to learn new skills, attend cybersecurity training, take online courses or earn new certifications.

Cybersecurity experts are switching careers

A 2022 survey commissioned by Trellix found that over one-third of the cybersecurity workforce is planning to change careers. This is an alarming statistic that points to a major retention problem, driven largely by constant staffing shortages and the immense pressure of many cybersecurity jobs. According to the Trellix survey, cybersecurity professionals' top frustrations with the industry were:

○ 35% cited the lack of a clear career path
○ 31% cited the lack of societal recognition of their work and the lack of support from their employers to develop their skills

As more people leave the field, the talent shortage is magnified, which pushes even more professionals out, creating a loop that is difficult to break.

HOW TO CLOSE THE CYBERSECURITY SKILLS GAP

You'll want to hit the sweet spot between hiring skilled professionals and retaining existing talent. What if you could reduce cyber risk at your organisation while hiring fewer people and cutting costs? That is the aim of McKinsey's talent-to-value protection strategy. The essence of this approach is to plan your cybersecurity recruiting in advance and tailor hiring to your company's overall cybersecurity needs, hiring or upskilling for the most crucial cyber initiatives first. Doing so entails defining your priorities, assessing risks, and filling roles based on the skills and qualifications that reduce those risks and protect business value.

HOW TO IMPLEMENT TALENT-TO-VALUE PROTECTION

You can implement the talent-to-value protection strategy in three steps. Firstly, identify the most crucial cybersecurity activities based on your organisation's needs. Secondly, define the roles that do the most to reduce risk. Thirdly, create job descriptions for those roles and decide whether upskilling or hiring is the best option for each position.

1- Identify priority cybersecurity activities

Risk modelling, with scores assigned to potential vulnerabilities, is at the core of the talent-to-value protection framework. It lets you build a list of activities and pinpoint the priorities needed to execute your security strategy. Risk should be assessed in terms of business or operational impact: a risk score combines the likelihood of an attacker acting (including their intent), the impact if they succeed, and the extent of the company's exposure to that particular risk. For instance, a technology organisation found after risk modelling that cloud compromise was one of its biggest threats, so it prioritised the activities that reduced that risk, putting cloud security controls ahead of on-premises ones. Risk modelling also allowed the company to map activities to the roles it needed, which it then filled through a mix of hiring, upskilling and outsourcing.

2- Determine priority roles

Define and prioritise the security roles your organisation needs to address its top risk-based priorities. For instance, the company above had to prioritise filling cloud security roles so that it could implement critical cloud controls as soon as possible. Once you have defined your priority roles, you can write job descriptions for what the company needs in each of them.

3- Create job descriptions and determine whether to upskill or hire

Once you've identified your priority roles, you need to decide whether each should be filled by hiring new talent or by upskilling current employees. One way to do this is to create a job and role architecture linked to the organisation's security service catalogue. You can build that catalogue around key groups such as cybersecurity operations, engineering and governance, and service groups such as cloud security or data governance. The purpose of the job and role architecture is to organise jobs into families, positions, functions and roles. Established frameworks such as the NIST NICE Framework (NIST SP 800-181) can be used to assign categories and speciality areas to the roles you need.

You must then create a detailed job description outlining the skills, tasks, and background of the person who will fill the role. Once job descriptions are complete and priority roles identified, leaders can determine who on the current cybersecurity team would be a good fit for those roles. This should come before hiring externally, since upskilling is often faster and cheaper than recruiting. If upskilling isn't possible, leaders can use the newly defined job descriptions to hire the right candidates.

PLACE DIVERSITY AT THE HEART OF YOUR HIRING PROCESS

Demanding a minimum of a four-year bachelor's degree plus years of experience instantly shrinks the pool of talent to choose from, and formal education isn't always indicative of a candidate's skills: Forbes reported that 80% of ethical hackers are self-taught. PwC recommends searching for candidates with more diverse backgrounds, including minorities and women, who remain underrepresented in the industry despite their qualifications. Fortunately, there are signs of an upswing in diversity, with 89% of global organisations now including explicit diversity objectives in their hiring plans.

RETAIN TALENT

CISOs stay in a position for an average of only 24 to 48 months, according to a study by Enterprise Strategy Group and the Information Systems Security Association. While the majority left for positions with better salaries and benefits, 36% left because they weren't a good fit for the company, and 34% left because they lacked a voice in decision-making.

The key is to manage your hires' expectations about the role and company culture from the outset. It's also important not to overload the cybersecurity team with excessive responsibilities and long hours. Burnout is a common reason for quitting, with 65% of cybersecurity professionals saying they have considered leaving their jobs because of increased stress, pressure, and mental health struggles.

The importance of training your staff cannot be overstated. Upskilling your existing cybersecurity employees is your best weapon against the talent shortage. These employees already know the company's priorities and processes, and can add more value when given the opportunity to move into more specialised roles. Upskilling also helps retain employees by showing them that the company trusts them and cares about their professional development, and by involving them in key processes as they climb the ladder. It means giving employees the chance to get certified, improve their skills, and advance professionally. Offering organisation-wide cybersecurity training to technical and non-technical staff alike is also key to building essential cyber-hygiene skills.

UPSKILL YOUR STAFF AT BLACK HAT MEA

Join us at Black Hat MEA, the region's biggest cybersecurity conference, designed to put you ahead of criminal networks. If you or your team members want to gain reputable cybersecurity certifications such as OSEE and OSCP, Black Hat MEA is the place to be. Get trained by 100+ elite ethical hackers and 50 Black Hat trainers to safeguard your organisation, and network with and hear talks from the infosec community's leading CISOs and influencers. Black Hat MEA is co-organised by the Saudi Federation for CyberSecurity, Programming and Drones (SAFCSP) as part of Vision 2030, with the aim of protecting the Kingdom's ambitious projects and promoting a digitally robust future.

GETTING TO THE ROOT OF THE PROBLEM

The cybersecurity skills gap puts companies, government entities, and educational institutions at risk because it leaves them with weaker security than they should have, increasing the likelihood of data breaches, privacy violations, financial fraud, and other serious consequences.

Bridging this gap means understanding why the cybersecurity skills shortage exists and persists, and then taking proactive steps to change how you hire and retain talent.
