Even as the country potentially faces increasing numbers of Covid-19 cases, unemployment numbers have been falling. However, one sector that has been largely unaffected by the novel coronavirus has been cybersecurity, and even with shutdowns this year, the talent shortage has neared “danger level” by some estimates.
According to new data from CyberSeek, from October 2019 to September 2020, there were 166,000 openings for information security analysts, but only 125,570 workers employed in those positions. The situation is more dire for cybersecurity, which had more than half a million unfilled positions this year.
On average, cybersecurity roles now take 21% longer to fill than other IT jobs.
There are efforts underway to address the shortfall. Earlier this year the Cybersecurity Talent Initiative was launched by the Partnership for Public Service, in conjunction with Mastercard, Microsoft, Workday, and CyberVista, to address the shortage of cybersecurity workers.
Addressing Skills Gap
The shortage of workers is just one part of a very serious problem facing the cybersecurity sector. Another factor is “cybersecurity workforce development,” which is just a fancy way of suggesting that skills can be improved.
“The cybersecurity skills gap has become even more of a concern during the current pandemic and work from home migration,” explained Chloé Messdaghi, VP of strategy at Point3 Security.
“The lack of talent that many companies face is exacerbated by two factors: the barriers to communication and interaction that many security teams are now facing, and the prospects of burnout because so many teams are working so hard to compensate for that lack of communication,” Messdaghi told ClearanceJobs. “Also, working from home has eliminated the barriers between work hours and downtime, and too many companies are expecting their cybersecurity employees to be available on demand, whenever needed, which is inherently more stressful.”
Old Dogs, New Tricks
However, there is more to it than just learning a new skill, because training is commonly tied to very specific technology.
“Employers understandably seek workers who can step in and immediately manipulate one or another system, so a certification for that tech is reasonably good assurance of what an employee could accomplish,” said Jim Purtilo, associate professor of computer science at the University of Maryland. “But the nature of technology, especially with cyber security, is that it changes fast.”
There are other concerns, including who would pay for ongoing training to enable workers to keep pace with new capabilities and to stay ahead of would-be intruders.
“The half-life of credentialing in yesterday’s tech is pretty short, so if industry is scrambling to find prepared workers then this tells me industry isn’t investing as much into in-service training as it might,” Purtilo told ClearanceJobs. “It takes time and effort to stay up to date, and I bet companies that regularly invest in their people have a more stable workforce. If you churn staff as quickly as you churn tech then no wonder it’s a challenge to find workers.”
Education versus Training
There is also an important distinction between education and training. Training often involves immediacy, but when it is conducted without the perspective and soft skills brought out by proper education, those workers won’t be as resilient in the face of change.
“Higher education needs to up our game on what are enduring values which should be part of every cybersecurity education,” added Purtilo. “Industry will then get far more mileage out of investments in tech training and certifications.”
Finding the Right Candidate
Because of the great shortage of cybersecurity workers, many companies are now seeking individuals who express interest in changing careers. This presents opportunities for those eager to learn, but often drive may not be enough for them to succeed – and again this cohort could be trained rather than properly educated.
That may not be an ideal solution for addressing the need to better educate individuals for something as important as cybersecurity.
“There is certainly a talent shortage, but there’s also a serious problem of talent recognition,” suggested Messdaghi. “In too many organizations, cybersecurity candidate screening is conducted by people with little background in security, and who rely solely on resumes and credentials – important data, but which do not reflect a candidate’s actual skills and initiative.”
A major issue is that a poor fit to the organization’s challenges can often result in cybersecurity talent turnover at rates significantly higher than in other areas of a company. This can come about as workers feel unable to do the job, but also from companies that find some individuals aren’t up to the task at hand.
“The commercial, industrial and public sectors are all learning that if they don’t invest in cybersecurity, they ultimately don’t have a viable organization, product, or service,” Messdaghi noted. “Up until recently, the senior staff didn’t see money coming in as a result of security, so they haven’t invested in it. In that regard, the public sector is very much like the private sector.”
Plagued by Gatekeeping
As with other sectors of the IT world, cybersecurity is now increasingly plagued by gatekeeping. The talent may be emerging – and even able to keep up with the latest technology – but cannot get hired for a number of reasons. Security clearance remains an issue, but there are other factors.
“There is more cybersecurity talent emerging and ready, but hiring them through old methods is ineffective,” said Messdaghi. “A better approach is to offer skills assessments and measure talent before starting the interview process, during the earliest phase of recruitment. This puts resumes in better perspective, and recognizes helps to attract far more diverse talent.”
Messdaghi also suggested that state and local governments need to invest in their teams – both to heighten readiness and because it’s far more effective to upskill their people than it is to hire new talent. “Information security (Infosec) has a huge representation problem, and that’s due in part to the fact that agencies and departments organizations aren’t proactively looking for talent, or investing in the talent they have,” she added. “People are forgetting one thing: gatekeeping is real in cybersecurity and it persists because people are basing hiring on resumes.”
One suggestion from the experts is for hiring to use a gamified assessment, which can introduce some elements of gaming – such as progressing through levels or earning points – to create a more engaging test when seeking the right candidate.
“A gamified assessment approach allowed us to not only pick someone with the right skillset but also to assess their drive and initiative to complete the challenges and that’s the kind of leadership that we really needed,” said Brian Hubbard, director of commercial and cybersecurity at Edwards Performance Solutions.
This hands-on approach can help cultivate and measure talent, but it can also enable cybersecurity professionals to continually “upskill” with engaging, gamified challenges.
“This can help them keep pace with the constantly shifting threat landscape,” said Messdaghi. “That goes double for employee retention – upskilling through gamification is a commitment to employee advancement, and is incentivizing. It’s so much easier to continually upskill cybersecurity professionals and train users to ward against attacks than it is to clean up after them.”