Current approaches to cybersecurity are not delivering strong results. Many organizations continue to view cybersecurity as a cost rather than a strategic and necessary investment to mitigate risk. Despite rising levels of data breaches, the potential loss of millions of dollars and critical damage to brand reputation, many business leaders have either not opted in or been able to allocate the right resources at the right levels. [i]
Companies across the globe are struggling to find, hire, and retain a cybersecurity team equipped with the experience and specific skillset to protect the software, data, and intellectual property of their business. The first challenge is that the pool of qualified talent is shallow. The second challenge is that this small market is highly competitive for the companies that need talent. Together, they pose a serious threat to the resiliency of some of our most important global enterprises.
The Limited Talent Pool: In its simplest form, cybersecurity recruitment is a problem of supply and demand. There are currently 286,000 open cybersecurity jobs globally. By 2022, that shortage will explode to 1.8M cybersecurity workers. There simply are not enough cybersecurity professionals to fill positions.
For that dangerous reality, we only have ourselves to blame. We’ve excluded roughly half the population through cultural practices of gendering and stereotyping of the occupation. Cybersecurity firm Kaspersky Lab recently reported that “most women decide against careers in the field before they’re 16 years old.”
Unfortunately, the talent pool challenges don’t stop at gender issues. Individuals who have pursued a formal education in computer science or the like, often emerge with little to no practical knowledge or experience that qualifies them to work in the field because their time has been focused almost entirely on academic learning.
“In a lot of ways, cybersecurity – the technical disciplines – is white-collar work that needs to be trained like blue-collar jobs.”
– Terry McGraw, Vice President, SecureWorks
Hiring and Retaining Talent Takes Resources: The increasing need to invest in cybersecurity can be a costly shift for an organization. In the UK last year, cybersecurity salaries rose about 9% – compared to a national average of 2.7%. The rapidly rising salaries of cybersecurity professionals can incite sticker shock, particularly if those in charge of hiring and funding workforce expansion lack sufficient awareness of how critical this role is. In addition, the hiring process can be time intensive. More than half of companies report the process of filling a cybersecurity opening takes three to six months.
Once hired, retaining a cybersecurity expert is no easy feat. As a discipline that attracts the intellectual challenge-seeker, staring at a single system day in and day out is a sure way to lose your best talent. There needs to be a clear development path that continues to challenge the professional.
There is no singular solution when it comes to a company’s need for cybersecurity capability. The following approaches offer potential ways to make cybersecurity achievable for most organizations.
The Return of the Apprentice: Though fairly obscure in the U.S., the apprenticeship model may find a comeback with the cybersecurity talent pool. This model helps solve the lack of real-world experience by hiring inexperienced workers and paying them to learn on the job. What’s really cool about this approach is that it can help make technology jobs more accessible to those who live outside the usual privileged cohort, while recognizing the value of in-field experience. Companies like Midwest Cyber Center (MC2), a St. Louis non-profit, identify talent and leverage grant funds to bring companies eager professionals willing to learn cybersecurity on the job.
Calling in Crowdsourcing: Cybersecurity crowdsourcing companies are offering rewards to ethical hackers who report flaws in company hardware, software, and system networks. By leveraging the gig economy, companies can access extensive talent to strengthen and secure their business with little long-term investment. This model has significantly contributed to the cybersecurity workforce, making it a noteworthy strategy for numerous businesses.
“More than just your internal security team, you get the experience and diversity of hundreds of hackers all going after one target”
– Jay Kaplan, Co-founder and CEO, Synack
Elevate the Experts: The conversation around security has been changing, and the way in which we explain the value of cybersecurity has and will continue to evolve. Though leaders generally agree that cybersecurity is of increasing importance to the health of their company, most organizations have yet to restructure their management to address the rising concern. In many companies, security is not represented at the executive table – robbing the function from getting the attention and resources it needs. Bringing security into the conversation at the highest level will become of increasing importance, particularly if global threats and enterprise risks continue to expand at their current rate.
If you’re not completely satisfied with your company’s cybersecurity capability, consider addressing the challenges through collaborative workforce models that account for your needs. This resource issue is not a line item to approve. It is an investment in your future.
It’s time to rethink the profile of your most valuable cybersecurity resource – your workforce.
{{cta(‘b1d0efef-1663-4f2f-91aa-1cddb265d3db’)}}
[i] All quotes and data are from a CXO Magazine eight-part report, The Race to Build a Cyber Workforce. Published by Northeastern University.
About the Authors