Recruiting for IT roles is tough. Recruiting for IT security roles is even tougher. ISACA found that 20 percent of companies took six months to fill their open roles with qualified candidates, and that 62 percent had teams that were understaffed. Similarly, ISC2 announced that the cybersecurity skills gap currently stands at 2.7 million roles that are not filled worldwide.
In theory, the data presented by ISACA and ISC2 implies that there are lots of opportunities for those with the right skills. The reality, however, is that ‘the right skills’ means different things to different people. We have to ask ourselves the following questions: Are we doing our teams and organizations a disservice by looking to fill these roles in the wrong way, potentially ignoring the wealth of talent that exists? And can diversity and inclusion initiatives help to fill those gaps more effectively?
In order to solve this talent problem, we first have to look at the issues affecting organizations. In working with companies and partners over the past few years, the biggest pain point that security leaders mention is the lack of entry-level talent. The primary concern is that not enough people are entering the market who can fill entry-level or junior security roles.
This has become such an issue that it is now also causing problems recruiting mid-tier analysts and experienced practitioners. Because the pipeline has been so poor, the number of people being promoted into mid- and senior-level positions has slowed down. Couple this with more competition for people with those more advanced skills, and an increased willingness to let people work remotely, and there is a huge fight going on for highly qualified professionals.
However, this is not the full picture. There is a war for existing talent that already fits roles and has gained experience. And while there are concerns about finding people for entry-level positions, the reality is that the qualifications listed for those roles often demand direct experience – even at the entry level. This can cause candidates with the right skills and aptitude to self-select out of applying for these roles, which drastically reduces the talent pool.
In the Decrypting Diversity report, the UK’s National Cyber Security Centre and KPMG found that women made up over a third of respondents - 36 percent - and those from LGBTQ backgrounds around ten percent. These are positive indicators for diversity in the overall IT security sector. However, the percentage of young people in the security sector was strikingly low: only one in twenty of those surveyed were between 18 and 24.
Evaluating recruiting approaches and processes is a starting point for solving this talent problem. Rather than exclusively evaluating candidates against rigid job specifications and technical skills, we should also consider effective methods for assessing aptitude and commitment. This not only highlights candidates who are more likely to be successful in their long-term careers, but also helps spot those who come from groups that tend to be less represented.
This involves looking beyond the CV. It means putting more work into attending and supporting events aimed at diversity in security, and it means looking beyond the IT security talent pool for those that are willing to learn and develop the necessary skills. Looking out for those with general IT network and systems administration skills can help, and partnering with universities that offer industry placements can also be effective.
Another contributing factor to the growing skills gap is the sometimes negative perception of training and educating employees. Some security companies believe that any investment in training ultimately benefits other companies that then try to poach staff. While this is certainly a risk, there is also a great deal of risk in leading a security team that is not properly trained, or in limiting employee growth out of fear that they will leave the organization.
In fact, training and education can be leveraged as a retention tool and positioned to employees as part of a growth plan, which should ultimately encourage them to stay. Security leaders should shift to an enablement mindset and seek to continuously train and develop their security teams over time. As Sir Richard Branson commented: “Train people well enough so they can leave, treat them well enough so they don’t want to.”
Security today is essential to how companies run their operations. The cost of attacks such as ransomware continues to rise, and no company can afford to leave security program gaps unaddressed – whether related to people, process, or technology. This includes talent management, and it can start with encouraging more job seekers to apply for roles, even if they don’t think they meet all of the requirements listed in a job description.
Original Publication: PCR Magazine