In the conversation revolving around cybersecurity and the shortage of workers, one thing that gets tossed around a lot is the cybersecurity skills gap. Many cybersecurity leaders are feeling the pinch to recruit and retain workers that have the right abilities, but is this fact or fiction?
The answer is that it depends on the skills desired for the position, which involve both technical and people skills. So, where are the biggest gaps, and how can you develop these in your people?
In this post, we’ll dive into some data related to the cybersecurity skills gaps. Then, we’ll look at solutions to bridge it.
What Are Cybersecurity Leaders Saying About the Skills Gap?
The profession of cybersecurity is in a state of decline. The 2022 (ISC)² Cybersecurity Workforce Study reported that the industry needs 410,695 people to meet demand in the U.S. This shortage of workers is a cause of great concern for many reasons, including that it’s putting organizations at greater risk of cyberattacks. In fact, 74% of survey respondents said the problem is at least a moderate risk. The leading reason for the gap, according to the report, is a lack of qualified talent. As a result, 62% of organizations are investing in recruiting and hiring, and another 64% are doing the same for training.
What Do People Need to Be Qualified?
So, what skills do these people lack that mark them as not qualified? If you look at education, 88% of cyber professionals responding to the workforce study had at least a bachelor’s degree, with 48% having a master’s or higher. This would indicate proficiency and deep knowledge of hard skills. When asked about the qualifications that are the most important, hiring managers ranked these the highest:
- Strong problem-solving skills
- Relevant IT or cybersecurity experience
- Knowledge of basic and advanced cybersecurity concepts
- Strategic thinking skills
Cybersecurity certifications trended down as a must-have for employment, as did educational requirements. What we can gather from this data is that attractive qualifications have shifted to focus on soft skills, experience, and fundamentals.
Another report from ISACA revealed that 55% of cybersecurity leaders believe candidates aren’t qualified. Those respondents did emphasize experience and training but also prioritized education and certifications. These responses are somewhat in conflict, specifically in prioritizing credentials and education. Credentials and education will always be things that can demonstrate a person’s technical aptitude. That depends on the degree and the certification, though, as people who hold them can often be paper tigers: they look great on paper but don’t have the practical knowledge to be effective and high performing.
Qualified ultimately comes down to the skills someone possesses. These can be the result of earning a degree or certification. Others we learn through life and work experience. So, where is the real skills gap?
The Cybersecurity Skills Gap Reality: It’s More About the People Skills
A cyber professional can be the literal smartest person in the room when it comes to understanding all the technical aspects. They may be up-to-date on the attacks hackers are launching and the latest cybersecurity automation tools, and have superior knowledge about the cloud or controls. From the ISACA report, cyber managers listed these as the most significant skills gaps:
- Interpersonal skills, including critical thinking, problem-solving, collaboration, and attention to detail
- Cloud computing
- Security controls knowledge related to endpoints, networks, applications, and implementation
- Coding abilities
- Software development capabilities such as languages, machine code, testing, and deployment
- Data-focused areas such as classification, collection, processing, and structure
- Network aptitudes regarding architecture and network components
- Pattern analysis
- System hardening
- Hardware, software, and file system devices
This list includes both soft and technical skills, but soft skills were at the top for cyber leaders. The specific interpersonal skills they favor align with the qualifications listed earlier.
They need people to apply their cybersecurity knowledge with better people skills to ensure teams can work together to solve problems and not let things fall through the cracks. To do this, technical folks must be great communicators and collaborators, which is often tricky. Are these even skill sets someone can develop?
When assessing the cybersecurity skills gap, soft skills are the biggest challenge. So, how do you bridge the gap? There are many strategies to take that require a shift in perspective regarding talent acquisition and improving the abilities of your current staff.
Strategies for Bridging the Cybersecurity Skills Gap
There are two concepts at play. First, you need a recruitment strategy to find and develop people with hard and soft skills who demonstrate great potential. Second, you need a plan to help current employees grow their people skills, so they can thrive and be successful.
Reframing Your Recruitment Strategy
If you want to improve your talent acquisition pipeline, you’ll need to adjust your parameters. A focus on skills-based hiring is the first step. In this framework, you’re putting less importance on a degree and more on the person’s ability to do the work based on their attributes.
To do this, you have to look at more than their resume. Not every person is going to have every qualification, especially hands-on experience. They can’t get it if no one gives them a shot. You can use some different assessments to understand someone’s potential.
Once you begin interviewing, you’ll have the opportunity to evaluate their communication and problem-solving skills by asking questions about these two things, such as:
- How did you communicate with stakeholders regarding a challenge in a project?
- In what ways do you use critical thinking when faced with a problem?
They could be a great performer in your organization if you see something in them. If they don’t have every credential you expect, you can help them obtain it while they learn on the job.
Remember that new people may be entering cybersecurity as their second act. They may have a lot of great experience in other fields that translates into transferable soft skills. These are people likely worth adding to your team. If they have the motivation and desire, they will continue to hone their technical skills.
Continuing to Develop People Skills for All Your Technical Folks
Whether someone started yesterday or 10 years ago, they must continue a journey to improve their soft skills. A lack of focus on this can have detrimental consequences. You may have enough people that know cyber in theory, but their inability to connect and communicate can elevate risk.
As a framework to do this, I developed the Secure Methodology™. It’s a seven-step process that cyber leaders can use to transform black-and-white technical people into those that see the gray in situations by becoming better at interpersonal skills.
Here’s a preview of the steps and how they bridge the cybersecurity skills gap.
The journey starts with Awareness, which applies to the self and others. When this isn’t present, people do not understand their behaviors or that they are causing conflict, friction, and resentment. Moving people into an awareness state helps them gain more respect for others, which is key to a high-performing team.
Mindset is the next step; the goal is to move a person from a fixed mindset to a growth one. With this shift, people become more open and willing to see the many sides of an issue. Supporting this with the 7 Levels Deep exercise is a good foundation.
Acknowledgment is something cyber leaders must initiate. When you acknowledge people for their work, you’re creating a culture of trust and transparency. It can be a good tactic to combat burnout, or the persistent thinking cyber professionals have that they must know everything and can do anything. If people admit they don’t know, they can be open to learning and growing.
Communication is the most vital soft skill and is part of every exchange we have in life. Technical folks that rely on geek speak and non-inclusive language aren’t good communicators. In fact, most people will feel they are being condescending and rude. Those aren’t the communication skills you want to see in your people! In this stage, you apply activities and exercises that focus on listening as much as talking. If you prioritize communication, it becomes part of your culture and is in continuous development.
You may not think that Monotasking is a preferred skill. After all, most people are multitasking all day long, but it can lead to more stress and errors. Introducing the concept to your team may be met with resistance. Explain why working without distractions is important, as it builds the attention to detail skill set that matters considerably in cybersecurity.
In the Secure Methodology, cognitive empathy is the focus. It describes when you can understand another’s feelings and points of view. This capability is crucial in communication and collaboration. Seeking this out in new hires and working to help people improve it are a big win in the skills gap.
Kaizen is a Japanese term meaning “continuous improvement.” It’s a step that’s never over, as you want your staff to continue to improve their hard and soft skills. To align with this, they must be comfortable with adaptability and flexibility.
The Cybersecurity Soft Skills Gap Is Fact; Close It With the Secure Methodology
Closing the skills gap takes time and commitment. With the Secure Methodology, you have a framework to support your efforts. Get more details on how it helps by learning about the Secure Methodology course.