One of the most important topics in cybersecurity is the talent shortage. Reports and data back up the consensus that we don’t have enough people for all the jobs and that new generations aren’t entering the field. Further, CISOs and other cyber leaders have noted it’s one of their biggest challenges. Finding qualified people has become a barrier to building and evolving cyber resilience. The cybersecurity skills gap runs parallel with this, as many cyber professionals or aspiring ones don’t have the qualities employers want.

This cycle of shortages and gaps will continue, leaving organizations facing greater risk in cyber operations. So, what’s the answer? There is no quick fix to this dilemma. However, there may be something we’re all overlooking — reskilling and upskilling talent. Making this investment in people develops them into capable cybersecurity specialists who possess both the soft and technical skills a company needs to survive and thrive in the modern age of business.

What Are the Cybersecurity Skills Gaps?

Overall, we can look at the industry and see it’s woefully understaffed. The (ISC)² 2022 Cybersecurity Workforce Study made headlines with its findings that over 3.4 million jobs in the industry remain unfilled. As a result, organizations feel the consequences: strained existing resources, an inability to conduct risk assessments, and greater risk.

It doesn’t necessarily mean there aren’t people who want to work in cybersecurity. It’s hard, though, to be too optimistic about younger generations joining the field, as millennials and Gen Z aren’t flocking to be cyber experts. In fact, less than 12% of the workforce is 34 or younger!

The bigger problem is the gap in hiring people who can hit the ground running. They aren’t meeting the expectations of those employing them, with 55% of cyber leaders stating applicants aren’t well qualified. So, what qualifications do they think candidates need? Here’s what they said, in order of importance:

  • Prior hands-on cybersecurity experience
  • Credentials
  • Hands-on training
  • Employer recommendations
  • University degree
  • Association membership

But how well do these things determine if someone can do the job? It’s hard to get hands-on experience or training without a starting point. Credentials don’t always equate to someone with the right skills. We’ve previously discussed the term “paper tigers” and how they don’t represent “quality.” Rather, paper tigers have all the right credentials on paper but don’t have the aptitude or ability to be successful cyber professionals.

A university degree can be the same as credentials. A four-year degree doesn’t make someone qualified, either. I would argue that expecting a college education, which 52% of organizations require, is a problem in cybersecurity recruitment. There are many bright and capable people out there that you’re dismissing.

The Biggest Skills Gaps: Soft and Hard Skills

In the same research, cyber leaders also noted the biggest skills gaps:

  • Soft skills (e.g., communication, flexibility, leadership)
  • Cloud computing
  • Security controls (e.g., endpoint, network, application, implementation)
  • Coding skills
  • Software development-related topics (e.g., languages, machine code, testing, deployment)
  • Data-related topics (e.g., characteristics, classification, collection, processing, structure)
  • Network-related topics (e.g., architecture, addressing, networking components)
  • Pattern analysis
  • System hardening
  • Computing devices (e.g., hardware, software, file systems)

That soft skills are the number one cybersecurity skills gap isn’t surprising. Without these capabilities, it doesn’t matter how technically gifted someone is; they’ll flounder and actually cause problems in the organization. When asked specifically what soft skills they find attractive, leaders said communication, critical thinking, problem-solving, collaboration, and attention to detail.

Developing these isn’t a priority for most credentialing or educational institutions. I suppose they think the working world will figure this out and help workers cultivate them. Except most workplaces aren’t, so the cycle of bad hiring continues.

All this data emphasizes that we’re at a crossroads in the industry. You do have control here to break the cycle with upskilling and reskilling, focusing on hard and soft skills.

Upskilling and Reskilling to Build a Better Pipeline of Cybersecurity Talent

The strategies and decisions you make today regarding recruitment and hiring affect both the short and long term. If you’re going to keep a pipeline running, you will have to look outside the normal parameters. Finding people passionate about cybersecurity and helping them become adept at it will serve you well. Here are some tips on how to build this into your hiring plan.

Look for internal talent.

There may be people within your organization now wanting to pursue cybersecurity. They may be in a non-technical position now, but they have potential. Creating a mentorship program within your company could build this bridge. Encourage those interested in the field to express their interest and join the community. Assess them based on their soft skills and capacity to learn technical knowledge. If you find some great people to develop, the business could pay for specific courses to help them level up their hard skills. Once they have the basics, continue to support them through learning and training.

Evaluate your current entry-level staff and their gaps.

You’ve likely hired for some entry-level positions lately. You saw their potential and recognized their abilities, but you also knew things were missing. Those can include soft and hard skills. Building a relationship with them and understanding their motivations and career goals can inform whom to invest in with upskilling and reskilling opportunities. If you invest in them, they’ll feel valued and appreciated, which will go a long way toward cybersecurity retention.

Stop looking at only a resume.

A resume is a piece of paper with a quick summary of what someone has accomplished. It’s not their whole story. It’s too easy to reject resumes based on whether they have the right keywords or phrases. Pay more attention to their abilities, aptitudes, and attitudes. How can you do this? Consider a short questionnaire that peels back the layers and gives you more insight. You may be passing up great candidates otherwise.

Develop every team member’s people skills.

The last piece of advice is to focus on people skills development. You may think it’s an impossible task, and getting people to change and grow is hard. I found it to be such a deficit in the field that I created the Secure Methodology™. It’s a seven-step guide that helps cyber leaders transform technical folks into excellent communicators, problem solvers, and collaborators. Here’s a preview of what each step entails and why it supports upskilling and reskilling.


We start with Awareness, which includes being cognizant of the self and others. When it’s absent, people don’t realize the impact of their behaviors, which can cause conflict and resentment. If you can move people into a state of awareness, they’ll have greater respect for others and think more intentionally about how they act.


A fixed mindset does no one any good. Encouraging people to shift to one of growth is good for everyone. In this step, I recommend the 7 Levels Deep exercise. From this, you can understand motivations and why people act as they do, which can break the fixed mindset.


Acknowledgment starts with you and is an act of appreciation. When you create a culture where this exists, it will strengthen trust and confidence. It’s also about redefining cybersecurity culture from one where the expectation is that technical people know everything and can do everything. All that does is create burnout. People need grace and also need to know you can give it to them.


Communication is the number one soft skill for a reason — it’s the core of everything in life. If communication is poor, rude, non-inclusive, or nonexistent, you have breakdowns that elevate risk and animosity. In this step, you’ll be using activities to get to the root of communication, which is just as much about listening as talking. Creating a space where communication is expected, transparent, and honest could be the greatest upskilling you provide to someone.


Monotasking focuses on the details, another soft skill missing in candidates. If you’ll recall, in acknowledgment, we discussed how cyber professionals can’t do everything. So, with this step, you will introduce monotasking and blocking off time on their schedules to complete one thing without distractions. The result will likely be greater productivity.


In the Secure Methodology, cognitive empathy is the learning. It’s understanding someone’s feelings and perspectives and is key to communication and collaboration. Once people grasp how important this is in work and life, they often have “aha” moments and finally realize how critical it is to be open to the views of others.


Kaizen is a Japanese term that translates to “continuous improvement.” So, this step continues forever and can teach people how to be adaptable and flexible. They can continually improve soft and technical skills throughout their career.

Reskill and Upskill With the Secure Methodology

If you want to reimagine how you recruit, hire, and retain, the Secure Methodology is a vital resource. Reskilling and upskilling are possible with this framework. Learn more by checking out the Secure Methodology course today.