Confronting the skills gap is a challenge that has many in the cybersecurity industry confounded. With overworked security teams, an ever-expanding threat landscape and widening attack surfaces, the growing gap poses a serious challenge to the future of the security workforce.

The International Information System Security Certification Consortium (ISC2) looked at the cybersecurity skills gap more completely in its recent report, “Cybersecurity Workforce Study.”

Rather than making its calculations solely by subtracting supply from demand, the study looked at the percentage of companies that currently have open positions and considered the estimated growth of different-sized organizations. This builds an estimated gap based not only on current openings, but also future staffing needs.

“This more holistic approach to measuring the gap produces a more realistic representation of the security challenges — and opportunities — that both companies and cybersecurity pros are facing worldwide,” the ISC2 report said.

3 Out-of-the-Box Ways to Close the Cybersecurity Skills Gap

Sixty-three percent of the more than 1,400 respondents confirmed that their company has a shortage of staff dedicated to cybersecurity. Because of the shortage, 59 percent believe their companies are at moderate or extreme risk of cybersecurity attacks.

The good news is that there are ways to close, or at least narrow, the skills gap. For 48 percent of ISC2’s respondents, plans to increase cybersecurity staffing over the next 12 months are in the works. Whether it’s investing in cybersecurity awareness training, broadening the talent pool or partnering with local colleges and universities, organizations are getting creative when it comes to recruiting and retaining talent.

1. Expand Educational Resources

With an eye on the future of the cybersecurity industry, New York University (NYU) launched a citywide effort called Cyber NYC, according to NYU News. The goal of the initiative is to help fill the industry’s skills gap by providing educational training in cybersecurity.

“New York City needs to be ambitious about cybersecurity because our future depends on it,” said James Patchett, president and CEO of New York City Economic Development Corp. (NYCEDC) in a press release. “Cyber NYC will fuel the next generation of cybersecurity innovation and talent, leveraging one of the world’s greatest threats to create a major economic anchor and up to 10,000 quality middle-class jobs.”

2. Hire From the Public Sector

Another recently published ISC2 report, titled “Building a Resilient Cybersecurity Culture,” found that employees at government agencies bring a lot to the talent table. As such, many organizations have started recruiting directly from governmental organizations.

Of the 250 participants in the study, 50 percent of private organizations have successfully recruited talent from a government agency. Not surprisingly, the salary a private company can offer is attractive to those government workers who have undergone extensive training in the government’s battle against nation-state threat actors and organized cybercrime.

“One of the biggest draws to private industry, according to 67 percent of respondents, is salary,” the report said. “It’s no secret private companies generally pay better than government agencies, so it stands to reason many recruits from the government would welcome higher pay. Other deciding factors for government recruits include having a great leadership team (60 percent) and working for a mission-based organization (59 percent).”

3. Promote STEAM Education

While cybersecurity has long been a highly technical career, the roles and responsibilities of job categories have expanded to the point that many of the jobs that need to be filled actually require nontechnical skills.

“The solution to the talent gap is understanding the roles and responsibilities for each position in the field of cybersecurity, so we can train people,” said Deidre Diamond, CEO and founder of CyberSN. “We haven’t had a common language to work from. Bridging the talent gap requires extreme focus on creating a common language.”

To advance talented candidates into both traditional and nontraditional roles while fostering inclusive hiring practices, Diamond co-founded Brainbabe. Through their work, the leaders of Brainbabe have found that teaching companies to shift from a focus on science, technology, engineering and mathematics (STEM) fields to STEAM (the “A” is for “all”) is a critical step toward narrowing the skills gap.

Executives and hiring managers need to understand the value of inclusion. Being inclusive means being open to the contributions of all candidates, regardless of the boxes they check on a traditional job application.

It’s Time to Reach Across the Skills Gap

At the 2018 Security Congress, Diamond noted that studies have already produced data to support the fact that a diverse team is better at problem solving because it can see everything from a 365-degree view.

If the industry is serious about hiring for perpetually vacant positions, it’s incumbent upon those in executive leadership positions to cast a wider net in their talent searches. Whether by offering greater educational opportunities or inviting broader skill sets, the only way for organizations to fill security jobs is to take a more open approach. It’s time to reach across the gap.
