How close are we to addressing the most critical cybersecurity workforce issues? And how can leaders in security and human resources improve their ability to fill vacant jobs in cybersecurity? (ISC)2‘s latest “Cybersecurity Workforce Study” offers a clear picture of just how many jobs in cybersecurity are unfilled, how those vacancies can create ripple effects in the existing workforce and what strategies should be employed to close the gap.
The State of the Cybersecurity Workforce
If the topic of finding and retaining cybersecurity talent is a regular concern for your organization, you’re not alone. In the U.S., (ISC)2 estimated there are around 805,000 people employed in cybersecurity roles, with a backlog of nearly 500,000 unfilled positions. Globally, the gap is significant, with more than 4 million cybersecurity jobs going unfilled, which means the current global workforce of around 2.8 million people would almost need to double to account for all positions.
NIST’s own CyberSeek tool, a heat map that shows national and state-by-state job vacancies, presents slightly higher numbers for the U.S. According to NIST, there were over 504,300 job openings from October 2018 through September 2019, up from 313,000 job openings last year (Sept. 2017 to Sept. 2018). The NIST tool reports that there are nearly 1 million people working as cybersecurity professionals in the U.S. currently.
Unsurprisingly, most respondents in (ISC)2‘s study pointed to the lack of skilled, experienced cybersecurity staff as one of their top concerns. Gartner confirmed that in the last quarter of 2018, the talent shortage became the top risk. And this cybersecurity workforce gap isn’t just an issue for hiring managers and cybersecurity leaders — it has a direct effect on current cybersecurity professionals in the form of added stress and burnout.
The impact on work-life balance is an issue that is unlikely to be resolved unless organizations improve their ability to fill the multitude of open jobs in cybersecurity. How exactly can security leaders and HR departments do this? Here are a few strategies to consider.
Workforce Strategy 1: Take Care of Your Existing Employees
As the often cited, spot-on business quote goes, the CFO asks the CEO: “What happens if we invest in developing our people, and they leave us?” The CEO answers: “What happens if we don’t, and they stay?”
Your organization has already invested significantly in finding and onboarding your current employees, and the best way to leverage that investment of time, resources and money is to ensure that it delivers in the long term. The workforce study reported that only 65 percent of current cybersecurity professionals want to continue working in this field — will business leaders be content to let the other 35 percent simply evaporate from their organizations? Why are these employees considering leaving the field? Burnout and misalignment on job responsibilities are likely key factors in their thinking.
While 56 percent reported their day-to-day work matched their expectations, 28 percent reported that their current role was only “moderately close” to where they were expecting to be. Another 15 percent reported a strong misalignment between their job and their expectations. To help bring employee expectations into alignment with their responsibilities and ensure that their concerns are being handled properly, cybersecurity departments must ask:
- How often are security managers and HR staff meeting with current security employees?
- How are concerns being received? Do employees feel like they are being heard?
- Are workers’ concerns being resolved sufficiently and in a timely fashion?
The report also pointed to the value of establishing clear career paths as a way of taking care of your workforce. Only half of the report’s respondents had a clear idea of their cybersecurity career path at their current organization. Leadership should work closely with HR to review roles and responsibilities regularly and communicate cybersecurity career path options clearly. If you wait until an employee signals they’re about to leave, it will likely be too late. Instead, organizations should leverage any opportunity to collect feedback about expectations and aspirations so management can support the career goals of their cybersecurity personnel.
Another way to demonstrate organizational support is to establish professional mentorship programs and renew your organization’s commitment to investing in ongoing training and professional development. Employees whose organizations paid for cybersecurity certifications displayed “significantly higher job satisfaction rates than their peers” who worked for employers who didn’t. A majority of security professionals (59 percent) are either already working on their next certification or planning to do so within a year. Let these employees know you fully support their efforts, and talk to the rest about developing their plans to pursue certifications or explore other avenues for professional development.
Workforce Strategy 2: They’re Already Working for You
You may find it effective to look within your own organization for potential sources of cybersecurity talent. If you are open to hiring for cybersecurity roles from within, are your current employees aware that you would consider them? Only 40 percent of people working in cybersecurity got there by pursuing a degree in traditional computer science or security, so there’s no reason to overlook prime candidates who could be part of the other 60 percent. Organizations likely can’t afford to overlook such candidates, as (ISC)2‘s research showed that two-thirds of businesses now prioritize promoting from within.
But where can you find those internal gems? The report suggested looking for people with a grasp of how data flows through your organization, people who are familiar with concepts like data privacy and data security, and people with backgrounds in compliance, quality control or law. On the technical side, look for “IT generalists” who are eager to continue learning and growing.
Positions in cybersecurity are plentiful, and their duties are constantly expanding, so be sure to showcase the various roles people can occupy in your organization regularly. Be sure to include both technology-facing cybersecurity roles and those which are more focused on people and business factors. The report also listed some hot areas of professional development to support, including:
- Cloud computing
- Governance, risk management and compliance (GRC), and risk assessment, analysis and management
- Threat intelligence and analysis
- Security engineering and administration
Workforce Strategy 3: Widen Your Aperture, Be Realistic
As the saying goes, the definition of insanity is doing the same thing repeatedly and expecting different results. There simply aren’t enough people graduating with four-year degrees in cybersecurity or closely related fields to meet current demands, let alone future forecasts.
But if a candidate has a security or networking certification, why not give them a go — or, at least, an interview? If that candidate has an aptitude for the work and a passion for continuous learning, they might be right for your business, regardless of the specifics of their background. Organizations can’t afford to wait for the perfect applicants. Instead, they must widen their workforce apertures and adjust their minimum qualifications to a realistic standard.
Another area where organizations need to accept the market reality is cybersecurity salaries. Applicants don’t take well to demands for certifications and a decade or two of experience when they’re being offered a salary that’s only a fraction of what the position is truly worth. Do your research and provide competitive salary offers so you don’t waste your own time and the time of your applicants. The result of wasted time could be a mad dash to hire consultants, which may leave you paying considerably more for cybersecurity services without the peace of mind that comes with investing in quality staff.
Yes, the state of the cybersecurity workforce leaves a lot to be desired — the number of job openings and unfilled positions is vast and measures in the tens or hundreds of thousands for most countries. However, this challenge can be addressed by building better pathways to jobs in cybersecurity, opening workforce input filters, highlighting opportunities for growth and education, and taking care of our existing security professionals.
InfoSec, Risk, and Privacy Strategist - Minnesota State University, Mankato