February 3, 2023 By George Platsis 4 min read

As new cybersecurity threats continue to loom, the industry is running short of workers to face them. The 2022 (ISC)2 Cybersecurity Workforce Study identified a 3.4 million worldwide cybersecurity worker gap; the total existing workforce is estimated at 4.7 million. Yet despite adding workers this past year, that gap continued to widen.

Nearly 12,000 participants in that study felt that additional staff would have a hugely positive impact on their ability to perform their duties. More hires would boost proper risk assessment, oversight, patching of critical systems and proper system configuration.

Many factors have contributed to this gap in essential cybersecurity workers. Some of the top reasons the survey identified were a lack of internal promotion opportunities, struggles with turnover and attrition, budget issues and a lack of qualified talent. But what defines “qualified talent” in cybersecurity today?

The industry has two options. The first is to cut the pie by continuing to focus on degree and certification holders. The other is to make a bigger pie by widening the talent pool and offering on-the-job training to applicants with the passion and mindset to succeed.

Looking for talent in all the wrong places?

The term “cybersecurity” has been overly mystified. Does it involve a reclusive hoodie-wearing night owl? A math whiz writing complex code or working with cryptography?

Unfortunately, misconceptions and complexity have built a wall around the industry. This, at least in part, may explain the high percentage of people with university degrees working in cybersecurity fields. In fact, 82% of the workforce have a Bachelor’s or Master’s degree.

That level of formal education may have been necessary in the past, but the industry requires all types of workers right now. The first step to closing that worker gap will be to ensure that the public understanding of “cybersecurity” is demystified. Core skills aren’t coding or highly advanced math; core skills are problem-solving, investigative thinking, dedication and hard work.

The making of a cybersecurity specialist

Recently, the Australian Signals Directorate (ASD) identified that a “cybersecurity specialist” is “just your average person” that can come from varying backgrounds. This is completely true, especially when key cybersecurity tasks today revolve around monitoring, detection and the ability to spot anomalies. Contrary to popular thinking, cybersecurity is not a bunch of blinking lights and super-secret artificial intelligence — though there are elements of that.

The cybersecurity industry could be morphing into a 21st Century version of manufacturing and assembly lines. Yes, there are still skilled labor requirements. But there is still no substitute for “hands-on keyboard” or “taking live fire” during an incident response case. That comes through experience.

Therefore, this begs the question: Who is better suited for a cybersecurity position? Somebody with a high school diploma but has managed computers and IT systems since they were a teenager, making mistakes along the way but solving them with passion and curiosity? Or a person with a cybersecurity degree who read about the field in a book, spending limited time with hands on a keyboard?

Focus on the person, not the paper

Let’s return to the (ISC)2 study. Participants are trending towards practical skills and experience as more important qualifications. Certification, degrees and training are nice, but problem-solving abilities and related work experience are what employers are looking for. Interestingly, certifications are seen to be more valuable for skills growth than a means to jump into a career in cybersecurity.

It almost feels as though there is an elephant in the room: are we considering the right people for cybersecurity jobs, especially for entry-level jobs?

Granted, some positions require a strong mix of experience, paper qualification and/or validation, and years of battle hardening. For instance, a CISO or senior-level SOC analyst will almost certainly have done time in the trenches.

But some positions grant some low-risk, hands-on experience. If an organization finds a candidate with sincere curiosity, problem-solving skills and the appropriate soft skills, their paper qualifications may not matter. Rather, what will determine success is the organization’s ability to train the individual on the necessary tools and the core technical competencies required to complete the job. A curious person with problem-solving skills can figure out the rest. Just do not leave them hanging because they may suffer from burnout.

Training can bridge the gap

Back to the assembly line analogy: Let’s say you are new to the machinery or protocols in a manufacturing shop. If you can be trained, shadow somebody more experienced for a period of time and have the right work ethic you can pick up the skills and excel. It’s the same principle in cybersecurity.

This is how to bridge the gap, especially in the short term. Waiting three to seven years for individuals to complete advanced degrees may no longer be practical, given the high demand. Technologies will change and there is no guarantee of “hands on keyboard” battle scars.

It’s time to start thinking outside the box. Pitch these two scenarios to a hiring manager today:

  1. Individual A works on IT systems and remotely manages a SIEM. They have no certifications or paper qualifications but have worked like this for a couple of years, come highly referred as a dedicated worker, are dependable and require little oversight.
  2. Individual B completed a Bachelor’s degree in computer science and a Master’s degree in cybersecurity. They also have completed some basic cybersecurity certifications but have no previous work experience or references.

Based on these surface descriptions, who are you inclined to interview first for a cybersecurity job?

The pathway to filling future needs

The above example is not a knock on those seeking university degrees or certifications; rather, it is a reality check. If 80% of workers in the industry have university degrees and there are not enough people to meet the need, well, you need to start looking elsewhere to fill the gap. Otherwise, expect retention problems.

For hiring managers, that will mean carefully crafting your requisitions and keeping your expectations in check. These new hires will be your apprentices for a while. Know that if you get them early, reward them with the opportunity and treat them right, you may also be filling a long-term need.

More from CISO

Making smart cybersecurity spending decisions in 2025

4 min read - December is a month of numbers, from holiday countdowns to RSVPs for parties. But for business leaders, the most important numbers this month are the budget numbers for 2025. With cybersecurity a top focus for many businesses in 2025, it is likely to be a top-line item on many budgets heading into the New Year.Gartner expects that cybersecurity spending is expected to increase 15% in 2025, from $183.9 billion to $212 billion. Security services lead the way for the segment…

On holiday: Most important policies for reduced staff

4 min read - On Christmas Eve, 2023, the Ohio State Lottery had to shut down some of its systems because of a cyberattack. Around the same time, the Dark Web had a “Leaksmas” event, where cyber criminals shared stolen information for free as a holiday gift. In fact, the month of December 2023 saw more than 2 billion records breached and 1,351 disclosed security incidents, according to research from IT Governance — an increase of 332% and 187%, respectively, over the month of…

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today