As new cybersecurity threats continue to loom, the industry is running short of workers to face them. The 2022 (ISC)2 Cybersecurity Workforce Study identified a 3.4 million worldwide cybersecurity worker gap; the total existing workforce is estimated at 4.7 million. Yet despite adding workers this past year, that gap continued to widen.

Nearly 12,000 participants in that study felt that additional staff would have a hugely positive impact on their ability to perform their duties. More hires would boost proper risk assessment, oversight, patching of critical systems and proper system configuration.

Many factors have contributed to this gap in essential cybersecurity workers. Some of the top reasons the survey identified were a lack of internal promotion opportunities, struggles with turnover and attrition, budget issues and a lack of qualified talent. But what defines “qualified talent” in cybersecurity today?

The industry has two options. The first is to cut the pie by continuing to focus on degree and certification holders. The other is to make a bigger pie by widening the talent pool and offering on-the-job training to applicants with the passion and mindset to succeed.

Looking for talent in all the wrong places?

The term “cybersecurity” has been overly mystified. Does it involve a reclusive hoodie-wearing night owl? A math whiz writing complex code or working with cryptography?

Unfortunately, misconceptions and complexity have built a wall around the industry. This, at least in part, may explain the high percentage of people with university degrees working in cybersecurity fields. In fact, 82% of the workforce have a Bachelor’s or Master’s degree.

That level of formal education may have been necessary in the past, but the industry requires all types of workers right now. The first step to closing that worker gap will be to ensure that the public understanding of “cybersecurity” is demystified. Core skills aren’t coding or highly advanced math; core skills are problem-solving, investigative thinking, dedication and hard work.

The making of a cybersecurity specialist

Recently, the Australian Signals Directorate (ASD) identified that a “cybersecurity specialist” is “just your average person” that can come from varying backgrounds. This is completely true, especially when key cybersecurity tasks today revolve around monitoring, detection and the ability to spot anomalies. Contrary to popular thinking, cybersecurity is not a bunch of blinking lights and super-secret artificial intelligence — though there are elements of that.

The cybersecurity industry could be morphing into a 21st Century version of manufacturing and assembly lines. Yes, there are still skilled labor requirements. But there is still no substitute for “hands-on keyboard” or “taking live fire” during an incident response case. That comes through experience.

Therefore, this begs the question: Who is better suited for a cybersecurity position? Somebody with a high school diploma but has managed computers and IT systems since they were a teenager, making mistakes along the way but solving them with passion and curiosity? Or a person with a cybersecurity degree who read about the field in a book, spending limited time with hands on a keyboard?

Focus on the person, not the paper

Let’s return to the (ISC)2 study. Participants are trending towards practical skills and experience as more important qualifications. Certification, degrees and training are nice, but problem-solving abilities and related work experience are what employers are looking for. Interestingly, certifications are seen to be more valuable for skills growth than a means to jump into a career in cybersecurity.

It almost feels as though there is an elephant in the room: are we considering the right people for cybersecurity jobs, especially for entry-level jobs?

Granted, some positions require a strong mix of experience, paper qualification and/or validation, and years of battle hardening. For instance, a CISO or senior-level SOC analyst will almost certainly have done time in the trenches.

But some positions grant some low-risk, hands-on experience. If an organization finds a candidate with sincere curiosity, problem-solving skills and the appropriate soft skills, their paper qualifications may not matter. Rather, what will determine success is the organization’s ability to train the individual on the necessary tools and the core technical competencies required to complete the job. A curious person with problem-solving skills can figure out the rest. Just do not leave them hanging because they may suffer from burnout.

Training can bridge the gap

Back to the assembly line analogy: Let’s say you are new to the machinery or protocols in a manufacturing shop. If you can be trained, shadow somebody more experienced for a period of time and have the right work ethic you can pick up the skills and excel. It’s the same principle in cybersecurity.

This is how to bridge the gap, especially in the short term. Waiting three to seven years for individuals to complete advanced degrees may no longer be practical, given the high demand. Technologies will change and there is no guarantee of “hands on keyboard” battle scars.

It’s time to start thinking outside the box. Pitch these two scenarios to a hiring manager today:

  1. Individual A works on IT systems and remotely manages a SIEM. They have no certifications or paper qualifications but have worked like this for a couple of years, come highly referred as a dedicated worker, are dependable and require little oversight.
  2. Individual B completed a Bachelor’s degree in computer science and a Master’s degree in cybersecurity. They also have completed some basic cybersecurity certifications but have no previous work experience or references.

Based on these surface descriptions, who are you inclined to interview first for a cybersecurity job?

The pathway to filling future needs

The above example is not a knock on those seeking university degrees or certifications; rather, it is a reality check. If 80% of workers in the industry have university degrees and there are not enough people to meet the need, well, you need to start looking elsewhere to fill the gap. Otherwise, expect retention problems.

For hiring managers, that will mean carefully crafting your requisitions and keeping your expectations in check. These new hires will be your apprentices for a while. Know that if you get them early, reward them with the opportunity and treat them right, you may also be filling a long-term need.

More from CISO

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…

What’s new in the 2023 Cost of a Data Breach report

3 min read - Data breach costs continue to grow, according to new research, reaching a record-high global average of $4.45 million, representing a 15% increase over three years. Costs in the healthcare industry continued to top the charts, as the most expensive industry for the 13th year in a row. Yet as breach costs continue to climb, the research points to new opportunities for containing breach costs. The research, conducted independently by Ponemon Institute and analyzed and published by IBM Security, constitutes the…

Cyber leaders: Stop being your own worst career enemy. Here’s how.

24 min read - Listen to this podcast on Apple Podcasts, Spotify or wherever you find your favorite audio content. We’ve been beating the cyber talent shortage drum for a while now, and with good reason. The vacancy numbers are staggering, with some in the industry reporting as many as 3.5 million unfilled positions as of April 2023 and projecting the disparity between supply and demand will remain until 2025. Perhaps one of the best (and arguably only) ways we can realistically bridge this gap is to…

Poor communication during a data breach can cost you — Here’s how to avoid it

5 min read - No one needs to tell you that data breaches are costly. That data has been quantified and the numbers are staggering. In fact, the IBM Security Cost of a Data Breach estimates that the average cost of a data breach in 2022 was $4.35 million, with 83% of organizations experiencing one or more security incidents. But what’s talked about less often (and we think should be talked about more) is how communication — both good and bad — factors into…