The cybersecurity talent gap is real. The 2019/2020 Official Annual Cybersecurity Jobs Report predicts that there will be 3.5 million security jobs left unfilled globally by 2021. The cybersecurity profession hit a 0% unemployment rate and the pay is good. So, why are security leaders struggling to fill positions? It could be because they are looking for the perfect candidate that doesn’t exist. Meanwhile, their newest security team member may already be working in their company.

Unrealistic Guidelines for Cybersecurity Professional Careers

Traditionally, the standard for entry-level cybersecurity professionals was five years of experience and several certifications, most specifically the Certified Information Systems Security Professional (CISSP) certificate. Even interns, who work with a company, have a tough time getting hired. Those who put in five years in the field and gained the certification typically aren’t looking for entry-level jobs.

Job descriptions also don’t match the actual duties. Cyber threats constantly shift, and technology is constantly updated. So, there needs to be a lot of flexibility in the search. Unfortunately, job descriptions are often written by people who aren’t working in the field. They follow a basic template, both overestimating and underestimating the actual needs of the position.

Finally, there is a tendency to overlook talent who don’t check off all the right boxes. Anyone who has attended a security conference knows how homogeneous the demographic is. Most climb the same ladder to get to the job. But defining what that ladder is means a lot of potentially great hires are ignored.

Looking Right in Front of You

Because cybersecurity is time-sensitive and requires urgent attention, decision-makers need to be creative about developing a security team. Looking internally should be the first option, and that means looking beyond IT.

Cybersecurity requires a variety of skills. Technical skills are taught. Soft skills, such as communication, writing, problem solving, management and work ethic, come naturally. Every security team needs someone who can work directly with the organization’s entire staff and clearly articulate security problems and behaviors; someone who is approachable; someone who isn’t afraid to take the lead and fix a problem. Most importantly, this will be someone who already has an interest in cybersecurity and follows good cyber hygiene practices.

Behavioral analytics is also a popular function in attack prevention. While this can be done with artificial intelligence (AI) tools, it also helps to have a human who can provide security awareness training and detect which employee behaviors could point to potential threats.

How to Find the Right Future Cybersecurity Professional

How do you figure out who in the company is a good candidate for a cybersecurity career? One way is to create a company-wide security team with one or two representatives from each department. Work with department heads to find out who meets some of the criteria you’re looking for: someone who is good with computer technology, is a self-starter and can communicate security issues back to co-workers. As the team meets regularly, you’ll learn who has the right characteristics, like passion, strategic thinking and creativity, to understand the mind of a threat actor.

Putting together a security team will help you build a cybersecurity culture within the company. Everyone should be cyber aware and doing their part to protect corporate assets from threats. Use incentives and rewards to encourage this type of culture. Take note of who is succeeding in practicing good security habits. They could also be future security professionals.

Finally, work with corporate leadership to offer the type of formal technical training that the potential security professional will need. It could be a couple of courses in security for IT workers already adept with computer skills, or more in-depth technical training in computer architecture, cloud computing, programming and specific training your company needs.

The cyber skills gap isn’t going to disappear overnight, but you can reduce unfilled entry-level positions in your company by taking a hard look at the talent already in house.
