There’s good news, and there’s bad news. The good news is that the number of cybersecurity professionals has reached an all-time high. According to (ISC)2’s annual Cybersecurity Workforce Study, 4.7 million people currently work in a security-related job.

The bad news: the study also found a worldwide gap of 3.4 million cybersecurity workers. 70% of those surveyed also said they think their organization’s security team is understaffed, decreasing its effectiveness.

As cyberattacks grow increasingly sophisticated and threat landscapes expand, organizations need to get creative in their cybersecurity approach. It’s not enough to reset the parameters on building skill sets. We need to start reimagining what internal cybersecurity programs should look like from the ground up.

Cybersecurity is all about people

Cyber skills shouldn’t just be reserved for experienced and well-trained cybersecurity professionals. While the security team is running the show, their job is primarily to focus on the technology side of things.

But most cyber incidents are the result of human error or ignorance about best security practices. Unfortunately, sometimes the workplace culture doesn’t encourage employees to come forward when they see or do something unusual. That helps threats slip under the radar until it’s too late.

Security best practices only work when everyone is a part of the solution. This is even more important in the context of our current cybersecurity staffing shortages. Doing more to make security an “all hands on deck” atmosphere will help close the skills gap.

Certification for beginners

One of the biggest hurdles in closing the talent gap isn’t a lack of people with the right skills, but rather unattainable standards for employees just beginning their careers. Too many entry-level positions want new hires to have certifications like Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM). However, most prerequisites for taking the certification exams include several years of job experience (many require five years), the exams are expensive (costing hundreds of dollars) and they are difficult to pass on the first attempt. Then, once someone achieves certification, they are no longer applying for entry-level positions.

This approach has kept out many potential cybersecurity professionals who are just beginning their careers. Recognizing the certification roadblock in the talent gap, (ISC)2 jump-started a new initiative called One Million Certified in Cybersecurity. Participants enroll as an (ISC)2 candidate, where they will get free training in a self-paced course and a free exam opportunity. Once certified, the participant will have access to the professional development opportunities and resources that other certified professionals have. While the overall objective is to increase the available skilled labor needed in entry-level positions and beyond, it is also an opportunity for more people to explore a cyber career without spending thousands of dollars. Most importantly, it should offer employers confidence when bringing in less experienced talent.

“Employers need confidence that when hiring new entrants into the field they have a solid grasp of the right technical concepts, and a demonstrated aptitude to learn on the job,” (ISC)2 asserted, adding that with the creation of such a certificate, it will enable job candidates to “demonstrate to employers their familiarity with foundational cybersecurity concepts as determined by cybersecurity professionals and practitioners already in the field.”

Rethinking security awareness training

Security awareness training, as it is typically delivered, doesn’t work. A study from Elevate Security found that, while security training does slightly lower phishing click rates in simulations, it has little to no effect in real-world attacks, when that training really matters. Periodic online quizzes or annual lectures aren’t moving the needle.

A different style of training may make a bigger difference. When users understand the consequences of their actions and how to decrease risk, they become partners with cybersecurity professionals. The goal is to reduce human-caused incidents so the security team can focus on the tech side of the job. But first, users need to be better engaged in their awareness training activities.

During the Insider Risk Summit, the Head of Trust Culture and Training with Atlassian, Marisa Fagan, said that training should be fun. When training is enjoyable, employees feel like they are a part of something important to the company. According to Fagan, effective security training should be relevant and fast-paced and add an element of storytelling. You want to have employees talking about the session and sharing what they learned in casual conversations.

Fagan suggested training films that are actual movies; they have an action film’s drama and excitement but are tailored to highlight your organization’s security concerns. They’re much more engaging than a PowerPoint presentation, and that makes the training stick.

Changing behavior to bridge the gap

Reframing cybersecurity while dealing with a skills shortage will involve changing overall behavior. Just as security awareness training must be encouraging in order to be effective, enforcing security best practices will rely on user experience. You want users to reach the point of making better decisions and regularly doing the right thing, according to Ira Winkler, field CISO and vice president with CYE, who spoke at the 2022 (ISC)2 Security Congress.

Security teams can take steps to embed cybersecurity into job functions and modify IT interfaces to encourage behaviors that reinforce good security habits. Overall, employees should be “caught” doing the right things and rewarded for it, rather than punished for doing the wrong thing.

The skills shortage is not going to disappear overnight. However, with steps such as improving security awareness training or accepting beginner certifications as an entry-level qualification, organizations can adjust their approach to their cybersecurity posture and build a foundation that supports the cybersecurity team.
