There’s good news, and there’s bad news. The good news is that the number of cybersecurity professionals has reached an all-time high. According to (ISC)2’s annual Cybersecurity Workforce Study, 4.7 million people currently work in a security-related job.

The bad news: the study also found a worldwide gap of 3.4 million cybersecurity workers. 70% of those surveyed also said they think their organization’s security team is understaffed, decreasing its effectiveness.

As cyberattacks grow increasingly sophisticated and threat landscapes expand, organizations need to get creative in their cybersecurity approach. It’s not enough to adjust how we build skill sets. We need to start reimagining what internal cybersecurity programs should look like from the ground up.

Cybersecurity is All About People

Cyber skills shouldn’t be reserved only for experienced and well-trained cybersecurity professionals. While the security team runs the show, its job is primarily to focus on the technology side of things.

But most cyber incidents are the result of human error or ignorance about best security practices. Unfortunately, sometimes the workplace culture doesn’t encourage employees to come forward when they see or do something unusual. That helps threats slip under the radar until it’s too late.

Security best practices only work when everyone is a part of the solution. This is even more important in the context of our current cybersecurity staffing shortages. Doing more to make security an “all hands on deck” atmosphere will help close the skills gap.

Certification for Beginners

One of the biggest hurdles in closing the talent gap isn’t a lack of people with the right skills, but rather unobtainable standards for employees just beginning their careers. Too many entry-level positions want new hires to have certifications like Certified Information Systems Security Professional (CISSP) or Certified Information Security Manager (CISM). However, most prerequisites for taking the certification exams include several years of job experience (many require five years), are expensive (costing hundreds of dollars) and are difficult to pass on the first attempt. Then, once someone achieves certification, they aren’t applying for entry-level positions.

This approach has kept out many potential cybersecurity professionals who are just beginning their careers. Recognizing the certification roadblock in the talent gap, (ISC)2 jump-started a new initiative called One Million Certified in Cybersecurity. Participants enroll as an (ISC)2 candidate, where they will get free training in a self-paced course and a free exam opportunity. Once certified, the participant will have access to the professional development opportunities and resources that other certified professionals have. While the overall objective is to increase the available skilled labor needed in entry-level positions and beyond, it is also an opportunity for more people to explore a cyber career without spending thousands of dollars. Most importantly, it should offer employers confidence when bringing in less experienced talent.

“Employers need confidence that when hiring new entrants into the field they have a solid grasp of the right technical concepts, and a demonstrated aptitude to learn on the job,” (ISC)2 asserted, adding that with the creation of such a certificate, it will enable job candidates to “demonstrate to employers their familiarity with foundational cybersecurity concepts as determined by cybersecurity professionals and practitioners already in the field.”

Rethinking Security Awareness Training

Security awareness training doesn’t work. A study from Elevate Security found that, while security training does slightly lower phishing click rates in simulations, it has little to no effect in real-world attacks when that training really matters. Periodic online quizzes or annual lectures aren’t moving the needle.

A different style of training may make a bigger difference. When users understand the consequences of their actions and how to decrease risk, they become partners with cybersecurity professionals. The goal is to reduce human-caused incidents so the security team can focus on the tech side of the job. But first, users need to be better engaged in their awareness training activities.

During the Insider Risk Summit, the Head of Trust Culture and Training with Atlassian, Marisa Fagan, said that training should be fun. When training is enjoyable, employees feel like they are a part of something important to the company. According to Fagan, effective security training should be relevant and fast-paced and add an element of storytelling. You want to have employees talking about the session and sharing what they learned in casual conversations.

Fagan suggested training films that are actual movies; they have an action film’s drama and excitement but are tailored to highlight your organization’s security concerns. They’re much more engaging than a PowerPoint presentation, and that makes the training stick.

Changing Behavior to Bridge the Gap

Reframing cybersecurity while dealing with a skills shortage will involve changing overall behavior. Just as security awareness training must be encouraging in order to be effective, enforcing security best practices will rely on user experience. You want users to reach the point of making better decisions and regularly doing the right thing, according to Ira Winkler, field CISO and vice president with CYE, who spoke at the 2022 (ISC)2 Security Congress.

Security teams can take steps to embed cybersecurity into job functions and modify IT interfaces to encourage behaviors that reinforce good security habits. Overall, employees should be “caught” doing the right things and rewarded for it, rather than punished for doing the wrong thing.

The skills shortage is not going to disappear overnight. However, with steps such as improving security awareness training or accepting beginner certifications as an entry-level qualification, organizations can adjust their approach to their cybersecurity posture and build a foundation that supports the cybersecurity team.
