August 27, 2021 By David Bisson 4 min read

It’s time to look at the industry skills gap differently. More and more digital native young people could potentially be coming into the industry with the right skills, but several elements block their progress. Professionals already in place need to smooth the road for them. That might involve changing some assumptions about hiring, but in the end, it could be the solution to the skills gap problem.

In brief, what is the skills gap? Well, there are more jobs than qualified people to fill them. Open cybersecurity positions increased by 350% between 2013 and 2021. That brought the total number of unfilled security positions up to 3.5 million. Today, there are 2.5 million more vacant cybersecurity jobs than there were in 2014.

Reframing the Cybersecurity Skills Gap

So, there’s no disputing that there are open cybersecurity jobs. And desired skills are in short supply. Many people tend to see the latter as the cause of the former.

But that’s just it. These are ‘desired’ skills for that particular job in that company or agency, and they’re part of the skills gap too. They are not skills that are absolutely necessary for someone to land a position in the security industry more generally. Netskope’s chief information security officer, Lamont Orange, agreed when he wrote for TechCrunch that many hiring managers shortchange themselves by looking for professionals who, at one point, trained on all the technologies used by the organization. Preferences such as these are just not realistic. These types of applicants just don’t exist.

That means the people with the power to hire have an opportunity — if not an imperative — to reframe the cybersecurity skills gap. Given the difficulties they’re having in filling out their workforce, they’re not going to be able to find someone who meets every criterion by their first day on the job. So, they need to think about finding someone who can learn and grow into the role as their needs change. In particular, they need to look to individuals who want to improve their skills and who have something new that others in the organization don’t have.

How to Hire Despite the Skills Gap

Both of the traits discussed in the previous section fit young people. They’re digital natives who have grown up adapting to new technologies, which lets them keep up with the changing industry. What’s more, many young people view cybersecurity favorably. Over half (57%) of under-25s told Kaspersky that they consider hacking to be an “impressive” skill, for instance.

But there’s a problem. Digital criminals are taking up defenders’ time, thus making it difficult for them to train young people. RSA called it a “classic Catch-22” where organizations don’t teach and where young people decide to avoid the field after seeing this. It’s a self-perpetuating cycle that contributes to the skills gap, as well. Fewer young people who are engaged in the field means less creative thinking about solving challenges. This contributes to more time lost to defending against or responding to attacks and not enough time spent on training young people.

In the absence of meaningful guidance, some young people even find themselves on the other side of the law. Just under a quarter (23%) of young participants in Kaspersky’s survey said that they know someone who’s engaged in cyber-related activities that could be illegal. For the sake of their own security, it’s important for organizations to harness young people’s interest in this field and direct it towards making the internet a safer place.

Closing the Skills Gap With the Right Training

Cybersecurity training for young people can take on multiple forms. It can begin with building a cybersecurity foundation in a formal K-12 classroom setting.

That being said, formal classroom training can accomplish only so much. Young people can’t learn how an adversary thinks from reading a textbook. They also can’t learn what a job in the field might actually entail. For that kind of learning, young people need to look for opportunities outside of the classroom.

Apprenticeships and internships are a good choice. After all, they’re the best way to get real-world experience. That’s good for both the students and the industry, and is another way to close the skills gap.

“After doing my [Business and Technology Education Council qualification] in computer studies I got an apprenticeship, learning on the job while studying part-time for my degree,” Maxine Holt, senior research director at Omdia, told Global Security Mag. “I also got to work in other parts of the business, which really helped me understand how they interacted with IT.”

Apprenticeships and internships are generally suited to older students who are deciding whether to get a degree or what specific field to study. What about younger students who might not even know the industry exists?

Team-related activities are good for this. Some, like IBM’s CyberDay4Girls, use 1-3 hour activity kits. This particular kit educates pre-teen and teenage girls about the internet of things, cryptography and other topics. They can also take on a format like Cyber Security Challenge U.K.’s Cyber Centurion where teenagers form teams and compete against each other as they learn about networking, defense and cybersecurity on different operating systems.

A Holistic Approach to Cybersecurity Training

Apprenticeships, internships, awareness initiatives and competitions can all help organizations educate young people about potential opportunities in the cybersecurity sector. None of those training methods are mutually exclusive, either. Organizations can pursue all the above with sponsorships and community outreach programs.

In response to the events of 2020, many organizations accelerated their journey to embrace their own digital transformations. They also opened themselves to new opportunities and new risks. Organizations can use that to close the skill gap and fill their open security positions. They themselves are on a journey, too, with their security needs always changing. They don’t need someone who satisfies only a snapshot of their current security posture. They need someone who is willing to grow with them on their security journey. That’s why training young people could be one of the smartest investments they make for the future of their security.

More from CISO

Overheard at RSA Conference 2024: Top trends cybersecurity experts are talking about

4 min read - At a brunch roundtable, one of the many informal events held during the RSA Conference 2024 (RSAC), the conversation turned to the most popular trends and themes at this year’s events. There was no disagreement in what people presenting sessions or companies on the Expo show floor were talking about: RSAC 2024 is all about artificial intelligence (or as one CISO said, “It’s not RSAC; it’s RSAI”). The chatter around AI shouldn’t have been a surprise to anyone who attended…

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today