Light Dark
August 27, 2021 By David Bisson 4 min read
CISO
Security Services

It’s time to look at the industry skills gap differently. More and more digital native young people could potentially be coming into the industry with the right skills, but several elements block their progress. Professionals already in place need to smooth the road for them. That might involve changing some assumptions about hiring, but in the end, it could be the solution to the skills gap problem.

In brief, what is the skills gap? Well, there are more jobs than qualified people to fill them. Open cybersecurity positions increased by 350% between 2013 and 2021. That brought the total number of unfilled security positions up to 3.5 million. Today, there are 2.5 million more vacant cybersecurity jobs than there were in 2014.

Reframing the Cybersecurity Skills Gap

So, there’s no disputing that there are open cybersecurity jobs. And desired skills are in short supply. Many people tend to see the latter as the cause of the former.

But that’s just it. These are ‘desired’ skills for that particular job in that company or agency, and they’re part of the skills gap too. They are not skills that are absolutely necessary for someone to land a position in the security industry more generally. Netskope’s chief information security officer, Lamont Orange, agreed when he wrote for TechCrunch that many hiring managers shortchange themselves by looking for professionals who, at one point, trained on all the technologies used by the organization. Preferences such as these are just not realistic. These types of applicants just don’t exist.

That means the people with the power to hire have an opportunity — if not an imperative — to reframe the cybersecurity skills gap. Given the difficulties they’re having in filling out their workforce, they’re not going to be able to find someone who meets every criterion by their first day on the job. So, they need to think about finding someone who can learn and grow into the role as their needs change. In particular, they need to look to individuals who want to improve their skills and who have something new that others in the organization don’t have.

How to Hire Despite the Skills Gap

Both of the traits discussed in the previous section fit young people. They’re digital natives who have grown up adapting to new technologies, which lets them keep up with the changing industry. What’s more, many young people view cybersecurity favorably. Over half (57%) of under-25s told Kaspersky that they consider hacking to be an “impressive” skill, for instance.

But there’s a problem. Digital criminals are taking up defenders’ time, thus making it difficult for them to train young people. RSA called it a “classic Catch-22” where organizations don’t teach and where young people decide to avoid the field after seeing this. It’s a self-perpetuating cycle that contributes to the skills gap, as well. Fewer young people who are engaged in the field means less creative thinking about solving challenges. This contributes to more time lost to defending against or responding to attacks and not enough time spent on training young people.

In the absence of meaningful guidance, some young people even find themselves on the other side of the law. Just under a quarter (23%) of young participants in Kaspersky’s survey said that they know someone who’s engaged in cyber-related activities that could be illegal. For the sake of their own security, it’s important for organizations to harness young people’s interest in this field and direct it towards making the internet a safer place.

Closing the Skills Gap With the Right Training

Cybersecurity training for young people can take on multiple forms. It can begin with building a cybersecurity foundation in a formal K-12 classroom setting.

That being said, formal classroom training can accomplish only so much. Young people can’t learn how an adversary thinks from reading a textbook. They also can’t learn what a job in the field might actually entail. For that kind of learning, young people need to look for opportunities outside of the classroom.

Apprenticeships and internships are a good choice. After all, they’re the best way to get real-world experience. That’s good for both the students and the industry, and is another way to close the skills gap.

“After doing my [Business and Technology Education Council qualification] in computer studies I got an apprenticeship, learning on the job while studying part-time for my degree,” Maxine Holt, senior research director at Omdia, told Global Security Mag. “I also got to work in other parts of the business, which really helped me understand how they interacted with IT.”

Apprenticeships and internships are generally suited to older students who are deciding whether to get a degree or what specific field to study. What about younger students who might not even know the industry exists?

Team-related activities are good for this. Some, like IBM’s CyberDay4Girls, use 1-3 hour activity kits. This particular kit educates pre-teen and teenage girls about the internet of things, cryptography and other topics. They can also take on a format like Cyber Security Challenge U.K.’s Cyber Centurion where teenagers form teams and compete against each other as they learn about networking, defense and cybersecurity on different operating systems.

A Holistic Approach to Cybersecurity Training

Apprenticeships, internships, awareness initiatives and competitions can all help organizations educate young people about potential opportunities in the cybersecurity sector. None of those training methods are mutually exclusive, either. Organizations can pursue all the above with sponsorships and community outreach programs.

In response to the events of 2020, many organizations accelerated their journey to embrace their own digital transformations. They also opened themselves to new opportunities and new risks. Organizations can use that to close the skill gap and fill their open security positions. They themselves are on a journey, too, with their security needs always changing. They don’t need someone who satisfies only a snapshot of their current security posture. They need someone who is willing to grow with them on their security journey. That’s why training young people could be one of the smartest investments they make for the future of their security.

 |  |  |  | 
David Bisson
Contributing Editor

More from CISO
April 9, 2024

Why security orchestration, automation and response (SOAR) is fundamental to a security platform

3 min read - Security teams today are facing increased challenges due to the remote and hybrid workforce expansion in the wake of COVID-19. Teams that were already struggling with too many tools and too much data are finding it even more difficult to collaborate and communicate as employees have moved to a virtual security operations center (SOC) model while addressing an increasing number of threats.  Disconnected teams accelerate the need for an open and connected platform approach to security . Adopting this type of…

April 2, 2024

The evolution of a CISO: How the role has changed

3 min read - In many organizations, the Chief Information Security Officer (CISO) focuses mainly — and sometimes exclusively — on cybersecurity. However, with today’s sophisticated threats and evolving threat landscape, businesses are shifting many roles’ responsibilities, and expanding the CISO’s role is at the forefront of those changes. According to Gartner, regulatory pressure and attack surface expansion will result in 45% of CISOs’ remits expanding beyond cybersecurity by 2027.With the scope of a CISO’s responsibilities changing so quickly, how will the role adapt…

February 21, 2024

X-Force Threat Intelligence Index 2024 reveals stolen credentials as top risk, with AI attacks on the horizon

4 min read - Every year, IBM X-Force analysts assess the data collected across all our security disciplines to create the IBM X-Force Threat Intelligence Index, our annual report that plots changes in the cyber threat landscape to reveal trends and help clients proactively put security measures in place. Among the many noteworthy findings in the 2024 edition of the X-Force report, three major trends stand out that we’re advising security professionals and CISOs to observe: A sharp increase in abuse of valid accounts…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature