Earlier this month, I had the privilege to attend the IBM Security Summit in New York. Among the many great presenters and events during the day was a panel discussion on new and better ways to tackle the cybersecurity skills gap facing governments, industries and academia, and how a new collar approach can help.

The need for skilled cybersecurity talent is growing at an exponential rate, and traditional solutions can only address it in a linear manner. We’ve been working on this problem for years, with not enough progress.

Filling the Skills Gap With a New Collar Approach

The truth is we can’t outrun the skills gap. The panel explored some solutions to this challenge — namely, how we can educate and hire differently — looking at both the supply and demand side of the equation.

Shamla Naidoo, IBM’s vice president for IT risk and chief information security officer (CISO), hosted the panel. She was joined by Casey O’Brien, executive director and principal investigator at the National CyberWatch Center, an organization focused on education and research to improve the information security workforce. Pete Herzog, managing director of ISECOM, an open security research community and nonprofit organization, and founder of Hacker Highschool, also contributed to the discussion.

During the panel, IBM Security announced a new collaboration with Hacker Highschool. As part of the effort, IBM will provide guidance and tools for a new lesson focused on the skills needed for an entry-level security operation center (SOC) analyst.

Read the report: Addressing the Skills Gap with a New Collar Approach

What’s Working Today?

Naidoo tried to uncover what is working, what isn’t working and what industry is currently struggling with. She noted that cyber competitions seem to be making a dent in the skills gap. These competitions allow students to demonstrate their security knowledge and skills, both individually and collectively as a team. They also offer sponsoring companies, which often recruit directly from the competitions, an opportunity to see how students react in high-pressure situations.

Another idea that received applause was an increased focus on recruiting and retaining more women in the field. This is a well-known problem in the IT industry in general, but it is particularly acute in cybersecurity. There is a long way to go, but shedding more light on the issue is a good first step.

What Can We Do Better?

Next, the panel turned to the supply side of the equation, discussing the fact that not every cybersecurity job opening needs to be filled by someone with a bachelor’s degree. Some roles just require someone with the right skills and aptitudes — the cornerstone of a new collar approach.

Security leaders can cast a wider net when recruiting and hiring staff members by tapping the mature network of community college cybersecurity programs, which have been evolving over the past 10 years. The panelists noted that the community college brand is not well-understood in the industry, and many security professionals harbor inaccurate preconceived notions about students and programs at these institutions.

The panel further emphasized that the community college space has produced valuable innovations around workforce development in recent years. Security leaders should draw from these untapped pools of not only younger recruits, but also mature professionals with applicable experience.

Nurturing Undervalued Professional Qualities

The panelists then discussed what kind of cybersecurity professional we should be developing. Given the volatility of the threat and technology landscapes, how can we future-proof the professionals we are educating?

The panel suggested infusing real-world experience into cybersecurity education, not just theoretical concepts. First and foremost, students must understand how things work. This aligns with the need to encourage resourcefulness in aspiring security professionals — that is, the ability to find and develop solutions on their own, despite the overwhelming volume of information available at their fingertips today.

Naidoo said she looks at security talent in IBM from two different perspectives: skills and experience, and natural ability. The right candidate has not one or the other, but a blend of both. Sometimes, she said, we focus too much on skills and experience to the detriment of aptitude, which could be considered even more important.

Like the rest of the industry, Naidoo’s team has struggled to find and recruit security talent. She has a team of roughly 250 security professionals responsible for securing all of IBM. For her, it’s not just about the numbers — it’s about changing hiring and recruiting practices and revolutionizing the way her teams do their work.

Closing the Skills Gap

The panelists agreed that security leaders need to educate and train differently, develop new ways of working, and seek out new people and places to hire.

To start, we need to change our hiring and recruiting practices altogether. We must include people with military experience, community college degrees, liberal arts degrees and even aspiring security professionals with no degrees at all in our hiring searches. O’Brien mentioned that he had heard from a large defense contractor that some of its best red-team members are not engineers or coders, but actually music majors — specifically, composition majors.

Companies also need to bring their HR folks into the conversation and encourage them to work closely with the C-suite and those on the ground doing the work. Together, these parties should brainstorm new ways to identify talent.

It’s important to realize that enthusiasm, resourcefulness and curiosity are just as important as technical skills. Technical needs will evolve over time, but the fundamentals will always be the same. Security leaders should devise new ways to foster these intangible qualities.

Finally, don’t expect every potential hire to possess every technical skill under the sun. Naidoo builds teams of five to seven people with complementary skills so they can continue to work together when the environment shifts. An individual team member might be teaching one minute, then learning the next. With a new collar workforce, security teams can fight today’s threats more effectively and evolve along with the cybercrime and technology landscapes.
