Much has been written about the growing talent gap in cybersecurity. Why in such a lucrative and rewarding career field is there so much need for additional and more qualified talent? And what can actually be done to fill this gap?
Just a few weeks ago the International Information System Security Certification Consortium (ISC2) published a report showing that in 2020 there were 700,000 cybersecurity professionals added to the labor force. That is an increase of 25% from 2019 payroll numbers. However, to meet security requirements and staffing needs the field still needs to grow by an additional 89% worldwide.
With such a large talent need it makes you wonder what it happening in the marketplace. What is the real reason there is a huge gap to be filled? Is it because the demand for talent simply outpaces the number of people wanting to work in cybersecurity? Is it because the available talent isn’t adequately trained? Or could it be related to companies not understanding their true cybersecurity needs? Is the current data breach of United States government computer systems that have impacted more agencies across the federal government and more than 50 companies, an example of how we simply don’t realize our true needs when it comes to keeping our information secure?
Over the past year, we’ve been monitoring job postings on the web or social media, especially those looking to hire for entry-level positions, such as cybersecurity analysts. Many of them, though not all, have requirements that are far beyond the possibilities of someone who is just starting their career. Among the most common job requirements are candidates who have: a bachelor’s degree, several years of experience, and knowledge in advanced cyber skills. In practice, however, a cybersecurity analyst or Jr. Engineer should have skills and knowledge of how operating systems work, an understanding of hacking processes, computer scripts, and diverse systems, as well as network administration.
Most industries have figured out what the background requirements are for their entry-level jobs. Most career paths have entry-level requirements of one or two years of experience that can be traded for certain education accomplishments. But in cybersecurity, we know many who are wondering why there truly is no such thing as an entry-level job. Perhaps we need to re-think this model.
Here is a typical job posting for an entry-level cyber analyst.
How does someone get experience as a cybersecurity architect in a large corporate environment if that very same experience is necessary to get your foot in the door in the first place?
As an industry we need to have a better understanding of what our skill needs are and how to hire for those skill needs. Just like other industries we need to train from the ground up and prepare our employees for more complicated job functions later in their career. If we don’t give our cyber professionals time to grow into their jobs, we are destined to continue to be staffed with individuals who aren’t prepared for pending attacks, and simply not enough people in the cybersecurity workforce.
There is little doubt that we need to collectively dig deeper into organizational and industry needs and better understand what skills a person has to have in order to be successful in an entry-level job and then those jobs to follow as their skills and experience expand. Is it possible that job postings like the above should be different?
As cybersecurity architects and trainers we need to help create more realistic expectations, more effective training programs and have a better sense of what cyber threats are out there and how we combat them. We need to know what our needs are so that we can close the talent gap in a faster and more effective way. We believe there are at least two ways we can help:
- We mentioned it before, creating an industry and organizational awareness of what cybersecurity needs exist and what a cybersecurity entry-level role means and what a typical career path looks like. What are the hard and soft skills set associated these roles and typical career paths?
- Promote apprenticeship programs that offer on-the-job experience and cybersecurity certifications. We need to let people grow into their jobs. To do this, we need new career development programs that both help an employee grow while also ensuring that employees have the skills to protect his or her organization.
We don’t know if this will be easy or hard, but we do know that we can’t continue with our current skill training model. The cybersecurity demands are growing much faster than our current talent pool is. It’s time to look in the mirror and figure it out.