There’s quite a bit of evidence to show that the number of unfilled cyber security vacancies is increasing and it’s taking longer for companies to find the right candidate to join their team, however there are definitely areas where the industry can improve to reduce this skills gap. My personal opinion is that the cyber security skills shortage is a lot smaller than people suggest but then I suppose I take the Baloo approach… take a look under rocks and plants, take a glance at the fancy ants then maybe try a few!
I’ve previously written about the importance of cyber security job descriptions and interview questions to make sure you’re attracting the right sort of talent. Again, the same applies as a starting point to reduce the skills shortage within cyber security; get the adverts right, you attract more talent, get the interview questions/process right and you’ll have more people in your talent pool.
“You can’t win anything with kids…”
Alan Hansen’s famous quote in reference to the golden generation at Manchester United can definitely be applied to show that the cyber security skills shortage is a myth. The answer to solve the skills shortage can be found within the younger generation; helping them get into the industry and getting them ‘work ready’ through multiple programmes.
Take the Cyber First programme from the NCSC, a fantastic programme to help young people explore their passion for cyber security by getting them involved in a broad range of activities, helping to hone their skills to enter into the cyber security industry. Yes you might not be able to hire an 11 year old straight away (pretty sure there’s laws against that!) however what you can do as an organisation is get involved early in a youngsters career, help them develop their skills and then, when they are ready for the world of work, you’ve got a cracking option to improve your cyber security team.
Other than that, look at dedicated cyber security university programmes; talent who are already engaged in the industry. You’ve got Universities like Oxford, Edinburgh Napier and Royal Holloway, who have courses approved by GCHQ, where there’s a massive talent pool for companies to find new cyber security professionals in. You’ve also got places like University of South Wales who are now offering degrees where graduates get hands on training and industry specific course material from companies like Airbus, General Dynamics, Alert Logic and QinetiQ – they get commercial projects from cyber security companies so the transition into the ‘real world of work’ isn’t such a drastic leap.
Have you tried not looking for the magical unicorn?
I see this as a big issue within the cyber security industry and why we hear about the so-called cyber security skills shortage; companies want the perfect candidate, who can do everything on day one rather than looking at the potential of staff. Nine times out of ten, companies are looking for candidates to be able to do every bit of the job description they’ve written, they aren’t willing to take the time to really look at a candidate’s skill set and think of how easily it could develop within a role. For example, say a company is looking for SIEM experience, but a candidate has only worked with network monitoring solutions like Solarwinds; is there much of a crossover? Or is it simply teaching them the functionality/capability of a system and letting them develop their skills?
As well as this, that magical unicorn cyber security job description you’ve written is putting off potential candidates and giving them a mindset of “I don’t have enough experience to apply” – again, yes they might not be the 100% fit on their first day but if you can give them the opportunity, they can do 80% of the work, and they want to develop further within the industry why wouldn’t you give them the chance to shine… and solve the cyber security skills shortage at the same time.
Look for an Arnie Schwarzenegger…
Think of this man’s career; Mr Universe, Mr Olympia, Conan the Barbarian, the Terminator, comedic actor (Twins, Jingle all the Way, Kindergarten Cop!), Governor of California, investor within Planet Hollywood, back to action super star. Yes, his physique helped to open new doors for him, but his skill set has crossed multiple boundaries and given him multiple career paths.
So, a way to stop the cyber security skills shortage, look for candidates who might not have 10 years’ experience in cyber security but can cross over easily. With the softer skills involved, a network engineer could cross over into a security engineer (NOC to SOC), a developer could be pretty good at reverse engineering and malware analysis, a QA Tester could pick up the Penetration Testing suite… If someone has a technical background, transferable skills and a passion for the industry why wouldn’t they be able to join your cyber security team.
All the cyber ladies, all the cyber ladies…
Now put your hands up… I know it’s cheesy but there’s a message in here, what I see as one of the major factors for addressing the cyber security skills shortage… diversity. There are big advocates within the industry (Jane Frankland, Jenny Radcliffe, Mivy James to name a few) for getting more females into the cyber security industry; their mentality being different to the gung-ho approach of males, bringing in different skill sets to compliment the current workforce. With this, we can look at reducing the current skill shortage.
Looking deeper into utilising diversity to bridge the skills gap you’ve got initiatives like the IASME Community SOC championed by Emma Philpott, or the strategy driven by Titania to promote neurodiversity within the workplace; believing that they can bring fresh ideas in the way they approach work.
Break away from tradition…
You’ve been hiring IT professionals for years, you’ve got adverts out on all of the well-known job boards, you’ve recently placed your first advert on LinkedIn, you’ve got nice shiny social media posts pointing people to apply… any minute now a flood of eager cyber security professionals, 100% spot on for your team, are going to be clawing at the door and fighting for the chance to work with you. Sadly, you’ll be waiting a long time (unless your global brand has a ridiculous reach – hello Zuckerberg, Bezos and Gates…!)
My advice, look in avenues that not every company does and again, there’s a good chance for you to reduce the cyber security skills gap within your company. Think of things like Immersive Labs (training platform for cyber security skills), Hack the Box (a playground for Penetration Testers), get yourself to industry events like InfoSec (just make sure to take a bag for all the swag giveaways!) or join local meetups like Cyber Wales or Cyber Scotland Connect – these are the rocks and plants Baloo finds the best ants, and you can do the same with your cyber security talent searches.
It’s not just Jerry Springer who can have a final thought…
As I said earlier, there’s evidence to suggest that there is a cyber security skills shortage however, I don’t think it’s as bad as it seems; to me there’s plenty of talented people that can help reduce the gap. What the industry has to do is to help uncover them and bring them into the market; promote diversity, look at crossing over skill sets (internal or external candidates), reduce your expectations for that magical unicorn, help bring those in education through to the industry and break away from tradition. To steal a well-known phrase “every little helps” and will reduce the cyber security skills shortage.
If you are struggling to find the right cyber security talent please get in touch. In our experience the cyber security skills shortage isn't as prevalent as it may seem.
Written by Jonathan Stock, Cyber Security Recruitment Consultant