You don’t have to go far to find cybersecurity professionals who are facing skills shortages, but the problem has several dimensions that have to be understood and mapped out before we can start to figure out possible solutions. As the founder of a management consultancy firm that specializes in cybersecurity, I believe there are three key factors leaders must consider.
1. Lack of education isn’t the only thing hindering talent acquisition.
First of all, the problem is absolutely real, but I believe it goes far beyond a lack of education or training opportunities. As such, acting at those levels only will not fix it.
From my perspective, the cybersecurity skills gap has its roots in the avalanche of cyberattacks we have seen over the past decade, as well as the awakening of most industries to the reality and virulence of cyber threats. Many firms that did not have a cybersecurity practice 10 years ago now have one or are building one. This is creating an escalating demand for cyber talents at all levels, including chief information security officers, developers, architects, trainers, auditors and pen testers.
But the fact that the demand for talent outstrips the supply is not the only factor here. In fact, I believe the cybersecurity industry has a perennial image problem. In my experience, many people see it as a complex technical niche or as a role where you always have to say “no.”
Of course, those are clichés, but the security industry and its tech vendors do little to redress them. Just look at the imagery often used when discussing cybersecurity: You often see a padlock and/or someone in a hooded sweatshirt to represent a hacker. Based on my observations, the imagery is also often male-dominated and coupled with the already-prevalent lack of diversity in tech and in STEM. I doubt this acts as an attractive factor for women.
I believe those are the cornerstones of a talent acquisition problem, and it can only be dealt with by moving away from the purely technical positioning of cyber roles, showcasing the full spectrum of jobs and careers the industry can offer and pushing forward role models from more diverse backgrounds.
2. Repetitive entry-level jobs make it difficult to retain talent.
Yet, higher demand for cybersecurity workers and the industry’s image problem are still only one side of the whole skills gap landscape. The cybersecurity industry has a talent retention problem as well, which I find is rooted in a different set of factors.
From my perspective, many entry-level jobs are simply too repetitive and boring. This is a direct consequence of the fact that many security operational processes have been reverse-engineered organically and tactically to accommodate countless tools. Without any overarching view in many cases, they have remained excessively manual and are often inefficient and disjointed.
Nobody joins cybersecurity to cut and paste data into spreadsheets or produce reports designed to tick a few boxes. But that’s the life of many young analysts, so they often leave as soon as they find something more attractive, and they don’t come back.
3. At a higher level, CISOs are feeling a different type of pain.
I’ve observed that many CISOs have been forced into a constant firefighting mode by the seemingly nonstop cyberattacks of the past 10 years. Now that the penny is dropping in the boardroom and the “when-not-if” paradigm is taking root, they are being pushed into an impossible role—one where they are expected to be credible one day in front of the board, the next in front of pen testers, the day after in front of regulators or auditors and so on.
I believe firefighting technical problems does not lead to the development of the type of managerial experience or political acumen that is now expected of many CISOs. Many struggle with a situation for which they have been poorly prepared by the past decade, and stories abound of mental health challenges and burnout.
Those aspects are more difficult to deal with than the talent acquisition aspects because here, it is cybersecurity practices that need to change. It has to start with decluttering cybersecurity estates and streamlining processes around fewer tools. Clever automation is key, as this can help reduce the number of tools in use and optimize process efficiency.
The objective here should be to free up time for a smaller number of analysts to perform less repetitive tasks so that they can be involved in the more challenging roles for which they have been hired, such as threat intelligence or incident forensics. From my perspective, successful action at this level would have an impact on both acquisition and retention rates.
At the top, cybersecurity functions have to be reorganized and redistributed to remove excessive dependency on key profiles and other bottlenecks. The profile of the CISO also needs to be raised—at least in large organizations—and the role has to be seen as a true leadership role that orchestrates work across a team of experts, as well as across the firm and its supply chain.
In many cases, organizations might need to expand the cybersecurity team, but this should also force companies to redesign it functionally and in a structured way around some form of operating model. This would help them move away from the legacy and project-led type of approach still prevailing in many firms today.
Overall, the cybersecurity skills gap is not inevitable, but it is key to look at it in all its dimensions before jumping to ready-made solutions. Dealing with it might involve facing a number of deep-rooted and inconvenient truths for many organizations and the security industry at large.