The COVID-19 pandemic instantly reshaped working culture on a global level. While businesses that deliver products and services in person struggled to survive, IT operations in medium and large companies continued to function remotely. However, cybersecurity concerns have been rising exponentially with a sudden increase in data breaches, which are much easier for attackers to carry out against personal devices that are not protected by local network capabilities. Therefore, the cybersecurity workforce continues to be in high demand, although it appears that this niche is approaching a serious hiring and retention crisis.
Let’s look at what challenges human resource departments have to deal with when it comes to hiring cybersecurity professionals and what opportunities they explore to overcome the shortage of talent.
Highly skilled security professionals are highly valued, and they have the freedom to choose between different employers that compete by offering higher and higher salaries. However, there is a very small number of cybersecurity superstars, while the industry needs many more specialists, from junior to senior level. As a result of the talent shortage, senior professionals often end up with too much work on their plate, which is quite dangerous for the security posture of the companies they work for because lots of security alerts are left unreviewed. At the same time, while many companies report financial losses during the pandemic that negatively impacted the hiring process, cyber experts expect their salaries to rise even more.
An example of efficient use of highly skilled talent that benefits the industry on a global level is the Threat Bounty program launched by SOC Prime. This company launched a Detection as Code platform where thousands of companies can find timely detection rules mapped to MITRE ATT&CK and based on the vendor-agnostic Sigma notation. All these rules are written on a regular basis by seasoned cybersecurity professionals from all over the world who have been in the industry for many years and have already gained a solid reputation in the field. Any security team can access this detection content, thus saving the time otherwise spent seeking cybersecurity superstars and reducing important metrics like mean time to detect. Another interesting way to save cyber professionals time and effort is to use automated tools. For example, Uncoder.IO is a free online translation engine that instantly converts generic Sigma-based detections, search queries, API requests, filters, and more into a variety of vendor-specific formats.
Cybersecurity Skills Gap
According to ISACA’s report, the skills gap in the cybersecurity field continues to grow while organizations struggle to hire and retain the right people. The average time it takes to hire a cybersecurity professional is no less than six months. Out of 2,000 respondents, 63% have understaffed security teams. Specifically, 46% of organizations find it most difficult to fill legal compliance positions, while 55% are struggling to fill technical privacy roles. Along with that, 60% of businesses admit that it’s hard to retain cybersecurity personnel, a 7% increase since last year.
But what are the reasons that make this niche so volatile? Why do security specialists keep leaving their workplaces in search of something better? When researchers asked cyber workers, here’s what they found. As many as 59% leave because they are being recruited by other companies, with 48% stating poor financial incentives as a weighty reason to go. Next, limited promotion and self-development opportunities were mentioned by 47% of employees, a high level of work stress was mentioned by 45% of respondents, and a lack of management support was stated by 34% of professionals.
Returning to the skills gap, the biggest gaps were identified in soft skills like communication, leadership, and problem-solving (54%), and in cloud computing (54%).
How to Overcome the Cybersecurity Talent Shortage
The situation might seem critical, yet there are a number of solutions to the cybersecurity talent and retention issue.
University graduates might be a lucrative source of highly skilled cybersecurity professionals. Companies should explore the possibilities of hiring students as well as college graduates without work experience for entry-level positions. Experts mention that broadening the hiring horizons will most likely require systemic changes in organizations’ hiring pipelines.
Diversity in hiring seems to be another critically important issue. A recent study from Trellix shows that 91% of respondents believe that more effort should be directed toward hiring people who represent diverse backgrounds. The research indicates that most professionals in cybersecurity are straight white males. If companies encourage specialists from minority groups and specific population groups like people with autism, veterans, and alternative genders to apply for cyber roles, these specialists will get an incentive to come and stay in the industry.
Free education can also help resolve the hiring crisis. Large multinational companies like Microsoft have already launched training programs that are conducted across the world, including in under-represented regions like Asia and South Africa (which also happen to have an increased cyber threat risk). They also work with community colleges to bridge the skills gap.