Despite recent high-profile tech industry layoffs, demand for cybersecurity professionals remains high yet unfilled. With so many tech industry workers looking for their next job, why aren’t these displaced workers being recruited?
The answer might be found by better matching less likely candidates to retrain as cybersecurity techs. Demand for cyber workers grew by 25% in 2022, and much commentary exists about the need to hire cybersecurity talent from non-traditional backgrounds, like bartenders or schoolteachers.
According to data released in late January from the cybersecurity workforce analytics site developed in a partnership by the National Initiative for Cybersecurity Education at NIST, CompTIA, and Lightcast, the total number of employed cybersecurity workers held fairly steady in 2022 at around 1.1 million. The number of online job postings edged lower from 769,736 to 755,743 in the 12 months ending December 2022.
“Despite concerns about a slowing economy, demand for cybersecurity workers remains historically high. Companies know cybercrime won’t pause for a market downturn, so employers can’t afford to pause their cybersecurity hiring,” said Lightcast Vice President of Applied Research-Talent Will Markow.
According to Lightcast data, each of the first nine months of 2022 set records for the highest monthly cybersecurity demand since 2012 but cooled in November and December. A key indicator is the ratio of currently employed cybersecurity workers to new openings, which indicates how significant the worker shortfall is.
The supply-demand ratio is currently 68 workers per 100 job openings, edging up from the previous period’s ratio of 65 workers per 100 openings. Based on these numbers, nearly 530,000 more cybersecurity workers in the U.S. are needed to close current supply gaps.
Some industry researchers suggest that hiring cybersecurity talent from non-traditional backgrounds, like bartenders or schoolteachers, is an ideal outside-the-box solution.
Unrealistic Idea Given Tech Barriers
Other cyber pros contend that such a solution does not align with the reality of the industry. Mainly, the barriers to entry remain too high, with many organizations still using antiquated hiring methods, such as requiring certifications that are impossible to get without work experience.
Lenny Zeltser, CISO at cybersecurity asset management company Axonius, and instructor at cybersecurity training, certifications, and research firm SANS Institute, also finds it surprising that no one seems to be talking about how hard it is to move up the hierarchy once you land a cyber position in the first place.
There is little to no guidance on how to move from cyber practitioner to chief information security officer or CISO. Many organizations lack standards and structure around how to pay cyber practitioners, and many employees know the only way to move up is to move to other companies, he reasoned.
Folks are simply starting the conversation in the wrong place, Zeltser offered. Companies first must address what he calls the “cybersecurity careers gap” before the cyber industry can begin to close the skills gap.
Learning computer security skills is not the primary issue, he said. Numerous avenues exist for motivated people to gain the needed skills. The problem is the expectations for what skills are required.
“I believe a lot of opportunities for people to get security skills exist. So that leads me to consider that maybe there is something more to this,” Zeltser told TechNewsWorld.
“Maybe we have unrealistic expectations for whom we are looking.”
Forget Ideal Candidates
Perhaps the typical unicorn position where companies want a security professional that can do everything is the culprit, he noted. It is such a specialized field that contains many specialized subsets, and it is hard to be an expert at everything within cybersecurity.
“We are just not sufficiently open to people entering the field with unusual non-technical backgrounds,” Zeltser mused.
He offered an example from his previous roles within the industry. Hiring managers with little variation want their hires to do X, Y, and Z. Not seeing those capabilities on a resume puts the job applicants in the skills gap category.
What is the solution? Take cyber applicants with some of the skills and train them for the rest.
Zeltser recalled looking to staff a few security experts who would provide customer support. The company needed entry-level security people but could not find them.
What the company ended up doing with much success was recruiting tech-savvy bartenders who were interested in computers and could set up their own Wi-Fi. But they only did this at home, he explained.
“We found that we were able to train them in the right security skills at the office. But what we did not need to train them in and what is very hard to teach them is how to multitask and how to think on their feet and to interact with humans,” said Zeltser. It turns out bartenders are really good at that.
Need Positive End Result
Zeltser found numerous options where he could be more open, and that became a necessity. Being more open means changing your mindset to accepting people from non-technical, non-conventional backgrounds,” he offered.
“I want us in the industry to stop telling people that if they enter the field as a security professional, what they should be working towards is the pinnacle of the career in cybersecurity, which is the role of a CISO. The thing is, there are not enough of these roles,” he said.
The industry does not need as many security executives as other types of security professionals, which results in setting people up for failure, according to Zeltser.
“We are telling them to work toward that, and that is how we define success. But instead, we can talk about other ways in which people can succeed because not everybody should be an executive, not everybody should be a people manager,” he added.
Skills Gap Meets Security Gap
Even with the shortage of trained cybersecurity workers, many organizations are on the right path to securing and reducing cyber risks to their business. According to Joseph Carson, chief security scientist and advisory CISO at Delinea, the challenge is that large security gaps still exist for attackers to abuse.
“The security gap is not only increasing between the business and attackers but also the security gap between the IT leaders and the business executives,” he told TechNewsWorld.
Carson agreed that some industries are showing improvement. But the issue still exists.
“Until we solve the challenge on how to communicate the importance of cybersecurity to the executive board and business, IT leaders will continue to struggle to get the needed resources and budget to close the security gap,” he warned.
Better Career Path Needed
Organizations need to continue to expand their recruiting pool, account for the bias that can currently exist in cyber recruiting, and provide in-depth training via apprenticeships, internships, and on-the-job training. This helps create the next generation of cyber talent, offered Dave Gerry, CEO of crowdsourced cybersecurity platform Bugcrowd.
“By creating career growth opportunities and rallying behind the mission of helping our customers, their customers, and the broader digital community defend against cyberattacks, employees feel they have an opportunity to better themselves and the broader community,” he told TechNewsWorld.
Gerry added that for years, we have been led to believe there is a significant gap between the number of open jobs and qualified candidates to fill those jobs. While this is partially true, it does not provide an accurate view of the current state of the market.
“Employers need to take a more active approach to recruit from non-traditional backgrounds, which, in turn, significantly expands the candidate pool from just those with formal degrees to individuals, who, with the right training, have incredibly high potential,” he said.
Maybe a Better Alternative
The recent release of the National Cybersecurity Strategy will make more demand than offer. This might slow down large-scale processes, predicted Guillaume Ross, deputy CISO at cyber asset management firm JupiterOne.
It will be essential to prioritize and reduce the attack surface as much as possible. Also, security measures must ensure that developers, IT, and even business/process management people integrate security into their day-to-day work routine.
“Improving the security skills of a million developers and IT workers would have a much better impact than training up a million new “security people” from scratch,” Ross countered to TechNewsWorld.
Universal Solution at Large
The skills and cybersecurity shortages are not solely a U.S. industry problem. A tremendous shortage of skilled cybersecurity experts is extensive worldwide, noted Ravi Pattabhi, vice president of cloud security at ColorTokens, an autonomous zero-trust cybersecurity solutions firm.
Some universities have started teaching students some basic cybersecurity skills, such as vulnerability management and security hardening of systems. Meanwhile, cybersecurity is undergoing a shift.
“The industry is increasingly incorporating cybersecurity into the design stage and building it into product development, code integration, and deployment. This means that software developers likely need basic cybersecurity skills as well, including the Mitre attack framework and using pen test tools,” Pattabhi told TechNewsWorld.
While not directly in the security department, I worked in IT at a bank for years, performing some security tasks while there. I was also the favorite helpdesk person, as I could work with people. While I could properly handle just about every cybersecurity job out there, it likely that my age would prevent someone from hiring me.