Cybersecurity is facing a painful talent crisis. Recent research suggests that the industry may fall 30,000 workers short over the next four years.
The problem isn’t unique to Australia: in the face of rising rates of ransomware, data theft and fraud, the global security industry is looking at a shortage of 3.4 million people. But Australian recruiters are in an especially tight spot, thanks to overall employment rates that are at their highest for decades. Despite recent fluctuations, Australia’s Reserve Bank forecasts the unemployment rate could sink below 4 percent this year.
The talent shortfall is putting organisations in danger
As a result of this shortfall, while threats grow in intensity and sophistication, many organisations are struggling to fill vital security roles. Around three-quarters of organisations with a significant staff shortage say that the shortfall puts them at a moderate or extreme risk of attack.
There’s an obvious answer to this emerging crisis, the first step being to bang your head repeatedly against a wall. Cyber leaders have been raising alarm bells on the talent shortage for years. But let’s focus on what they can do in the here and now. Hiring managers should first look to their policies. Overly zealous screening can prevent top candidates from getting an interview, while great in-house talent often goes unnoticed, sitting in plain sight. But before addressing any of those issues, the smart move is to start with an objective assessment of what skills you actually need in-house.
Understand your needs with a talent-to-value approach
Many organisations hire primarily on a reactive basis, thinking about filling roles as they become vacant rather than making hiring part of a long-term strategy. Risk-based models such as talent-to-value instead focus on building a roadmap to mitigate threats, and hiring resources that will get you there most efficiently.
Talent-to-value starts with an assessment of the likelihood and possible impact of cyber risks to your company, then considers the skills required to manage them. Roles that offer the greatest security value – such as those that protect your critical assets – are prioritised, whatever their nature or level.
This approach not only focuses your efforts, but also encourages long-term thinking. Understanding the skills required for the most mission-critical tasks allows you to plan a talent pipeline and take a range of measures to fill it, whether that be through hiring, upskilling or augmenting current staff with automated tools or partner organisations.
Are you putting unnecessary blockers on young talent?
Despite widespread fears of a talent shortfall, many aspiring cyber superstars are paradoxically unable to find a role. One Australian, former journalist Rohan Neagle, has written about his – so far unsuccessful – attempts to find a full-time cyber role. “How was it this hard to break into an industry begging for a new generation of workers,” he asks. “And, more puzzling, how was I supposed to apply as an entry level security analyst if a lot of those entry level positions required 1-5 years’ experience, with certs to boot?”
Neagle isn’t the only person to speak out about an industry that often clings to stringent hiring rules, neglecting individuals with potential. Pre-screening based on keywords and qualifications is common, and many organisations – perhaps wary of employee churn – are unwilling to invest in training up new staff.
This is short-sighted and a symptom of the reactive nature of cyber hiring. Smarter companies understand that addressing cyber risks – and securing the cyber talent to mitigate them – is now a permanent need that will only keep growing. Why wouldn’t your hiring practices reflect that? After all, cyber threats are not seasonal, so why do we expect to hire talent on a temporary, as-per-need basis?
Re-evaluating your base hiring requirements through a medium to long-term lens can help you recruit talent, but it can do more than that – it can bring in a more diverse range of people with a wider range of life experiences. For example:
Computer science or related college degrees may be an easy checkbox, but most cyber professionals learn far more on the job than in education, and insistence on formal degrees may unnecessarily discriminate against individuals from different backgrounds.
Similarly, try asking for “demonstrable experience” in technical areas, rather than specifying a set number of years of experience, and being flexible over industry certifications.
Rather than requiring a thorough understanding of concepts right across the full spectrum of cybersecurity, consider focusing only on the areas most relevant to your organisation.
Less formal cybersecurity experience, whether building a virtual lab, attending hackathons or practising capture-the-flag scenarios, may indicate not just skills that can be leveraged, but also a proactive and curious mindset.
Mindset is crucial. Mimecast’s Alison O’Hare underlines that “degrees and formal qualifications become almost secondary… to thrive in a cybersecurity role, you need to be the sort of person who enjoys problem-solving, can pick up new skills quickly and has the people skills to work well with others.” Aptitude and attitude often beat qualifications in the field.
Consider how a candidate’s experience from sectors outside cybersecurity may be applied – a candidate who has never responded to a major cyber incident may have cast-iron experience of managing pressure situations by hitting mission-critical deadlines. They might have a unique insight into your sector, or have demonstrated their ability to multi-task under pressure by managing children alongside their work or study.
Organisations should look to the heroes inside
In many cases it is more cost-effective to upskill an existing employee than hire a new one. Staff may be less optimised to a given role than a new hire, but they’re experts in your organisation and sector, and should have been regularly assessed by their line manager – which makes them a known quantity, versus an untested outsider.
The use of promotion or lateral moves to fill crucial roles taps into both the “pipeline of talent” approach favoured by talent-to-value models and the lesson of encouraging talented people with flexible skills (rather than waiting for someone with exact qualifications to appear). Being willing to upskill employees and help them shape their own career path can also help organisations deal with that other great cyber HR bugbear: poor retention rates.
A flexible approach means moving fast and being open
By thinking carefully about the best way to build teams that can mitigate risk, hiring from within and opening the door to a wider range of candidates, businesses can lessen the strain of recruitment. But a nimble and effective talent policy will have other benefits too.
Your current hiring protocols may exist for good reasons, but in this pressurised market, speed counts – if you know a candidate is right for you after just one interview, consider concluding your search right there. Good candidates will have multiple offers on the table, and a swift, decisive move might make the difference between them joining you or your competitor.
Being flexible with your employee benefits, including hybrid, part-time or contract work, may also help you build a resilient team and minimise churn. Outsourcing aspects of your cybersecurity to trusted partners, or looking into holistic security solutions or AI-based monitoring and threat hunting may also help you keep your team lean but effectively staffed.
Ride out the recruitment crisis by widening your net and developing talent
As so often in cyber, no one solution will end recruitment woes once and for all. But by translating your business priorities into a long-term staffing strategy that’s open to upskilling and a wider range of candidates, CISOs can build a strong, capable and loyal team, even in today’s job market. Indeed, the right talent strategy can help ensure your team is nimble and resilient enough to handle whatever the future throws at you.