At least once a day, I see a new article on the topic of how to close the cybersecurity skills gap. Without fail, these discussions center on the need for public and private sector collaboration, early STEM education, skills-based training, and increasing cybersecurity programs and course options through colleges and universities. While these are all necessary, they are really geared to solving the overall cybersecurity workforce shortage, which is more of a long-term concern.
It’s important to understand the distinction between a cybersecurity skills gap and a workforce shortage. A skills gap means people lack the proper training, guidance, or resources to do the job the right way; a workforce shortage means there’s not enough people to do the job.
You can’t completely depend on outside forces to address the skills gap. This issue needs to be addressed directly by your organization, and it should be addressed immediately. In fact, Cybersecurity Ventures projects that today’s skills gap shortage equals more than a million positions due to a lack of qualified candidates.
Meanwhile, the workforce shortage could be answered in time by more sustained education and training for those individuals just entering (or who will someday enter) the workforce. Still, if you don’t have the right number of people in the workforce pipeline going into the IT field, you’ll have both a workforce shortage and a skills gap to fill the open positions of today and tomorrow.
What are some of the immediate steps you can take to close the cybersecurity skills gap? Here are a few important things to consider.
Stop Hunting for the “Perfect” Candidate
No candidates meet every requirement of a job posting. And if they do, they probably want more than you’re willing to pay. Don’t search for an expert in every piece of software and hardware version you have. Search for someone who’s smart, learns quickly, and enjoys working in the field. It’s important to remember that being successful in cybersecurity requires passion and general intellectual curiosity. It’s not just a job, it’s a calling.
Look for Diamonds in the Rough
Find motivated individuals and spin them up. They will be better assets in the long run as opposed to people who have sufficient experience but lack passion. As Marc van Zadelhoff of the Harvard Business Review reinforced, “Some characteristics of a successful cybersecurity professional simply can’t be taught in a classroom: unbridled curiosity, passion for problem solving, strong ethics, and an understanding of risks. People with these traits can quickly pick up the technical skills through on-the-job training, industry certifications, community college courses, and modern vocational and skills education programs.”
Incentivize Your Top Employees
It’s important to quickly identify your best cybersecurity professionals. You need to keep them and train them. The government already recognizes how competitive the market is and they are making a push to stop the talent drain. For example, in an effort to attract and retain top talent, Cyber Command has been authorized to go above and beyond the typical civilian pay grades for higher salaries and incentive bonuses. Incentivize your top employees by offering opportunities for advanced training, pet projects, research and development, and increased pay. There is always someone who can sign off on anything. Make it happen for the rock stars.
Give the Infantry What They Need
The passionate, technical experts know exactly which tools they need to do the job. They know if you need a Cisco expert; they know if you need a new firewall; they know if there is a systemic configuration issue. Nine times out of 10 they can tell you the best way to address the technical issues. It’s important that you’re able to provide them with the tools they need to be successful. If you can help them do what they do best, you’ll see your cybersecurity program becoming more efficient and effective in the long run. Imagine that!
Summary and Resources
The skills gap needs to be addressed now. We don’t have years to wait for fully-trained and qualified candidates to show up at our door. We don’t have the luxury of waiting on solutions that pass the responsibility to someone else, whether it’s the Department of Education or STEM programs.
One resource you may want to explore is HackEducate, which is trying to address the skills gap by offering hands-on learning and training in their custom lab environments. They take about 1.5 percent of their applicants and train them in a cohort for six weeks, then market them to companies that need talent with offensive and defensive security skills such as network forensics, malware/reverse engineering, and network/wireless ethical hacking.
Matt Kuznia is senior associate at Delta Risk LLC, a Chertoff Group Company that offers managed security services. You can follow him on Twitter for his latest #cyberhandyman tips and tricks. Read more Delta Risk LLC blogs here.