The cybersecurity skills gap persists for the fifth year running

Image: Teera Konakan/Moment/Getty Images

Breaches successful caller years—ranging from the Pegasus malware hack to the WannaCry and NotPeyta outbreaks—highlight however captious a robust cybersecurity strategy is for each organizations, ample and small. Yet the spread successful cybersecurity skills for astir businesses continues to persist: There are simply not capable skilled professionals successful these roles to conscionable the demand. This information is evidenced successful the 5th yearly industry report from the Information Systems Security Association (ISSA) and expert Enterprise Strategy Group ESG, "The Life and Times of Cybersecurity Professionals 2021," which shows that the cybersecurity skills shortage has not improved.

The report, which surveyed 489 cybersecurity employees, shows that a heavier workload (62%), unfilled positions (38%) and idiosyncratic burnout (38%) are contributing to the skills gap. Nearly each surveyed (95%) judge the spread has not improved successful caller years.

SEE: Security incidental effect policy (TechRepublic Premium)

Hiring and keeping professionals "remains a apical situation successful 2021," according to William Candrick, probe manager successful the Gartner IT practice. "The planetary request for cybersecurity skills acold exceeds the existent proviso of traditionally qualified individuals."

The study is "no surprise," said Camille Stewart, Google's caput of merchandise strategy. Stewart, who has worked for Deloitte's Cyber Risk program, nether the Obama medication arsenic the elder argumentation advisor for cyber, infrastructure & resilience argumentation astatine the Department of Homeland Security, and successful different apical positions, says the cybersecurity spread is "a multifaceted problem." 

She observed that galore tiny to midsize organizations don't decently prioritize cybersecurity, "which does them a disservice—because if you person seen each of the ransomware and proviso concatenation attacks that person been going on, [they] are not immune from being targeted." 

Another contented is that those who person unfastened roles don't cognize however to capable them. The Cybersecurity Infrastructure Security Agency has respective unfastened positions, for instance, and is "trying to get truly originative with however they enlistee the talent," she said.

A superior way to doing this is by connecting cyber jobs to a much divers endowment pool.

"It has agelong been a occupation to capable cybersecurity roles," Stewart said. "The manufacture is fraught with precocious and often unnecessary certification requirements, grooming requirements that often are barriers to entry."

Candrick agrees with this assessment. "Gartner advises CISOs to grow wherever and however they look for cybersecurity talent," helium said. "Cybersecurity occupation listings typically person criteria that bounds the disposable endowment pool. For example, occupation listings often necessitate a four-year degree, information certifications, and important erstwhile experience," but galore palmy employees tin prime up these skills connected the job. 

"Conversely, clients prosecute endowment that whitethorn person cybersecurity skills, but deficiency the credentials HR typically filters for," helium added.

Increasing diverseness should beryllium a priority, Stewart believes. "As agelong arsenic the tract is not arsenic divers arsenic it should be, we chopped retired a ample cross-section of the colonisation that could beryllium moving and innovating connected these issues." Steward is progressive successful initiatives specified arsenic Girl Security, NextGenNatSEc, and ShareTheMIcInCyber, aiming to assistance bring women and radical of colour to jobs successful the information industry.

"We person to interruption retired of the accepted models for what cybersecurity practitioners look similar and what their resume looks like," Stewart said. "We request to rewrite occupation descriptions. Some of them origin imaginable candidates to self-select out, oregon enforce requirements that don't align to the occupation arsenic stated."

For instance: If you're looking for a inferior cybersecurity practitioner, and necessitate a CISSP, which takes 5 years to accomplish, it "doesn't align," she said. "That's not a inferior practitioner."

Cultivating endowment via apprenticeships, oregon providing on-the-job grooming are large ways to grow the campaigner pool.

Stewart thinks the manufacture should "reflect" and "broaden the tract of a candidate." To "open the excavation of candidates, whether that's gender, ethnic, radical diversity, oregon adjacent diverseness of acquisition oregon truthful galore radical trying to modulation careers and deliberation astir their adjacent signifier of beingness that would beryllium large candidates for cybersecurity," she said. As the descriptions evolve, the representation of what a palmy worker looks similar evolves, arsenic well.

If CXOs are looking for the close skills to prosecute for, Stewart says that "curiosity," is key. "A penchant to lick truly analyzable challenges, involvement successful technology, an aptitude for coding languages––because you tin adjacent larn those connected the job," she said. The different cardinal constituent is radical skills, she believes. Despite the method cognition required for cybersecurity work, "Cybersecurity is focused connected people," Stewart said.

"Whether you are looking astatine the malicious hacker oregon the idiosyncratic that you question to protect, your inheritance and knowing of the concern environment, people, and civilization are each relevant," she said. "If you tin harvester it with an knowing of exertion and the tendency to larn the circumstantial accomplishment sets of the role, you are a large campaigner for a cybersecurity job."

Stephen Boyce, laminitis of The Cyber Doctor, has spent his vocation successful cybersecurity—on some sides of hiring. He's worked successful supporting cybersecurity initiatives for the national government—ranging from the FBI to the US Department of State—and has recruited endowment successful cybersecurity successful some the nationalist and backstage sector.

As idiosyncratic who hires cyber talent, helium caught himself not ever looking past "[a candidate's] resume oregon beyond what they person connected paper." It's critical, helium said, for hiring managers to halt comparing candidates' experiences to their own. "You're not hiring yourself," helium added. "You're interviewing idiosyncratic other who whitethorn beryllium astatine a time, the mode successful which you went astir it, oregon the way was wholly different."

Boyce besides sees unrealistic expectations, connected the broadside of hiring managers. "You'll person occupation descriptions that necessitate 10 to 15 years of acquisition for a exertion that hasn't adjacent been astir that long," helium said. "If idiosyncratic says, 'I privation a Cloud information expert,' well, the Cloud hasn't been astir for 20 years. It makes you laugh."

Although he's got his Ph.D., Boyce doesn't deliberation the world way is needfully captious to beryllium bully astatine cybersecurity. However, candidates are "sometimes overlooked owed to not having degrees oregon checking definite boxes."

Soft skills are captious for cybersecurity roles, Boyce agrees.

"Ultimately, it's knowing people. It's knowing however radical interact oregon don't interact with these technologies," helium said. "We absorption connected the exertion aspect, but there's conscionable truthful overmuch much that truly plays and truly is each of cybersecurity."

There's a batch astatine involvement if employers don't statesman to tackle the cybersecurity endowment gap. For one, Boyce says, those with highly precocious method skills could "use their talents for bad," instead. 

The different large hazard is losing retired connected a diverseness of viewpoints. 

"We truly request radical from each antithetic walks of life," Boyce said. "We request radical from different disciplines, different avenues, different parts of the satellite that deliberation differently, to assistance america with the extremity of providing a harmless and unafraid situation successful the integer age."

Also see

• How to go a cybersecurity pro: A cheat sheet (TechRepublic)
• Security threats connected the horizon: What IT pro's request to cognize (free PDF) (TechRepublic)
• Checklist: Securing integer information (TechRepublic Premium)
• Online information 101: Tips for protecting your privateness from hackers and spies (ZDNet)
• Cybersecurity and cyberwar: More must-read coverage (TechRepublic connected Flipboard)