Close the Cybersecurity Skills Gap by Investing in the Future

Noor Boulos

We hear a lot about the cybersecurity skills gap, which the latest research puts at 770,000 open positions in the U.S. and 3.4 million globally. There are lots of reasons why organizations find themselves dealing with a skills deficit – from an actual dearth of qualified talent to internal factors including turnover, lack of budget/competitive wages, limited opportunities for growth and promotion, and lack of training. 

Here, we thought we’d take a look at one aspect that has garnered attention on LinkedIn, and has even had a celebrity spreading the word: unrealistic hiring practices.

It’s not uncommon for companies to require three to five years of experience for an “entry-level” cybersecurity position. Is this because budgets are misaligned with needs? Are internal training programs insufficient or non-existent? Do companies not appreciate that applicable experience can come through many different avenues and take many different forms? Are hiring managers stuck in the past, when rigorous cybersecurity programs weren’t part of the university curriculum? Whatever the reason, these positions go unfilled or result in high turnover.

Here are five things employers can do to expand their workforce and lay a solid foundation for future growth of their security teams.

  1. Consider cybersecurity degrees an important component of the experience journey. The number of top universities and colleges across the U.S. offering degrees in cybersecurity is now in the hundreds, and well-known college ranking services track the top programs. These programs are often quite challenging and may include internships, competitions, and real-world projects to incorporate aspects of “on-the-job” training that shouldn’t be discounted.

  2. Build a strong internship program. The Office of Personnel Management (OPM) issued a memo earlier this year encouraging government agencies to expand their early-career ranks by boosting the number of internship positions to 35,000 in 2023. The private sector should place a similar emphasis on internships and look for opportunities to work with colleges and universities to promote their internship programs. Many educational institutions welcome the opportunity to partner with cybersecurity companies to strengthen their career placement offerings. And the experience helps employers understand more about the quality of the educational program and what to expect from graduates. Internships are also a great, low-risk way to see if there’s a match between the organization and the candidate and to build a pipeline of talent to fill open entry-level positions.

  3. Look for candidates from within. Turnover often happens because employees become bored or don’t see opportunities to move up. And the costs to companies can be surprising: replacing a departing employee costs 33% to 200% of that employee’s salary. Training is a win-win as it can help reduce the skills deficit and increase retention. Companies don’t even have to invest heavily in building their own educational programs. Instead, enable employees to develop baseline technical and cybersecurity skills through a number of online courses available from well-respected groups, including CompTIA Security+, ISACA Cybersecurity Fundamentals, and (ISC)² Systems Security Certified Practitioner (SSCP).

  4. Recognize the value of related work experience to the field of cybersecurity. Any type of on-the-job experience that focuses on troubleshooting issues and working with customers, such as working on the help desk, translates well into working in cybersecurity. Learning how to get to the root of a problem and dealing with upset customers gives job applicants a solid foundation to build on. Candidates with positions in service and support roles bring valuable skills including listening and empathy, as well as troubleshooting and decision-making capabilities, which are important in a number of areas including testing, quality assurance (QA) and product development.

  5. Automate various elements of cybersecurity. ThreatQuotient’s 2022 State of Cybersecurity Automation Adoption report finds that organizations are becoming more confident in automation. Consider using a balanced approach to automation where you automate repetitive, low-risk, time-consuming tasks, while human analysts take the lead on irregular, high-impact, time-sensitive investigations with automation simplifying some of the work. This reduces the number of entry-level people required, and it reduces burnout by allowing analysts to focus on more rewarding, higher-value activities. In fact, organizations report that employee well-being and retention are regularly used as part of their cybersecurity automation ROI calculations. Additionally, simplify complexity by adopting cybersecurity automation platforms with low- or no-code interfaces. Solutions that provide a choice of no code through a simple playbook builder, as well as the option to code using standard formats like JSON or YAML to support more advanced requirements, can make automation accessible to a range of users with varying skill sets.

We’ve been talking about the cybersecurity skills gap for years. Let’s start to break it down into more manageable and approachable chunks. When we focus on entry-level recruiting with realistic expectations, strong internship programs and internal training and professional development, while automating and simplifying various aspects of cybersecurity, we can make headway and start to cultivate the next generation of security leaders.


About ThreatQuotient™

ThreatQuotient™ understands that the foundation of intelligence-driven security is people. The company’s open and extensible threat intelligence platform, ThreatQ™, empowers security teams with the context, customization and prioritization needed to make better decisions, accelerate detection and response and advance team collaboration.