The cyber security skills gap is a global problem
By 2025, there will be 3.5 million cyber security jobs open globally, representing a 350% increase over an eight-year period, according to Cybersecurity Ventures. Yet, the barriers to entry remain firmly in place for many people wanting to get into cyber security roles and it would seem that the very organisations which need to hire people are making it difficult to fill these posts.
Experience as a barrier to entry
Lack of experience is the main barrier to entry into cyber security roles as organisations have high expectations for past training. There is often an expectation for even “entry-level” candidates to have gained several years’ experience in the field and hold advanced qualifications, yet the salary on offer doesn’t reflect this. It is the responsibility of the organisation, especially those with large IT departments and cyber teams to train entry-level employees on the job. Organisations should also recognise the value that non-experienced people can bring to the job by looking beyond their limited experience and focusing on their skillsets. Cyber security teams need people with strong problem-solving and communication skills with excellent attention to detail. Once someone with these traits is identified, they can usually be trained once in post. Lack of experience is not always a barrier when recruiting for CISOs however. In contrast to job advertisements for entry-level positions, it is concerning that current CISO recruitment adverts don’t always focus enough on experience and qualifications and organisations appear to be hiring CISOs as a tick box exercise. Organisations run the risk of inadvertently, or even deliberately, attracting candidates who might be blamed if things go wrong and used as scapegoats in the event of a destructive cyber attack.
Spotlight on diversity and inclusion
Cyber security requires teams from different countries and cultures to work together to defend against new and dangerous threats. However, there is a widely recognised lack of diversity and inclusion in cyber security. A diverse cyber workforce brings a wide range of viewpoints which help organisations identify and solve a variety of problems with creative, cost-effective solutions. Whilst an attacker need only find one way into a system, cyber
security teams must find and block all of them which is very difficult without a diverse mindset building defences. Given the vast growth in the number of cyber security jobs post-pandemic, organisations that are not inclusive will struggle to recruit into their cyber teams.
Diversity in cyber security doesn’t just encompass sex, gender, religion and cultural background. It is essential that diversity also includes embracing neurodiversity with companies encouraging a culture which welcomes neurodivergent individuals. At the 2022 InfoSecurity Europe conference, Pete Cooper, deputy director of Cyber Defence in the Cabinet Office, highlighted the need for the cyber security sector to recruit a diverse range of people to help foster different perspectives and the ability to spot both opportunities and challenges, bolstering a business’s agility and resilience. A career in cyber security typically requires logic, discipline, curiosity and the ability to solve problems and find patterns. The cyber security industry offers a wide variety of jobs and career paths for people who are neurodivergent, particularly for roles in threat analysis, threat intelligence and threat hunting.
Why people leave cyber security roles
People want to be engaged, challenged, educated and fulfilled at work. When a company recruits someone just to look after their cyber security, they often get bored and frustrated. Small and medium organisations often only have a very small team or even just one person working in cyber security which can be very isolating and offers very few opportunities to learn. In contrast, working for a managed service provider means you have many customers and the opportunity to learn from them as well as the wider internal team around you. When organisations try and build their own internal cyber security teams, they run the risk that work becomes about management and meetings, leaving little time to complete projects. This often builds dissatisfaction and is a common driver for people to look for a new role elsewhere.
Another driver for cyber security professionals to leave their roles is when their job doesn’t provide variety and interest. If all they are doing is ‘alert bashing’ which, without the right automation requires analysis, this can be a source of great frustration.
The dangers of overwork
When cyber security is done in-house, stress and burn-out become more likely for cyber security professionals. Unless an organisation is very large, it will struggle to build a cyber team working 24/7 or operating internationally and provide cover for shifts, illnesses and employees’ annual leave when needed. One recent report found that security leaders work an average of 11 hours extra per week, with one in 10 leaders working up to 24 hours extra a week. It is little wonder that people then struggle to switch off from their jobs once they are home.
Aside from relaxing stringent entry requirements, being more inclusive and making sure staff are not overworked, here are some other steps organisations can take to make sure they recruit and retain their cyber security hires.
Consider hiring an expert
Often, small businesses don’t have the budgets to address cyber security in the way they want to or need to. Business owners often believe that they need a technical person in place but businesses can benefit from hiring a CISO to bring a holistic and proactive approach to implementing information security. A CISO can analyse an organisation’s cyber risk, put a strategy in place and identify the right team to handle cyber security issues. If budgets are tight, CISOs are available as a virtual service (vCISOs) and demand has been growing significantly since the pandemic for this service. With a CISO at the helm of your organisation’s cyber security management, it is more likely that the right security team hires and investment will be made.
Automation is not a magic pill
Don’t assume that your cyber gaps can be solved by automation as this isn’t the silver bullet many organisations imagine it to be. Automation can certainly help and it is essential for Managed Service Providers as it frees up staff to do other, more interesting work. Automation requires an experienced automation team working 24/7 which is only possible in large organisations working at scale. You can’t just automate processes and forget about them as, after a period, it may not be appropriate to do this any longer. It is worth noting that some of the biggest outages that happen are caused by automation failures. If a one-man band has automated a cyber security process for an organisation and it fails, then they are often the only person who can fix it too.
Put a cyber security strategy in place
Organisations should have a cyber strategy allocating the appropriate time and budget to cyber security. This enables the cyber security team to do their job and not just be in meetings all day. Security teams cannot and should not work in isolation either – they need other teams to cooperate with them such as the network and helpdesk teams. When organisations don’t have a cyber strategy, the cyber security team can end up working on projects or solving issues, which aren’t even in their job description.
Recruit for the people, train for the skills
People are the key to a successful cyber security operation for any organisation – not the technology in place. If organisations focus on hiring the right people with the aptitude and personal skillset to do the job, they can train them once in post. It is crucial to get the human element of cyber security right and there’s a long way to go before organisations crack this nut.
About the Author
Rob Demain is CEO at e2e-assure. Manage your cyber risk with an expert partner. We provide owners of cyber risk with confidence through a transparent and tailored security operations centre and managed detection & response service that leverages value from existing investments whilst reducing total cost of ownership.