The cybersecurity skills shortage is far from a new phenomenon, but it continues to be a major thorn in the side of the industry.
Here in the UK, a recent government report found that almost 7 in 10 businesses (68%) have tried to recruit someone in a cybersecurity role within the last 3 years, with a third (35%) of those vacancies proving hard to fill. As a result, over 650,000 UK businesses currently have some sort of cybersecurity skills gap, the most common being in setting up configured firewalls, storing or transferring personal data, and detecting and removing malware.
This clearly causes major challenges when it comes to data protection. However, rather than lamenting the apparent lack of suitable candidates, many organisations simply need to devote a bit more time, energy and creativity to finding them. This article will look at some of the main challenges associated with filling cybersecurity vacancies, before discussing a few ways businesses can increase their chances of success. In many cases, the right people are a lot closer to hand than you might realise.
Candidates with the right hands-on experience are hardest to come by
Perhaps unsurprisingly, the hardest challenge to solve is that of experience. Amidst the ongoing global skills shortage, candidates with extensive experience in their given field, such as senior threat hunters and incident responders, are in extremely short supply. This is because it takes many years to build up a bank of real-life knowledge in these areas. While attending yearly SANS training courses can prove beneficial – and is highly recommended – it can’t replace the knowledge gained from hands-on research and incident response. It becomes even more difficult when trying to find qualified candidates with experience in responding to state-sponsored attacks. Understanding a threat actor’s tradecraft and knowing what to look for as it relates to TTPs (Tactics, Techniques, and Procedures) is an incredibly valuable, yet rarely acquired skill.
Of course, this is a classic ‘chicken and egg’ situation. Experience only comes with time and practice, yet most businesses want someone who can already hit the ground running. As such, they are often reluctant to bring in someone without the complete skill set needed. However, with ideal candidates so thin on the ground, it can be more prudent in the long run to invest in someone who ticks most of the boxes rather than wait months, or even years, for the perfect CV to land on your desk.
Filling new roles from within is more effective than new hires in many cases
Sometimes the right people can be right in front of you. Not only is hiring from within more cost-effective, it can give existing employees new skills, spark inspiration and light fires to keep them motivated. Furthermore, current employees are already familiar with the company and culture, which significantly shortens any transitional periods. As such, be sure to always look inside as well as outside when filling open positions.
Don’t rely on the same old recruitment channels, be creative
One mistake a lot of businesses make when trying to fill tricky cybersecurity positions is relying on the same old recruitment channels. Rather than posting up ads and hiring expensive recruitment firms, look within personal networks or in less obvious places. Some of the best candidates I’ve come across were people I met at obscure security conferences, in online forums, or even on social media. While more conventional recruitment channels still have a place, their focus on quantity over quality can often lead to a lot of frustration. As such, getting creative with recruitment can be a much more fruitful way to find the best people for your business.
It’s not all about the money
While salary is a big factor for anyone, it’s rarely the only consideration. Many people also look for clear paths of progression, with mentors that can help them grow their knowledge and skill sets. Doing the same tasks every day, month after month, quickly gets boring and can soon lead to high levels of staff turnover, which is the last thing businesses need when qualified staff are already so hard to come by. Offering opportunities to work with great security tools, or on mini-projects that they’ll enjoy, will not only keep employees engaged, it will improve team capabilities, resulting in a more collaborative environment overall.
Unfortunately, the cybersecurity skills shortage shows no sign of abating any time soon, but that doesn’t mean great people aren’t out there. In fact, they might already be right under your nose. Rather than relying on the same recruitment channels as thousands of other businesses, apply a bit of creative thinking and strategy to your approach. Doing so can quickly pay dividends, leading to a higher calibre of candidates than you might otherwise find. So don’t be afraid to think outside the box!
About the Author

Tim Bandos, CISSP, CISA is Chief Information Security Officer at Digital Guardian and an expert in incident response and threat hunting. He has over 15 years of experience in the cybersecurity realm at a Fortune 100 company with a heavy focus on Internal Controls, Incident Response & Threat Intelligence. At this global manufacturer, he built and managed the company’s incident response team. Tim has a wealth of practical knowledge gained from tracking and hunting advanced threats targeted at stealing highly sensitive data.
