
What the experts say about the cybersecurity skills gap

3 Nov 2022

We asked three cybersecurity experts for their insights on the most in-demand skills and how companies can address the talent shortage.

While the latest report from (ISC)² indicated that Ireland has reduced its cybersecurity skills gap, the picture was not so positive for the rest of the world.

The report, released last month, revealed a substantial jump in the size of the global workforce gap to 3.4m – up from 2.7m the previous year.

But what can companies do to address the ongoing talent shortage in the industry at a time when cyberattacks continue to climb?

“Reskilling adults who wish to career switch through bootcamps, seminars, internships and on-the-job training is a great way to add to the talent pool for cybersecurity,” said Karen Worstell, senior cybersecurity strategist for VMware.

“In addition, companies that rely upon a technical workforce can do more to increase the pipeline of qualified candidates through both traditional and non-traditional channels. Active partnerships with organisations like WiCyS [Women in Cybersecurity], local cybersecurity bootcamps and universities help candidates to not only see the company as committed to a diverse workforce, but also create a pool of candidates for internships and entry-level roles.”

Also hoping that companies widen their search is Michelle Killian, senior director of information security at Code42.

‘We can’t continue to ask for a master’s degree and a decade of experience for each and every opening’

“In the year ahead, I hope that the cybersecurity industry can shift its hiring practices to consider more of the intangibles, like intellectual curiosity and determination to learn, rather than pure security skillset, while also placing more of a focus on retention and upskilling existing talent,” she said.

Shamla Naidoo, CISO and head of cloud strategy for Netskope, added that companies and jobseekers need to treat skills and experience as two separate entities.

“If candidates are willing to take steps to build their skillsets and companies are negotiable on the experience required for a role, the industry has a fighting chance of fulfilling the need for a skilled workforce that’s ready for the future,” she said.

Talent diversity

As well as a skills shortage, the cybersecurity industry has also suffered a diversity problem for many years. Widening the pool and bringing in a more diverse range of candidates could help companies solve both problems at once.

Worstell said there are several areas in the recruitment process that could be improved in this regard, including unrealistic job descriptions for entry-level roles, an all-male review panel as part of the interview process and gendered language in job descriptions.

“For male managers, not recognising the unofficial performance management activity that occurs outside of working hours: at the climbing wall, at the bar, on the golf course, at the gym shooting hoops, in the hot tub – yes for real,” she added.

Killian also cited unrealistic job expectations as a major barrier to closing the talent gap. “We can’t continue to ask for a master’s degree and a decade of experience for each and every opening. Curiosity and a willingness to learn are key traits we want in candidates, and these skills are harder to train, so let’s build job roles off of those skills instead,” she said.

“We also need to look for people with diverse backgrounds and diverse leadership styles so we can tap their varied experiences and elevate problem-solving in our industry. Not every leader needs to be a type-A extrovert. In the same way we create bias in gender and ethnicity, we also have a lot of inherent bias in personality that limits us.”

In-demand skills

In terms of the skills that are needed, all three cybersecurity leaders agreed that there are various technical skills necessary, similar to any IT role. However, Killian pointed out that not every cybersecurity role is purely a technical one.

“Technical skills are usually easier to learn than other important skills like curiosity, ability to ‘play’ in the grey – security issues are rarely obvious ‘yes or no’ problems to solve – and the ability to build relationships with stakeholders. So, unless technical skills are required for the role at hand, they should be prioritised appropriately in job postings,” she said.

“Familiarity with technology and the ability to problem solve are skills I’d value more than pure technical acumen.”

Naidoo reaffirmed that great attitudes and high aptitudes are essential as “technical skills can be taught”. However, she also said it’s important to keep on top of how the tech industry is evolving.

“Whatever technical skills are needed in the industry, a corresponding security skill is necessary to secure that technology. So, whether that’s blockchain, quantum or artificial intelligence, or even traditional functions like networks, operating systems and databases, one needs to understand these technologies in order to properly secure them.”


By Jenny Darmody

Jenny Darmody became the editor of Silicon Republic in 2023, having worked as the deputy editor since February 2020. When she’s not writing about the science and tech industry, she’s writing short stories and attempting novels. She continuously buys more books than she can read in a lifetime and pretty stationery is her kryptonite. She also believes seagulls to be the root of all evil and her baking is the stuff of legends.
