Illustration of several padlocks. Some are different colours dotted around the picture.
Image: © kras99/Stock.adobe.com

Cybersecurity has an ‘experience shortage’, not a talent shortage

17 Jun 2022

HPE’s Bobby Ford believes businesses need to stop taking cyber talent from other companies and start thinking outside the box.

Last October, non-profit cybersecurity network (ISC)2’s annual report highlighted some stark figures surrounding the cybersecurity skills gap, with Ireland needing around 10,000 infosec workers to plug the gap and Europe as a whole needing close to 200,000.

In Ireland, many education institutes have stepped up to address this gap with the introduction of new courses and apprenticeships, while industry players such as Microsoft have also taken on the challenge with cybersecurity skills programmes.

While these efforts should help create a bigger cybersecurity workforce down the line, they don’t address the immediate need for talent. But there might be other aspects to consider.

Hewlett Packard Enterprise (HPE) chief security officer Bobby Ford believes that the gap doesn’t come from a lack of talent – but from a lack of specific experience.

“I believe there is a gap between individuals that have cybersecurity experience and roles requiring that experience. As a result of this gap, there are many cyber positions that go unfilled,” he told SiliconRepublic.com.

“This creates the gap we often declare as the talent shortage. But really, it’s not a talent shortage, it’s an experience shortage. So, how do we address this shortage? By tapping into a pool of talent often ignored and creating opportunities for them to gain experience.”

Where to find talent

Ford said that rather than waiting for ready-made cybersecurity graduates or trying to poach infosec talent from other companies, leaders should be looking at the talent they already have and seeking ways to train them in the cybersecurity space.

“Internal career development and upskilling often get pushed to the back burner when you’re short-staffed. Failing to develop your team is a waste of resources and it leads to attrition. It’s a vicious cycle,” he said.

Outside of internal talent, Ford said it’s important to think outside the box when it comes to searching for external talent and consider those who lack the traditional skills but have the “potential and drive” to work in cybersecurity.

“This is how the US military does it. They don’t recruit already trained soldiers; they want talented and motivated individuals that can be trained and developed. Why can’t we take the same approach for some cyber roles?”

‘Once we removed the “must haves”, an influx of amazing talent applied’
– BOBBY FORD

HPE recently launched a cybersecurity career reboot programme, aimed at recruiting and training non-traditional candidates.

“By tapping into this overlooked and underutilised pool, we are building a stronger, more diverse team. And if we’re at the same time giving life-changing opportunities to them and their families, opportunities they may have not been given otherwise, all the better,” said Ford.

Considering this type of talent requires thought in the recruitment process. Job descriptions and requirements are sometimes given very little attention, but could be excluding a huge number of candidates from the get-go.

“We have to stop listing unrealistic requirements for entry-level positions, especially when we believe there is a shortage of individuals to fill our open positions,” said Ford.

“Also, word of mouth is key – your team can help recruit. A lot of us have a friend, a cousin, or a neighbour looking for a new career challenge – someone who is a great person and just needs an opportunity.”

Training non-traditional hires

Companies may be hesitant about hiring those who lack the traditional experience because of the training that will be involved, but Ford said it starts with knowing the best fit for each person based on their own talents rather than experience.

“I often say success happens when someone is gifted with an opportunity, and they have the presence of mind to recognise it and the strength to capitalise on it. Just the fact that someone applied for a job completely beyond their experience and skillset tells me that they’ve got the second part of that equation down,” he said.

“A willingness to be vulnerable and push yourself outside of you comfort zone speaks volumes about a candidate to me. We do that every day in cyber. We never know when or how or from where that next attack is coming. There is no comfort zone in cybersecurity.”

As part of HPE’s reboot programme, each new hire is matched to the business functions and roles that best suit them before entering a six-month training programme.

“In parallel to their training, we assign them real-world projects and provide mentors so they can learn on the job. The learning curve is steep, and it does take a commitment from our team, but the end result for us is a candidate pool we already know and have begun training in the skills we need,” said Ford.

Applicants have told him they applied because the requirements on the job ad didn’t call for a degree or prior security experience. “Once we removed the ‘must haves’ that we all routinely add to job specs, an influx of amazing talent applied with an array of backgrounds, from marketing and retail to a bus driver and a wedding planner.”

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Jenny Darmody
By Jenny Darmody

Jenny Darmody became the deputy editor of Silicon Republic in 2020, having worked as the careers editor until June 2019. When she’s not writing about the science and tech industry, she’s writing short stories and attempting novels. She continuously buys more books than she can read in a lifetime and pretty stationery is her kryptonite. She also believes seagulls to be the root of all evil and her baking is the stuff of legends.

Loading now, one moment please! Loading