Bojan Simic is the Co-Founder, CEO and CTO of HYPR, a provider of True Passwordless Security™.
Although many industries are affected by skills gaps, the shortage in IT/cybersecurity is almost unparalleled. In fact, “over an eight-year period, the number of unfilled cybersecurity jobs increased by 350 percent, from one million positions in 2013 to 3.5 million in 2021.” And experts predict that number won’t budge between now and 2025.
This is largely due to the speed at which the sector is moving with new technologies, advanced malicious attack techniques and the scale of attacks. Because of this acceleration, security professionals are taking on multiple complex responsibilities and struggling to expand and develop their security practices and skill sets.
This also poses a challenge for C-suite executives looking to hire top talent: What skills are they looking for and where do they draw the line in knowledge requirements? This article describes what both professionals and executives need to do to help close the cyber skills gap.
From A Practitioner’s POV
For better or worse, many cybersecurity professionals have been and continue to be self-taught, whether it’s coding, dabbling with hacking, or signing up for affordable certifications along the way. This mostly comes from self-interest, but as the job market continues to suffer, it’s also become clear that organizations looking for cyber experts (thankfully) aren’t necessarily looking for degrees – they’re looking for problem solvers with intellectual creativity.
To embrace this self-taught nature (which is how many of us in the industry, including myself, hone our valuable skills), a culture of curiosity, where each person keeps diving into the latest technologies, is the main avenue by which we’re going to help close the cyber security skills gap.
As briefly mentioned above, this is driven by how quickly technology evolves and the relentless need to protect intellectual property, as many hacking capabilities running rampant weren’t there just a few years ago. When I was a hacker for hire, there were much more rudimentary hacks being completed successfully, as this was before both individuals and businesses began to understand the technological advances and tricks.
That said, professionals should focus their time on learning new security technologies and the techniques behind new attack patterns. For example, consider endpoint detection and response (EDR). EDR is a system for collecting and analyzing information related to security threats from computer workstations and other endpoints, with the goal of finding breaches as they happen and facilitating rapid response. Although EDR technology was released in 2013, there have been significant advances in its capabilities that many professionals need to be trained on. This includes extended detection and response (XDR), which relates to wider systems and networks such as IoT networks.
Therefore, valid certifications become obsolete and continuous education (both in and out of the workplace) is key to professional development. Professionals need to stay curious and in touch with friends and colleagues in the industry. They must read Reddit threads and attend conferences, learning in depth the ways in which hackers operate. This is not only critical for professional development, but vital to reducing breaches more holistically. According to the results of a study of security professionals, “80% of respondents said they had at least one breach that could be attributed to a lack of cyber security skills or awareness.”
From An Executive’s POV
All C-suite executives are looking to hire experienced, qualified and energetic employees, regardless of department. But when looking at cybersecurity professionals, what exactly are the requirements? How can they find the soft skills (and the right mix of people) that align to support a highly visible, ongoing but ever-changing cybersecurity program?
Ideally, their team of professionals will include:
• Generational diversity: A recent study found that generational diversity among cybersecurity teams is critical to accelerating the implementation of zero-trust, mainly because those leaving the workforce entail an increased risk of losing the know-how to integrate legacy IT into modern IT infrastructures.
• Emotional intelligence: In general, the early adopter nature of millennials often means they look for shortcuts, which, as we know in the cybersecurity industry, is a risk. The imperative skills of patience and empathy both need to be present and honed, particularly during a training program, so that all parties understand the value of the work and what may be at stake.
Additionally, in all organizations, there needs to be a culture of training for those within the cyber security realm as well as those outside, although the former is more important. (Note: While cyber security training for the general staff could be helpful, what really needs to be supported is the advanced user experience, so that training is not as imperative. Options that simultaneously optimize identity control and user experience, such as passwordless technologies, can achieve this.)
Executives should prioritize ongoing programs for professionals throughout their tenure, focusing not just on the soft skills listed above, but on certifications and more practical advice, including step-by-step responses to increasingly complex breaches. This includes how to deal with internal and even external communications and concerns.
The Bigger Picture
According to recent study results, the number of workers in the industry worldwide is increasing. For example, in 2021, there were 4.19 million, an increase of more than 700,000 from 2020. Of course, this statistic alone presents good news. But unfortunately, the industry requires a 65% increase in the global workforce to close the skills gap.
With this in mind, considering the fact that bridging this gap is not possible anytime soon, we need to upskill the workers we have now. This is essential not only for the industry but for any company that relies on the security of its data, intellectual property and likeness (which is all companies).