Organizations are facing a perfect storm of surging threats, expanding attack surfaces and cyber skills shortages. This is partly due to the growing sophistication of the cybercrime economy, which has reached trillions of dollars annually. It’s also because of organizations’ accelerated investments in digital technologies and the surge in remote working, which has created new technology and human-shaped gaps for threat actors to exploit.
Cybersecurity teams are struggling to manage the rapidly evolving threat landscape and expanding corporate attack surfaces. These teams require constantly evolving expertise in numerous digital landscapes and languages. What’s more, the industry is facing an escalating skills shortage, with businesses struggling to fill critical security roles on their teams.
These hiring challenges can be alleviated by diversifying the talent pipeline. This would both expand the talent pool and help build a healthier cybersecurity culture overall.
Barriers to Entry
A diverse and inclusive cybersecurity team is more innovative – yet one in four UK cybersecurity professionals say they have experienced career barriers due to diversity and inclusion issues. The rate is much higher among women, ethnic minority groups, those with accessibility needs and neurodivergent people. Additionally, one in five cybersecurity professionals feel like they cannot be themselves at work, with the figure significantly higher for disabled and neurodivergent people.
These are findings from the NCSC’s Decrypting Diversity report, released last November. Following the report, NCSC CEO Lindy Cameron said the industry must ensure the security profession reflects the rich diversity and full range of talent across the nation.
That “full range of talent” is essential: effective cybersecurity strategies should aggregate the multitude of perspectives that a diverse team can offer, along with the innovation, problem-solving and consensus-building that happen when people from varied backgrounds come together to take on a challenge.
Casting the Net Wider
The current mindset on what makes a ‘good’ security professional, together with unrealistic job specifications requiring candidates to have every qualification under the sun, risks holding back innovation.
As security leaders, we can tackle this shortcoming by rethinking cybersecurity hiring to build a cyber workforce that’s a better fit for business today. The industry needs executives with IT experience from diverse backgrounds who understand the digital areas that businesses want to prioritize. We need people who bring new perspectives to foster fresh solutions and don’t fit the typical cybersecurity CV – because it doesn’t exist anymore.
Yet, the tendency to prioritize particular experience and qualifications, such as the Certified Information Systems Security Professional (CISSP) accreditation, over transferable skills may put off suitable candidates. Other suitable candidates are overlooked because HR algorithms searching for keywords and accreditations have filtered them out.
Another pitfall is demanding that new starters hit the ground running because teams are too short-staffed to invest in someone ‘unproven.’ However, this creates a vicious cycle hurting both employers and overlooked candidates. The time spent finding unicorns could have been spent training up a greenhorn.
The Skills that Matter
Of course, technical aptitude and the ability to quickly understand new technologies and methodologies are important. Yet, so too are out-of-the-box thinking, attention to detail, a desire to understand how things work – and break – and an aptitude for recognizing the unintended consequences of actions. Additionally, good communication skills and the ability to simplify the complex are increasingly critical if you want to progress in the sector.
Candidates with backgrounds in adjacent sectors like engineering and data science also have these skills. The cyber stars of tomorrow may be mathematicians, database managers, former soldiers and those working in neighboring security functions. There’s no typical cybersecurity role – from the cloud to the endpoint and SOC to GRC – and enabling sideways moves can help mitigate skills shortages.
There are claims that the growth of AI and machine learning can help plug skills gaps by completing repetitive manual work at speed and scale. That’s true for specific use cases such as threat detection and response, where extended detection and response (XDR) solutions analyze huge datasets for patterns of suspicious behavior that the human eye can miss. However, many of these tools still need to be trained and fine-tuned to the organization’s needs, and experienced analysts must act on the produced data.
Boosting the Pipeline
The need to open up the recruitment process to attract a cognitively diverse workforce is even more acute given the current pace of technological and societal change. IT environments and business processes are changing faster than universities and accreditation companies can produce new qualifications. In just over a year, the nature of the workplace and how cybersecurity should function within it has rapidly evolved with the shift to mass remote and hybrid working triggered by the global pandemic. Finding the brightest talent should be the priority, and they should be provided with on-the-job role-specific training.
Cultural change of this kind does not always come naturally to organizations. Yet, as cybersecurity becomes an increasingly important differentiator for firms, companies that grasp the need for change will be best positioned for growth.