"Cybersecurity is the field to be in," they say. It's a dynamic field with high visibility and billions of dollars are being poured into cybersecurity budgets as boardrooms, executive management teams, and all sorts of other organizational and government leaders are starting to realize the billions of dollars it costs to overlook it. Why then is the United States sitting in the middle of a workforce deficit?
There are over 1 million cybersecurity jobs in the United States remaining unfilled, today. It's estimated that in the next couple years that number will rise to 1.5 million. According to a 2018 (ISC) Cybersecurity Workforce Study, the deficit is largest in the Asia Pacific region — up to 2.1M professionals.
How To Hire: A Cybersecurity Talent Conundrum
Cybersecurity has been around as long as computers have existed, but has only seen mainstream attention in the past decade or so, with the rise of the internet. As a widespread profession and as an academic discipline, it is fairly new, and as schools rush to patch together curricula and faculty to try and capitalize off this explosion of interest, they are producing graduates who have major gaps in their cybersecurity knowledge and no practical knowledge of how to perform these jobs.
All of this is occurring at the supply side of this talent gap problem, but there are negative factors on the demand side of the problem, as well. As employers rush to secure their organizations, they have trouble understanding what it is they are actually looking for, so they turn to certifications and degrees to give them a measure of the skills they are paying for. Degrees and certificates are never a guarantee of a skill level and this is as true in Cybersecurity and Information Technology as it ever was.
In addition to not knowing what they want, many employers don't know what it’s worth. They want personnel with Masters' Degrees in Electrical Engineering and decades of experience combating hackers but they want to pay entry-level wages. As such, they end up getting no qualified applicants and having to turn away droves of "under-qualified" candidates.
Is There A One Size Fits All Solution?
The general approach to the problem of staffing cybersecurity teams is to hire highly-qualified, well-credentialed personnel at all levels of a team in a tiered structure and promoting from within the group. This tiered, hierarchical approach, with a focus on technical aptitude and degrees, often leads to highly-competitive work environments where team members have a hard time working together and individuals withholding knowledge from others in attempts to rise above their peers. It's a common phenomenon in any social setting, among people or even in nature: There can only be one alpha.
In nature, when there are multiple alphas in a group, it is usually a violent affair that does not end well for the losing competitors.
Perhaps a method for developing a more effective cybersecurity team lies in a shift from prioritizing technical skills to prioritizing personality traits and characteristics that are conducive to good working relationships and teamwork to build a cohesive unit instead of just filling empty slots.
Looking at the team as a unit means assembling disparate parts into a larger whole so that each part serves a role in the unified accomplishment of common goals. It sounds simple, but more often than not, what is called a "team" just turns out to be several people grouped together who each have their own agendas that tend to run counter to one another. This is what organizations need to avoid. To prevent this, how each team is structured is vital.
A Bottom-Heavy Approach
A different way of looking at building a team is to have the team predominantly consisting of junior cybersecurity personnel led by highly-qualified, experienced leaders.
This approach is founded on the concept that a handful of personnel that are teachable and able to contribute to a team is more valuable than the same amount of highly-educated, highly-qualified personnel that are all vying for the top spot. This means hiring managers would ideally look for the following in their candidates for junior members of the unit:
- Solid foundational knowledge of cybersecurity concepts
- Good problem-solving skills
- Enthusiasm for learning and growth
- The ability to work well within a team
These traits are a minimum and all other factors such as degrees, certificates, and past experience should be considered after these. This allows not only for a solid base for a team, but also for the lowering of the credential and experience bar that keeps so many valuable candidates from filling positions. This also has a better chance of matching entry-level personnel to entry-level salaries, which would be cost-effective. Having this level of personnel consist of mostly Cybersecurity generalists is preferred, as it will allow them to develop into niches and specialties organically.
A good army needs a good general and that is why it is key to the success of the unit that it be led by individuals who have the qualifications and experience to do a great job, but also the leadership capabilities to drive the unit forward. Although those qualifications and experience will play a more major factor in assigning these roles than those of their subordinates, personality traits are still the primary focus of choosing successful leaders. Those are:
- The ability to mentor and teach individuals
- The ability to communicate high-concept ideas in non-technical terms
- The ability to motivate a team to achieve objectives
These traits allow the leader to pass their knowledge onto all the members of the team, improving each member's effectiveness as a cybersecurity professional over time. The search for personnel who possess the sufficient technical expertise on top of those leadership qualities means these positions would represent the greater financial investment, but finding these individuals and paying them what they are worth is the best chance of getting value out of the investment.
A well-built unit along these guidelines would make great strides toward a solid, secure organization and would have the ability to develop itself into a highly-effective cybersecurity program in any enterprise that serves these purposes:
- Fill the knowledge gaps in the next generation of would-be whitehats
- Facilitate potential hires of individuals who lack the sufficient degrees or certificates, but could make excellent cybersecurity professionals
- Tailor a more appropriate focus in cybersecurity staff spending
Fight The Good Fight
The problem of this cybersecurity workforce deficit falls on many shoulders, but it must be addressed. Cyberspace adversaries are only getting more sophisticated and crafty. They are attacking all sectors and are out for money, information, and damaging reputations.
The barbarians are coming. It would be a shame if there was no gate.