It’s not just cybersecurity talent that is in short supply, but also ideas on who to recruit and how.
By Greg Noone
Ian* had spent four years as a lorry driver before he decided to pursue jobs in cybersecurity. More people were needed in the sector than ever before, he’d heard. Besides which, Ian recalls, “I wanted more”; more money, more opportunities for career progression.
And so, he began teaching himself the rudiments of computer science through courses he found online. “I started one, and it was brilliant,” says Ian. “I was like, ‘Yeah, you know what? I could do this as a career.”
Finding time to study with a full-time job and a young family was difficult, but after he was put on furlough during the first national lockdown, Ian knuckled down on a £749 course for CompTIA Security+ certification (“That was the discounted price,” he says.)
When it became clear his old job was no longer viable, Ian parleyed the resulting accreditation into a job as an IT technician at the school where his wife worked. Impressed by his enthusiasm, his manager allowed him to study for further qualifications on the job.
Ian thought that this combination would put him in good stead with recruiters for entry-level cybersecurity jobs. He was wrong. After applying for dozens of vacancies for SOC analysts and junior pen testers, Ian saw that most recruiters were asking for two or three years’ experience in similar roles, in addition to a set of unfamiliar qualifications and skills. Progression would involve investing hundreds of pounds more into additional training courses, although it was difficult to know which ones were worthwhile enrolling onto.
“I don’t know what skills these people are looking for,” says Ian. Even if he did know, it’s difficult to find the time to study. “I’m spending six hours a day going to fix a broken PC or replace a mouse that a student’s broken. It takes me away from sitting there [and] learning Python, learning SQL.”
Ian’s story is all the more remarkable given the strength of demand for cybersecurity professionals in the UK. According to recent figures, 51% of all businesses have identified a shortage in basic cybersecurity skills, a reflection of the global estimate of 2.7 million vacancies for cybersecurity jobs.
This shortage of talent is making businesses of all stripes more vulnerable to cyberattack. Earlier this month, a report from Fortinet estimated that up to 80% of breaches can be linked in some way to the cybersecurity skills crisis.
But this isn’t just down to a general shortage of candidates in cybersecurity recruitment. Businesses themselves are making elementary mistakes in how they hire and retain talent.
“They’re putting the job out there, and they’re requesting too much from these roles,” says Jason Nurse, a cybersecurity professor at the University of Kent. Simply put, businesses are envisioning an ideal candidate that simply doesn’t exist. Other firms, meanwhile, do not know what they want their new recruits to accomplish once they join and fail to ensure clear paths for career progression or even hint at supplementary in-house training.
This leaves applicants like Ian high and dry. “There’s people out there that are willing to train, willing to even pay for it themselves, but they need to be in the job to learn it, as well,” he says. “And I think that’s what they’re missing out on.”
It’s little wonder that a job in cybersecurity is attractive right now. Average salaries for cybersecurity jobs in the UK have ballooned, with some sectors seeing rises of between 30-45%. Many businesses, however, either cannot match this or simply aren’t aware that offering anything less than £50,000 is likely to result in the job advertisement being roundly ignored.
The pandemic hasn’t made things any easier for the industry. Remote working has been a double-edged sword for businesses, vastly increasing their attack surfaces but allowing them to recruit for cybersecurity jobs from almost anywhere in the world.
However, while this might be great for individuals, companies outside London and the South East are suffering, explains Andrew Rose, resident CISO at Proofpoint. “They can’t even afford the people who are local to them to come and work for them,” says Rose, “because they’re insisting on bigger wages from the bigger companies who can actually pay.”
Even if they get the salary they want, new starters may not be inclined to stick around. “Stress levels have gone up,” says Rose, especially since the pandemic. An increased attack surface means bigger workloads for security teams, and it’s not unusual for cybersecurity personnel to burn out within months. Add in the general shortage of talent and highly competitive salaries, and it becomes much more difficult for businesses to retain staff.
Unsurprisingly, specialist recruitment agencies have gotten bolder in poaching talent – leading to bizarre outcomes in some cases. “I had an experience with one organisation where a recruitment agent phoned up one of my staff to offer him a job in my team,” recalls Rose.
Not that companies themselves fare any better when it comes to recruiting. With HR departments bringing recruitment in-house, the risk that requirements for cybersecurity jobs get lost in translation has risen. When the GDPR came into force in 2018, recalls Gary Hibberd, a consultant with the Cyberfort Group, “you had recruiters asking for people who had GDPR experience of five years or more.”
Then there are those companies that know exactly what they want from applicants and will not compromise on getting it. This is a symptom of increased specialisation in cybersecurity generally, explains Nash Squared’s global CISO Jim Tiller, but it also leads to unrealistic job advertisements. Unless you’re a massive organisation with money to burn, says Tiller, “it’s hard to hire a team that just does threat hunting.”
This also points toward a wider ‘expectations gap’ in cybersecurity recruitment, says Hibberd, which assumes that those applicants who have the necessary qualifications but not the experience, and vice-versa, are unsuitable. “There are a lot of people out there who have the requisite skills,” he says. “They may be 20-year-olds, they may be 17-year-olds, they may be 25, they may be 45, but they’ve got the skills. What they may lack is experience.”
By prioritising experience over expertise, argues Hibberd, companies risk missing out on recruiting truly talented individuals. “There’s hundreds of thousands of people who are developing skills in their own time,” he says, “but maybe lack the experience of working with an organisation or with a client to actually [use them.]”
In-house training opportunities are also uneven, explains Tiller. In his experience, most cybersecurity tools “are not fully implemented,” he says. “They may be only leveraging 2%, or 3%, or even 20% of the feature capabilities.”
This contributes toward an overall impression that such roles consist of little more than putting out fires. This negative impression of cybersecurity poses an existential threat to the profession, argues Rose. Computer scientists fresh out of university, after all, seem more likely to pursue more creative developer jobs if they think a career in cyber defence consists of playing whack-a-mole against hackers and little else. Ultimately, argues Rose, “they don’t see it as a thing that needs attention and support, and a big career option.”
Where does this leave businesses? One thing hiring managers can do is broaden their definition of who suits a cybersecurity role, explains Tiller. “You need to think of similar skillsets that play into a specialist area,” he says. “Maybe somebody who does threat hunting would maybe also be interested in monitoring, forensics, or incident response.”
Businesses should also be open to hiring from a more diverse pool of candidates. One recent survey indicated that 70% and 61% of organisations have experienced difficulties in recruiting women and minorities respectively. Companies should also accommodate more neurodiverse candidates, says Hibberd.
Raw enthusiasm should also count for more, he adds: “I want to hire that person who says to me, ‘Oh, I take computers apart, I like to learn how they work,’ you know? ‘I built my own lab at home,’ [or] ‘I go on hack-me websites and various other places, and I play.’”
Once they’re hired, says Rose, businesses also need to work much harder at convincing new staff that it’s worthwhile staying. That doesn’t just involve regular reviews of salaries, but investing where possible in the latest software and in-house training, while ensuring that members of the cybersecurity team know there’s a path to promotion within the firm.
Ultimately, says Rose, it comes down to building a corporate culture where new arrivals “feel part of a wider family, so they can actually feel like…they’re working as a real team, and they feel like they’re effective.”
That’s easier said than done for many organisations, acknowledges Rose. Inevitably, firms with larger recruitment budgets will pull in a higher quality of talent. “You’ll find that the recruitment crisis at a charity will be a lot worse than the recruitment crisis at a top bank,” he says, which itself speaks to the increasingly shallow pool of talent that’s available.
“What we really need is more people in the industry,” says Rose. “And that’s something we’ve been talking about for years and years, and we just don’t see that coming through.”
There are signs, however, that that is beginning to change. The UK government, for example, is investing more in digital upskilling across the board, while “more and more universities [are] offering undergraduate security courses,” says Nurse.
Big Tech is also pitching in. IBM has pledged to enhance cybersecurity skills training in its plan to digitally upskill some 30 million people worldwide by the end of 2030, while Microsoft has recently pledged to expand its existing cybersecurity skills partnerships with US community colleges to 23 additional countries.
That effort also involves boosting the diversity of those applying for cybersecurity courses. “In the countries where we’re actually expanding the initiative, on average only about 17% of the workforce is female,” says Kate Behncken, vice-president and lead of Microsoft Philanthropies. “Leaving women out of the cybersecurity workforce leaves talent on the table and will only hurt our ability to close the skills gap.”
Training takes time, however, and with millions of vacancies to fill, the demand for external cybersecurity consultants is only growing, with the UK’s cybersecurity sector reporting a 14% rise in revenues in 2021.
Automation in cybersecurity may also advance as a result of the crisis, adds Rose, although most IT departments currently don’t have the time or the energy to even begin thinking how they can do it themselves. “They’re too busy fishing people out of the river to go and figure out who’s throwing the people in the river a bit further up,” he says.
Ian, meanwhile, is still trying to find a way to break in. He was recently hired as a network manager at another educational institution, and hopes that the role will give him more time to pursue his studies. Even so, he remains jaded at the lack of mentorship opportunities for individuals seeking to transition into cybersecurity from other professions.
What would make his life easier, and thousands of others like him, explains Ian, are more apprenticeship schemes – courses that would allow him to showcase his passion for solving cybersecurity problems more than a CV ever could.
“I’m a learn-on-the-job person,” he says. “Show me once, let me do it once, let me ask questions, and I’m good. That’s my theory. That’s how I learn.”
source