The low global unemployment rate has created a well-publicized workforce shortage for numerous industries. Now, (ISC)2 has put a number on just how big an infosec issue it is.
According to the "(ISC)2 Cybersecurity Workforce Study, 2019" report, the number of security-related employees needs to grow by 145% to meet the current demand for talent.
The study, which included nearly 3,300 participants from across the globe, concluded that an additional 4 million employees must join the current 2.8 million security pros to fill the void.
But with approximately 75 million millennials and 72 million Gen Zers, won't those generations help fill the cybersecurity skills gap?
"Only 34% of the people in cybersecurity are under the age of 35," said Wesley Simpson, COO at (ISC)2, a nonprofit based in Clearwater, Fla. "And, within that 35%, only 5% are under the age of 25. That shortage is going in the wrong direction. It's getting bigger; it's not getting smaller. And that scares all of us."
As baby boomers and Gen Xers retire or prepare to retire, and with no new generations filling the vacated seats, enterprises are left in a quandary as the need for cybersecurity professionals grows.
"The hope and dream is that organizations start to create an environment … and be willing to put sweat equity into future cybersecurity professionals," Simpson said. "Has it happened yet? No. I think organizations are waking up and saying, 'Well, we can't hire a five-year CISSP, so what else are we going to do?'"
The answer to that question, Simpson said, requires rethinking corporate culture, advocating the security career path, creating truthful and descriptive job listings, and diversifying the workforce.
1. Create a culture new generations want to be a part of
To appeal to potential employees, organizations need to consider how they are perceived both internally and externally and then update their culture accordingly, Simpson said. While this is important when recruiting employees of any age or demographic, it especially applies to Gen Zers and millennials.
"Make your employees want to be a part of [your organization and its culture] and stay -- and even bring in their friends that are in the field," Simpson recommended. "When we start to really see Gen Zers hit, they operate quite differently than the previous generations. What they want is different -- the benefits package they want and the environment they want is different, how they work is different. That's going to be a wake-up call for most organizations that haven't started changing how they operate to be able to attract and retain the next generation."
2. Have a clear security career path
Programs such as apprenticeships and internships are essential to develop and build security professionals' skills, Simpson said.
Many students don't learn about cybersecurity careers until they are in college, if at all, Simpson said. By this point, many already have their sights set on their chosen majors. Cybersecurity education and training should start as far back as middle school or even elementary school, Simpson recommended.
But career path planning shouldn't end there. Cybersecurity is an ever-evolving space, so ever-evolving education is required. To be a desirable employer, organizations should help workers progress in their careers by contributing to the cost of achieving security certifications, providing opportunities for employees to stay up to date on security matters and laying out a clear career path toward enterprise security roles.
3. Update job listings and titles
Writing cybersecurity job listings involves what Simpson calls "buzzword lingo bingo" -- the practice of stuffing job descriptions and qualifications with acronyms and certifications so a computer or HR rep can quickly discard any resumes that do not include them.
However, many of the best cybersecurity candidates may be non-STEM or nontechnical and lack the mandatory computer science degree.
To remedy this, Simpson suggested hiring managers look at their job listings and ask if they really need someone with the much coveted five years of experience and CISSP. "If you do, there's slim pickings because there's not that many of them," Simpson said. "Let's truly understand what you are trying to do, and write those position descriptions with what you truly need at that time for that position."
Another challenge, Simpson added, is that an enterprise may recruit an associate with the required years of experience and qualifications, but the employee soon realizes the job description doesn't match the work and thus moves on.
"We need to break that cycle," Simpson said. "As an industry, we have not done a good job creating standards around job titles, duties and responsibilities. Even what we say -- the lexicon and taxonomy of certain words that we utilize -- mean different things to different organizations."
4. Hire outside the box
Diversification is a term you'll hear a lot when it comes to adding members to your team. Adding diversity -- whether by hiring different genders, races or experience levels -- is a winning recipe for all positions, cybersecurity included.
"We need different backgrounds, we need different degrees, we need nondegrees," Simpson said. "You need to build a team that doesn't look like each other, that doesn't think like each other, that doesn't have the same resume as each other."
About 42% of the current security workforce comes from a technical background. The other 58% does not -- including Simpson.
"You've got to start looking at liberal arts, you've got to start looking at business majors, you've got to start looking at the people who can take data and tell a story, who can communicate, can facilitate and can put it in any format at any level to any audience at any time," said Simpson, who has an accounting degree.
Using diversification tactics to solve the cybersecurity skills gap may also mean looking at current employees in nonsecurity-related jobs. Employees working in legal, accounting, marketing and other nontechnical departments may have transferable skills that make them ripe for security training or cross-training. This will not only enhance an organization's security posture, but also bring different mindsets and points of view into the security conversation.