How to address the skills gap of security and IT personnel

Ensure CISOs, CTOs and CIOs have a say in decisions

A fundamentally different approach is required considering the effects of remote work as we move into 2021. It's understood that frank conversations about budget cuts are necessary in uncertain times, but the lack of inclusion of security and IT stakeholders in these conversations is hurting the cause when it comes to the skills gap. Therefore, CTOs, CISOs or even CIOs that place an emphasis on security must be given a trusted voice within organizations, particularly when it comes to the tough decisions. Without this collaboration, organizations find themselves hiring security and IT leaders who focus on business development instead of actual security.

Remote work remedies

Although there are many challenges associated with remote work, there is also a silver lining. Without the frequent distractions of a traditional office, cybersecurity professionals can place themselves on "do not disturb" mode to complete tasks much more efficiently. Given that many in the industry often work best independently, this can be particularly helpful in order to provide themselves additional time to focus on upskilling initiatives.

Also, rapid advancements in AR and VR technologies is another great place for organizations to invest their resources. Instead of colleagues needing to be in the same physical location as one another to "whiteboard" under "normal" circumstances, they can now do it together from the comfort of their own home.

Level up: Provide labs, CTF events and bug bounties

Organizations and IT leaders often emphasize spending time on a training platform watching videos to help upskill, but this does not provide any substantial data to an organization. Instead, interactive labs are a great way for employees to prove to their bosses that they know the material and to help soothe concerns. Supervisors can look at hard data to see signs of real progress. "Capture the flag," cyber scavenger hunts and other hacking competitions are also great resources that lend themselves to remote work environments, not to mention free courses and guides found all over the internet. Additionally, bug bounty programs, where users are paid to attack organizations, can raise security postures through the roof, while also being a much cheaper option than suffering an attack.

By encouraging employees to partake in these types of trainings, organizations have a handful of cost-effective solutions at their disposal to enhance the skills and knowledge of their employees even while they're working from home.

Improve assessment during hiring and recruiting process

A large responsibility also falls on recruiters and hiring managers. For starters, they need to determine if applicants understand IT and security fundamentals and are self-learners rather than prioritizing familiarity with specific tools, like Splunk, JavaScript or Azure vs. AWS certifications. Ultimately, the interview process should be prioritized enough to garner employees the proper credentials, access and responsibilities to do the job they were hired for on day one. Security "training wheels" are essentially useless unless it's an entry-level position. Considering the investment it takes for an employee to be fully functional, recruiters and hiring managers need to do a much better job of assessing these skills early on in the hiring and onboarding processes.

Develop a security culture

Instilling a company culture that emphasizes personal and professional growth is one of the best ways to bridge the skills gap. Security professionals often have a habit of upskilling just to switch jobs or for a salary raise, but this is worsened when organizations fail to provide clear steps for internal professional development. Employees are much more motivated to grow if they're provided with ample time, opportunities and materials, especially considering that more than two out of three employees are currently forced to seek these resources on their own. By carving out designated time slots on a weekly or monthly basis, motivation to upskill won't be as difficult and time consuming as it once was.

Another way to build this culture is by creating a "show and tell" portion of team meetings. Here, employees are encouraged to showcase or demo new things that weren't required but could potentially help the organization. Additionally, having a standing happy hour to discuss anything and everything non-office or non-work related is one of the easiest ways to grow camaraderie among the team while also encouraging accountability.

Keeping employees motivated, being transparent with your plans and asking for constant feedback is a great place to start. Once this model is adopted, it's imperative that organizations fully acknowledge the challenges associated with the security skills gap, empower team members to learn on the job, reevaluate their training solution investments and adopt a company-wide skills growth mindset. Not only will implementing these recommendations be beneficial for employees to help grow both personally and professionally, but it will also provide a long-term benefit to an organization's bottom line while simultaneously creating a great company culture. In the era of remote work, security best practices must be enacted across the board and organizations should not forget about how to grow their greatest asset of all: their employees.

About the author
Jonathan Meyers is the head of IT and a principal infrastructure engineer at Cybrary. He is responsible for designing, maintaining and securing all corporate infrastructure including the security enablement platform supporting over 200 companies and 2.5 million users worldwide. He previously worked as a senior DevOps and senior operations engineer at Forcepoint (formerly RedOwl Analytics) where he oversaw the operations and deployment of its hosted and on-premises UEBA e-surveillance product. Meyers holds an information technology degree from The U.S. Military Academy at West Point.