Solving the cybersecurity talent shortage
How to bridge the skills gap
Feb. 24, 2020 | By: Kory Patrick
From an innovation or automation standpoint, organizations seeking to build and implement a secured product struggle to find the right talent with employable skill sets to secure and sustain the environment within their company.
The reality is that this is more than just a talent shortage. Many people want to break into cybersecurity or evolve their career in security, and yet, organizations are often looking at the wrong candidates to hire.
There have been countless times I’ve come across “must have two to three years’ experience and a CISSP” when reviewing job descriptions. But looking at these requirements, you typically need to have at least five years of work experience to achieve a CISSP, which disqualifies a candidate with two to three years of experience. So, why do organizations put these requirements forward? What do they really want, and what are they truly looking for?
How I hire IT security talent for my team
Security, privacy and compliance are continuously evolving. And compared to where they can go, it’s still an immature market with tremendous growth possibilities—but that means it has a very entrepreneurial spirit. Therefore, I look for cybersecurity professionals with a similar mindset—who want to grow to match the rapidly changing pace of risk and security. People who see there’s a mess on the floor and want to clean it up. Or who can bring and push forward a viable solution to an unstructured or chaotic environment. Because risk management, identity access management, cybersecurity—they’re not a scripted job. The goal is to help organizations scale compliance operations, strengthen defense postures and build innovative security solutions in order to protect against ever-evolving threats. My recommendation is to look for people who aren’t afraid to answer questions with, “I don’t know—let’s figure it out.”
Additionally, you want to ensure that as you continue to grow any cybersecurity team, you bring perspective and diversity of thought to the table, too. There’s immeasurable value in building a diverse team and an inclusive culture because we’re solving for incredibly challenging problems in the cybersecurity space—problems that skew more human behavior-based than technology-based. Building a diverse team with the right technical and soft skills to solve and embrace these complexities—rather than being deterred by them—spurs creativity and innovation.
Let’s grow people. Let’s invest in people.
Early in my career when I joined the federal government, one of the important lessons I learned was that it wasn’t what I did or didn’t know—it was more about what I could learn. There weren’t any degree or certification programs to adequately prepare me for the journey I was about to embark on. I was fortunate to investigate computer intrusions around the globe and serve with many incredibly talented, smart individuals who wake up each morning to serve and take care of their community, even though cybersecurity can be a thankless job. Security professionals are on the front lines protecting enterprises but rarely receive recognition unless something goes wrong. Organizations often underestimate the necessity for cybersecurity, and therefore, the skill gap continues to widen, leading to the current talent shortage alongside the growing number of data breaches happening today.
My biggest takeaway from my experiences is this: Teach what you can teach. Hire what you can’t. When I look for people to join our team, I carry that mantra and philosophy. Because it’s not really about what that person knows—whatever they know, they learned it. I look more for cultural fit, personality and motivation. And what they can learn, we can invest in.
The biggest challenge I see in the world of cybersecurity talent shortage is organizations setting an expectation to hire qualified cybersecurity professionals who already come with every single skill set needed. At best, this is a small talent pool they’re limiting themselves to; at worst, this expectation could be wholly unrealistic, believing that one or two people can accomplish something that requires a much larger team. The real opportunity lies within doing a better job of growing and investing in people.
One of the things I’m extremely proud of is how TEKsystems has evolved our approach to developing professionals in a variety of areas. Through our learning solutions, development of bootcamp programs, solution centers, and inclusion and diversity programs—TEKsystems is providing opportunity to those who want to get a leg up, have an interest in technology or are transitioning out of a previous career. We’re moving forward in investing in people and helping them acquire new skills versus just expecting them to have them.
The security talent unicorn: people who are technical and strategic
I consider talent in the cybersecurity space in terms of two types of groups. On one hand, you have people who are focused on cybersecurity tools and technology because they find it fascinating but aren’t necessarily interested in the bigger picture. And on the other hand, you have strategic minds that aren’t as technical, so there’s a gap where process and clear communication get lost.
Companies require qualified individuals who bring both technical experience and an understanding of how to integrate into technical teams, coupled with a strategic mindset. Cybersecurity experts who can step back, look at business processes and help guide those technical teams to tactically execute risk mitigation strategies.
We’re always going to create new roles—scientists, analysts—but the key is finding individuals who can bridge the strategy gap and help align cyber technology to the business instead of solely focusing on tactically executing. And how do we find more of this talent? By providing experience, mentoring and encouragement to people to step into these roles.
There’s oftentimes a reluctance to leave a technical role out of fear of becoming irrelevant. And that’s a very real, valid fear. I’ve been a technologist and security practitioner for over 20 years and still experience a fear of losing technological relevance, because in IT cybersecurity, we’ve historically carved two distinct paths: if you want to go into leadership or management, you go one way; if you want to continue as an individual contributor or tactical executioner, you go another way.
We need to bring those two directions back together. We need strategic security practitioners who can gain business acumen and understand how cybersecurity fits into the greater need of organizations. Without them, we are left with a huge talent gap across all areas of security, privacy and compliance as we try to navigate an ever-evolving digital landscape.
Kory Patrick is the risk and security practice leader at TEKsystems. He leads advisory and consulting services for the enterprise environment focused on reducing risk to the business by addressing security, privacy and compliance challenges through effective governance, identity and operations management in cloud, on-premise and remote environments.