The Cybersecurity Talent Gap: CISOS' Perspective

As you’re likely aware, there is a major talent gap when it comes to hiring entry-level cybersecurity workers. An (ISC)2 2020 report indicates that the industry needs an additional three million workers worldwide and that the U.S. cybersecurity workforce needs to grow at a clip of 40%+ to meet demand. Here at Evolve Security, we not only improve our clients’ security posture through testing and remediation, we also help train individuals to enter the field and help businesses build a talented and diverse workforce. In fact, we’ve made it part of our mission to understand the talent gap and explore ways to narrow it.

Recently, we hosted a panel discussion with four Chief Information Security Officers (CISOs) to learn where they think the real gaps in cybersecurity talent are, and how they address some of their biggest hiring challenges. Here are a few of the key observations these astute CISOs shared:

Describing the Skills Gap

A major insight that the CISOs discussed is that while they may have trouble finding and retaining entry-level employees, perhaps the gap is a mismatch between employer expectations and the skills of those just coming out of school.

• Job descriptions may have more technical requirements than those with little or no practical experience can meet.  
• Research shows that when there are too many applicants for the number of available positions, hiring managers generally choose those who have the exact skills to match the job descriptions.
• This approach means a pool of potentially good applicants who might better fit the company given some on-the-job training is overlooked.
• The skills CISOs look for don’t always match the education provided in different programs.

How CISOs Can Help Narrow the Skills Gap

Most entrants to cybersecurity typically come from a traditional IT role. The variety of specializations and disciplines in cybersecurity (risk, compliance, security analyst, security engineer, etc.) can be overwhelming and difficult to navigate for someone just finishing college or pivoting into the field. Guidance for CISOs includes:

• Getting active in helping schools, academies and training programs to shape educational curriculum and pathways to enter to the field.  
• Looking for ways to grow their company’s talent from within.
• Becoming mentors or working to match entry-level employees with other professionals who can help guide and train them.
• Being honest about their high expectations when it comes to technical skills, but also considering hiring someone with “soft skills” who is eager to learn.

Finding and Training Within

CISOs may look for new talent externally because they believe they don’t have time to train for the skills they need.

• But many companies already have strong employees with basic skills who are very capable of learning on the job once trained from a highly qualified company.
• Mentors can seta good example for all employees by showing passion for their industry and job and by building up the people around them.
• Employers can also work with specialized talent placement companies like Evolve’s to find candidates who have the skills and aptitude for understanding and applying scientific methods in a variety of situations.

Here at Evolve, we place top graduates from our Academy who have both the technical skills and the critical thinking skills into companies on a short term and long-term basis. They also are supervised by experienced cybersecurity veterans which saves CISOs time.

How to Get into the Cybersecurity Field

According to the group of CISOs in our panel, entry-level applicants or those who feel that they don’t have all the skills or qualifications listed in job descriptions can take these steps:

• Find a mentor and network in the cybersecurity community.
• Attend professional events and meetups and join organizations such as ISSA.org to make meaningful connections and learn the language of different specializations or niche jobs.
• Be realistic. Take a position that might get you in the door without being fixated on one specialization. Be willing to try new things.

Focus on DEI

Now more than ever, many companies are focused on increasing their Diversity, Equality and Inclusion  (DEI) efforts. The CISOs discussed that organization scan try to eliminate unconscious bias by:

• Changing how applicant screeners review resumes so that they only read applications with personal data like names, address, resume font, gender references, and education removed.  
• Reducing the number of requirements for entry-level positions to help encourage women to apply.
• Research shows that women shy away from applying when there are more than seven requirements whereas for men that number can be up to ten.

‍

Final Thoughts from the CISOs

While CISOs need people with technical skills to do important cybersecurity work within their organizations, they also need good communicators on their teams to empathize with their clients’ or management teams’ business objectives, goals and mission. Security is most effective when there is a reduced level of friction between internal security teams and others in the business and “soft skills” are often overlooked.

In conclusion, CISOs are having difficulty finding enough people with specialized technical cybersecurity skills. However, with new thinking around hiring and training, the gap can be narrowed. If you’re looking for cybersecurity training or talent for your organization, get in touch and let’s talk!

‍

View the entire discussion with CISOs Jesse Miller, CISO at Stratosphere Networks; Matt Whisman, Head of Security Engineering and Identity Management at Jack Henry & Associates, Naomi Buckwalter, CISSP CISM, Director of Information Security & IT at Beam Technologies; and Dave Brown, Global Chief Information Security Officer at Clarabridge, here.