The Solution to the Cybersecurity Job Crisis

Too many open positions—and not enough skilled applicants to fill them. Here's what your company can do about it.

In case you haven’t heard, there is currently a cybersecurity job paradox. The market is flooded with open positions, but there are simply not enough candidates with the unique skill sets companies are looking for.

Fast Company recently emphasized just how real this shortage of qualified workers is. They cited a CSIS study in which 82% of organizations reported a shortage of cybersecurity skills, with 25% of those companies claiming they were “victims of cyber thefts of proprietary data due to this lack of qualified workers.” Meanwhile, TechRepublic writes that, “Some 36% of organizations said they believe security-staff turnover is higher than it is in other parts of the organization.”

The alarm has been sounded. Now what?

Many have pointed towards the need for academic institutions—from STEM-centric grade schools to universities’ computer-science departments—to offer tactical, demystified cybersecurity curricula. The idea here is to yield a more diverse generation of security-savvy applicants. That makes sense, but it takes valuable time to groom these graduates.

Others point to outsourcing. Mining Asia for cheap, specialized labor has long been an apt solution for Western tech needs. But it turns out, this work shortage is a worldwide problem. Cybersecurity Ventures predicts that this job market will grow globally to six million in merely two years, with a 1.5 million shortfall.

A story in CSO Online, meanwhile, recommends thinking more practically. It suggests cross-training IT workers to fill some cybersecurity vacancies. “CIOs and CISOs [should] assess their IT workers,” it says, “and see which ones might have an aptitude for security—and a baseline understanding of it.”

We suggest evolving that ethos two more steps.

First, breaches are way too formidable to be a one-person or one-department problem. Organizations have learned that the hard way—yet persist with existing protocols.

The most empowering thing a company can do right now is create a macro view of security:

  • The entire executive team needs to treat cybersecurity as company strategy, a necessary investment and cost of doing business.
  • As suggested by CSO Online, a company’s IT staff should, indeed, be trained in cybersecurity.
  • In fact, all of a company’s employees should be trained in best practices. According to Wombat’s The State of the Phish report in 2016, a staggering 85% of organizations reported being the victim of phishing attacks, frequently targeting their employees.
  • Additionally, the IT department must collaborate with the HR, legal, and executive teams to map out proactive prevention measures and swiftly align in the event of an attack. This will prevent losses or greatly offset them, enabling quicker recovery.

Second, your candidate pool will open up if you stop looking for very specific experience. Instead, invest in analytics that not only (a) uses machine learning to transform company data into actionable intelligence, but also (b) delivers it in a way that you don’t need to be a rocket scientist to comprehend.

According to a recent study by Osterman Research (in partnership with Bay Dynamics, which determines the financial impact of risk), “59% of board members say that one or more IT security executive will lose their job as a result of failing to provide useful, actionable information.”

Fair enough. But consider this: What if it isn’t your employee that’s failing you? Maybe it’s your outdated work infrastructure, hindered by a rigid security platform.