As we enter 2022, the shortage of cybersecurity pros hasn’t gotten better. In fact, it’s gotten worse. There are currently about 435,000 cybersecurity job openings available in the United States, up from approximately 314,000 in 2019. The move to remote work in response to the COVID-19 pandemic increased the workloads for skilled IT professionals, and combined with the rising rate of ransomware attacks, many security pros are suffering from burnout. With all that going on, the need for experienced cybersecurity staff hasn’t dwindled, causing recruiters and government officials alike to search for solutions to the skills shortage.
The Cybersecurity Hiring Gap
- Obstacles to Cybersecurity Hiring
- Government Initiatives
- Business Recruiting Efforts
- How to Find and Cultivate Cybersecurity Talent
- DE&I Improves Cybersecurity Recruiting
- How Your Business Can Help Close the Skills Gap
Obstacles to Cybersecurity Hiring
Compounding the cybersecurity skills shortage is a host of other challenges companies face, from inadequate wages to employee burnout. It’s not always possible to solve every problem, but you can address some to help improve the situation.
According to a Forrester survey, “2021 data shows that 51% of cybersecurity professionals experienced extreme stress or burnout, with 65% saying they had considered leaving their job because of job stress.” This level of burnout means that not only are cybersecurity professionals leaving their jobs, but some are also leaving the field altogether. So much of this burnout stems directly from the COVID-19 pandemic, where cybersecurity pros are being asked to take on heavier workloads as companies undergo digital transformations, not to mention the mental health difficulties that accompany a multi-year pandemic.
Despite the increase in work that companies are putting on their IT departments, they aren’t increasing wages to compensate for it. And because these jobs are so in demand, many workers can jump ship and easily make a substantially higher salary. Then, once those workers are gone, the business has a nearly impossible time replacing them because the salary doesn’t match the expected level of work.
Benefits Don’t Outweigh Job Stress
While a competitive salary is important, the right set of benefits is the actual driver behind fighting burnout and keeping employees. If the benefits package a company is offering doesn’t outweigh the stress of a job, employees will leave and they’ll be difficult to replace. Paid time off and flexible work options are a big part of this and are low-cost ways companies can improve benefits packages for their employees. Hot startups and big-name competitors who can now hire from anywhere are also making it harder for companies to compete for talent because they have the budget or flexibility to offer attractive benefits.
Even the United States government is struggling to fill its cybersecurity roles, leading to government initiatives to solve the problem.
DHS’s Cybersecurity Talent Management System
The Department of Homeland Security created a Cybersecurity Talent Management System that allows it to streamline the hiring process, create better compensation packages, and build new career development programs. The portal includes assessments for a variety of cybersecurity skills, as well as customized applications for each role, so applicants aren’t wasting time filling out unnecessary information.
Cybersecurity Workforce “Sprint”
In March of 2021, DSH Secretary Mayorkas outlined six 60-day cybersecurity sprints covering several different cybersecurity priorities. The sprints covered:
- Ransomware (April & May 2021)
- Cybersecurity Workforce (May & June 2021)
- Industrial Control Systems (July & August 2021)
- Cybersecurity and Transportation (September & October 2021)
- Election Security (November & December 2021)
- International Cybersecurity (January & February 2022)
While the DHS knows work in each of these areas will take more than 60 days, they are using these sprints to ensure existing work is addressing these challenges, target and remove roadblocks, and create an opportunity to form new partnerships as necessary.
Business Recruiting Efforts
Businesses are also having to get creative with their recruiting efforts to find and cultivate top cybersecurity talent. Some are partnering with technology organizations (like the SANS Institute or Cyber Talent Institute) to find potential employees early. Others are looking to current employees for referrals or examining their competitors to see how they can improve their benefits package.
Remote and flexible work options are another way businesses are enticing new employees. Allowing workers to work when and where they want is a great option for many cybersecurity roles because they typically don’t need to be in the office to do their job well.
How to Find and Cultivate Cybersecurity Talent
Even though it’s tough right now, there are steps businesses can take to find and cultivate cybersecurity talent to fill their open roles.
Create Internship Programs
Internship programs are a great way to find talented workers early and teach them the skills they need to be successful in your business. To create a successful internship program, you need to give your interns actual work experience, rather than just having them handle the grunt work none of your full-time employees want to do.
You also need to partner with local colleges and possibly even high schools to generate interest in the field and find future employees. Many community colleges have strong IT programs, and they can also be a good source for a diverse candidate pool. And you need to pay your interns. It’s the best way to keep them engaged in your business, reduce their stress so they can perform better, and increase the likelihood of getting good referrals.
Gather Referrals from Current Employees
If you’re a recruiter, you likely already know how helpful referrals can be for finding the right candidate. On average, referred candidates are faster to hire, stay at the company about twice as long as non-referred candidates, and have a higher ROI than other employee sourcing methods. To get referrals from your current employees, they first need to know what you’re looking for.
They should already be familiar with your core values, but take time every so often to let them know which positions are open and which are most critical to your success. Chances are, they aren’t checking out your company’s career page unless they already know someone looking for a job, so you need to tell them what’s available. Additionally, consider offering a referral bonus to incentivize employees to refer people in their network to your open roles.
Subsidize Education for Employees Who Want to Move to Cybersecurity
You may have talented individuals already in your employ that are interested in cybersecurity but don’t yet have the skills to make the transition. Employees with knowledge of human behavior, compliance and government policies, or risk management can all bring that knowledge into a cybersecurity role. Consider funding or subsidizing a training course or tuition for these employees. For example, TechnologyAdvice has partnered with The Nashville Software School to pay for current employees who don’t have technical skills to get the training they need to move into an IT position.
Not only does this provide employees with growth opportunities and make them feel valued by their company, but it also provides the business with more skilled IT workers that are more engaged. Typically, this benefit often comes with a stipulation that the employee must stay with the company for x number of years after they’ve completed their training or coursework or they have to repay the company for the cost of their tuition.
Also Read: How to Get Started in a Cybersecurity Career
DE&I Improves Cybersecurity Recruiting
Diversity, equity, and inclusion (DE&I) is a must for cybersecurity recruiting. Although the industry has been historically dominated by white and Asian men, women and people of color have a lot of value to add, in both new ideas and a stronger workforce.
Diversity jolts us into cognitive action in ways that homogeneity simply does not.Katherine Phillips, Professor, Columbia Business School
Removing Barriers to Entry
Focusing on DE&I can often remove barriers to entry because recruiters may realize that some of the requirements they currently have on the job listing aren’t actually relevant for a successful employee, and they may be harming your ability to find good candidates. For example, some roles may not require a four-year degree, especially if the candidate has relevant experience or proper certifications, but many workplaces require such degrees, quickly eliminating a large portion of the population.
Requiring workers to be in the office is another barrier to entry. With remote work, you can significantly increase your talent pool, accommodate disabled individuals, and provide extra benefits to your employees. This also reduces commuting expenses for your employees and offers options for candidates without personal transportation. With technology as it stands now, there are very few jobs that can’t be done at home at least most of the time, especially in IT.
New Ideas for How to Protect the Organization
A diverse workforce brings new perspectives to the work, allowing organizations to develop new ways to protect themselves from cyberattacks. “Diversity jolts us into cognitive action in ways that homogeneity simply does not,” wrote Columbia Business School Professor Katherine Phillips in an article for Scientific American.
When workers come from diverse backgrounds, they have to work harder to communicate their ideas and understand their coworkers because not everyone sees the world the same way they do. Not only does this breed new ideas, but it also helps improve overall organizational communication.
How Your Business Can Help Close the Skills Gap
The gap between available cybersecurity workers and open roles is a big one, but your business can close it by creating new opportunities for existing employees outside of IT and increasing interest in cybersecurity in students. And in the short term, work with your existing employees to improve your benefits package to attract new employees and retain your current ones, while also increasing the likelihood of referrals. And make sure you’re increasing pay to keep up with the rising demands of cybersecurity and IT work in general. Otherwise, you may lose more employees than you gain.