The deficit in skilled cybersecurity personnel is now directly affecting businesses’ ability to remain secure. The World Economic Forum has stated that 60 per cent would “find it challenging to respond to a cybersecurity incident owing to the shortage of skills within their team” and industry body ISACA found that 69 per cent of those businesses that have suffered a cyber attack in the past year were somewhat or significantly understaffed.
The impacts can be devastating. Accreditation body ISC(2)’s Cybersecurity Workforce Study found that staff shortages were leading to misconfigured systems, tardy patching of systems, lack of oversight, insufficient risk assessment, lack of threat awareness and rushed deployments. With these shortages now jeopardising businesses’ ability to function, the hiring function is under significant pressure to up its game.
To make matters worse, these shortages are expected to intensify. Last year the Department for Culture, Media and Sport (DCMS) predicted there would be an annual shortfall of 10,000 new entrants into the cybersecurity market but in its latest report, released in May, that was revised to 14,000 every year. This means that, over time, we can expect business defences to become even weaker and more exposed.
Why tech isn’t the answer
Businesses have been sold the idea that they can automate their way out of the problem, but the ISACA survey shows that only 17 per cent now think artificial intelligence and machine learning can help resolve the skills gap. If anything, tech seems to have exacerbated the problem; the average business now typically has between 20 and 70 security solutions, according to Verizon’s Payment Security Report, creating a bloated stack of software. Each of these proprietary tools requires specific training, leading to skills that are often non-transferable, and managing them can create alert fatigue, leading to higher staff turnover (45 per cent of those surveyed in the ISACA report cite stress as their main reason for leaving).
The short space of time many cybersecurity staff spend in their positions is further weakening security. For the past decade, the average tenure for a chief information security officer (CISO) has been just two years, according to the Verizon report. Pre-Covid, it took between three and six months to fill these positions and six months for the new CISO to get up to speed, so that 35 per cent of all CISOs were new to the job. This has a direct impact on the ability of the organisation to commit to security plans that typically span five to 10 years.
So how can HR teams better recruit and retain cybersecurity professionals? The main strategies today are training up non-security staff from within the business; using contractors and consultants, AI and automation; and upskilling existing staff, the ISACA survey found. But the problem with these approaches is that they all depend on a healthy security budget. As businesses begin to feel the squeeze from higher costs, inflation and an imminent recession, the likelihood is these budgets will shrink.
Rethinking recruitment
Going to market is, therefore, the only viable way in which to address the problem but this means resolving pipeline challenges. To date, there’s been an overwhelming emphasis on experience and certifications, with 95 per cent regarding the former as essential and 88 peer cent the latter. It’s a blinkered approach that drastically reduces potential candidates, with the majority of hiring managers thinking only 26-49 per cent of applicants are suitable for the role they are applying for, states ISACA.
There’s also evidence to suggest HR is partly to blame by being out of step with hiring managers. A DCMS and Ipsos MORI report found many recruiters thought suitable candidates were excluded because of the filtering performed by HR. Similarly, hiring managers have complained that job postings have not matched the criteria needed to fulfil certain roles. This can lead to so-called ‘unicorn’ job postings whereby incongruous experience or qualifications are asked for in a bid to secure one multi-skilled candidate.
To help improve recruitment practices, we must look to attract more applicants into the profession, to understand the value of aptitude and soft skills, and seek to improve communication between HR and the hiring manager. Thankfully, advances are being made that promise to help everybody involved.
The UK Cyber Security Council is devising cyber career pathways across 16 speciality areas between now and 2025 which will map the certifications and experience to each role. This will make it easier for HR to see what it should be advertising for and enable applicants to equip themselves with the right skills. The Chartered Institute of Information Security (CIISec) has also developed a cyber-skills framework that aims to help with the recruitment and retention of cybersecurity professionals.
Such initiatives will bring some much-needed clarity, making it easier for previously marginalised groups to enter the profession, those within the industry to progress, and the business to boost retention which is key to improving security posture.
Jamal Elmellas is chief operating officer at Focus-on-Security