Cybersecurity skills shortage paradox


Many employers are hesitant to hire entry-level talent, further perpetuating the skills gap issue.

Over three million cybersecurity professionals are wanted globally. However, as cyber start-ups keep firing people and raising the bar to enter the field, many are unconvinced of a skills shortage.

ADVERTISEMENT

The gap is getting bigger

By 2025, there will be 3.5 million cybersecurity jobs open globally – a 350% increase over an eight-year period, Microsoft claims.

According to Dan Weeks, director of employer partnerships at tech bootcamp provider Fullstack Academy, cyber employers are under extreme stress with limited budgets, as they are typically a cost center, not a profit center like a software development organization is.

“Experienced cyber talent often are not given the time to mentor or develop entry-level talent to get ahead of the game. In contrast, software development organizations put a large focus on onboarding and mentoring entry-level talent,” he told Cybernews.

Over the past several years, the skills shortage has become a broader problem not just for large companies but for smaller companies too, Tony Bryan, executive director at a non-profit organization committed to cultivating talent CyberUp, reckons.

“I think we are seeing an uptick in job postings due to smaller companies creating cybersecurity teams as well as growth in capacity for the larger organizations. To be honest, we haven’t even scratched the surface of the total need for talent because thousands of jobs haven’t been created yet. These would include local governments, local school districts, solopreneurs, and the list goes on,” he told Cybernews.

ADVERTISEMENT

Job creation is outpacing talent creation 3 to 1 right now, and so Bryan proposes reducing the gap in the following ways:

Automation – Tons of cyber-related tasks are repetitive and add to the burnout rate we are currently seeing across the sector. If we can automate these mundane tasks, it will reduce talent needs but allow refocus of talent on higher demand/critical tasks.

Increase the number of computer science/cybersecurity degrees. Although degree requirements are being reduced nationwide, the importance of a college education will never diminish. Many companies (more traditional) will continue the need for degrees. We can increase the number of trained and qualified candidates by engaging with students at an earlier age and pointing them to the opportunities provided in a cybersecurity career and the skill paths to get there (college, bootcamps, apprenticeship).

Reimagine how companies hire – Companies have to escape the traditional hiring process. It is essential to establish a standard set of roles and responsibilities. Choose a preferred model – we suggest the NICE Workforce Framework, but something that builds out entry-level to senior positions. This sets a precedent for hiring managers and talent acquisition teams to use for job descriptions and how they choose who they interview. It also allows them to look at apprenticeships and other non-traditional paths for talent hiring.

How important is salary?

Fraud “employment” outpaces cybersecurity jobs. According to the fraud deterrence firm Arkose Labs, rookie fraudsters start with $20,000 while master criminals “earn” up to $600,000 a month.

Network defenders are nowhere near getting that high of a salary. According to the 2021 (ISC) Cybersecurity Workforce Survey of 4,753 cybersecurity professionals, the average salary before taxes in 2021 was over $90,000. In North America, the average salary is $119,000 before taxes, Latin America – $32,000, Europe – $78,000, and APAC – $61,000.

This poses the question: are we losing talents to the criminal underground?

“I doubt it. Most of the entry-level cyber talent focus is “blue team,” or defense, for an employer. Over 80% of the cyber jobs are a blue team. I think there are a lot more cyber professionals playing defense against a relatively small number of people that are active cybercriminals,” Weeks said.

Bryan doesn’t believe that people are inherently going to the dark side for money.

ADVERTISEMENT

“I believe the entry-level hiring process is tiring a lot of recent graduates out but what we have seen is people are persistent and find a way into a role,” he said.

Many specialists publicly criticize job postings requiring experience, even for entry-level positions.

Workers feel stressed

Many people in cyber feel like they are in a pressure cooker 24/7. And there's no silver lining here – with insufficient skilled personnel and automation. With the current threat landscape, including the ongoing cyber war, the pressure is likely only to build up further.

Most likely, the stress for cybersecurity workers will get worse month after month without more hiring to build the ‘bench strength’ for cyber employers and more AI to sort through the ongoing cyber threats," Weeks said.

Mid- and senior-level cyber talent rarely has early talent available to delegate work to. According to Bryan, the pace of work, coupled with the job's stress, creates an environment conducive to burnout.

He supports Weeks's idea of a paralegal model – if there were enough junior colleagues to delegate work to, it would also mean opportunities for a company to grow skills.

"I would also recommend that employers stop looking for only people with three to five years of experience and develop two entry-level roles for that mid-career role. Through apprenticeship, the cost is generally less than or equal to what they would be. This helps headcount, burnout, and doesn't increase costs for the organization," he added.

What about apprenticeship programs?

ADVERTISEMENT

Recently, Fullstack Academy partnered with CyberUp and CompTIA(The Computing Technology Industry Association) to help place cyber apprentices to address the skills shortage problem.

According to Bryan, companies tend to fear the unknown, and apprenticeship has always been equated to the trades and not necessarily technical careers like cybersecurity.

“Companies and talent acquisition teams (we all are) are reluctant to change and new things. The Department of Labor standards can be daunting and perceived as not worth the headache,” he said.

Bryan’s team has recently seen an uptick in apprenticeship adoption. “The consistent cadence from the federal and state governments, as well as the large amount of money invested over the last several years into an apprenticeship, has helped. Also, apprenticeship has been a great way for companies to increase diversity hiring, which has yielded more adoption.”

Historically, he added, 90% of apprentices remain with their employer at least one year after the apprenticeship, and that number increases at the two-year mark.

“I would encourage companies to create possible career pathways in their organization. We have found people don’t often leave for money (there are some, of course) but for an opportunity to gain a different skillset somewhere else. Not all companies will have that capacity or scale for people to grow simply because of budget limitations and organizational structure. That is okay, and they will have to be okay with attrition and rather than limit hiring in totality, just build a program that accounts for that timeframe,” he said.