The Cybersecurity Skills Gap From A Former Hacker’s POV: The Need For Speed

Forbes Technology Council

Bojan Simic is the Co-Founder, CEO and CTO of HYPR, a provider of True Passwordless Security™.

Despite many industries being affected by skills gaps, the shortage within the IT/cybersecurity sector is nearly unmatched. In fact, "over an eight-year period, the number of unfilled cybersecurity jobs grew by 350 percent, from one million positions in 2013 to 3.5 million in 2021." And experts predict that number won’t budge between now and 2025.

This is largely due to the speed at which the sector is moving with new technologies, advanced malicious strike techniques and the scale of attacks. Because of this acceleration, security practitioners are juggling multiple complex responsibilities and struggling to expand and build their security practices and skill sets.

This also presents a challenge for C-suite executives looking to hire top talent: What skills do they look for, and where do they draw the line on knowledge requirements? This article outlines what both practitioners and executives need to do to help close the cybersecurity skills gap.

From A Practitioner’s POV

For better or worse, many cybersecurity practitioners were and continue to be self-taught, whether that’s coding, tinkering with hacking or signing up for affordable certifications along the way. This mostly stems from personal interest, but as the job market continues to suffer, it’s also become clear that organizations looking for cybersecurity experts (fortunately) aren’t necessarily looking for degrees—they’re looking for problem-solvers with intellectual creativity.

Embracing this self-taught nature (which is how many of us in the industry, including myself, hone our valuable skills) calls for a culture of curiosity, wherein each individual continues to dive into the latest technologies; that culture is the primary avenue that’s going to help close the skills gap in cybersecurity.

As briefly mentioned above, this is spearheaded by how quickly technology is evolving and the unrelenting need to protect intellectual property, as many hacking capabilities that are running rampant now weren’t a few years ago. Back when I was a hacker-for-hire, there were significantly more rudimentary hacks being completed successfully, as this was before both individuals and enterprises became savvy to technological advancements and tricks.

That said, practitioners need to focus their time on learning new security technologies and the techniques behind new attack patterns. For instance, consider endpoint detection and response (EDR). EDR is a system that gathers and analyzes security threat-related information from computer workstations and other endpoints, with the goal of finding breaches as they happen and facilitating a quick response. Although EDR technology was released back in 2013, there have been significant advancements in its capabilities that many practitioners need to educate themselves on. This includes extended detection and response (XDR), which extends the same approach to broader systems and networks such as IoT networks.

As such, valid certifications become obsolete, and continued education (both inside and outside of the workplace) is key to professional growth. Practitioners need to stay curious and in touch with friends and colleagues in the industry; they need to read through Reddit threads and attend conferences, learning in-depth the ways in which hackers are advancing. This isn't only instrumental to professional growth but vital to reducing breaches more holistically as well. According to the results of a survey of security professionals, "80% of respondents said they had at least one breach that could be attributed to the lack of cybersecurity skills or awareness."

From An Executive’s POV

All C-suite executives are looking to hire knowledgeable, qualified and proactive employees, regardless of department. But when looking at cybersecurity practitioners, what exactly are the requirements? How can they find the soft skills (and the right combination of people) that align to support a highly visible, ongoing but ever-changing cybersecurity program?

Ideally, their practitioner group will include:

• Generational Diversity: A recent study found that generational diversity among cybersecurity teams is critical to accelerating zero-trust implementation, mainly because workers exiting the labor pool mean an increased risk of lost expertise in integrating legacy IT into modern IT infrastructures.

• Emotional Intelligence: Millennials’ first-adopter nature often means that they look for shortcuts, which, as we know in the cybersecurity industry, are a hazard. It’s necessary to harbor and hone the imperative skills of patience and empathy, particularly throughout a training program, so that all parties understand the value of the work and what may be at risk.

Further, in all organizations, there needs to be a culture of training for those inside the cybersecurity realm as well as those outside, although the former is more important. (Note: Although cybersecurity training for the broader staff could be helpful, what really should be supported is advanced user experience so that training isn’t as imperative. Options that simultaneously optimize authentication and the user experience, such as passwordless technologies, can achieve this.)

Executives need to prioritize ongoing programs for practitioners throughout their entire tenure, focusing on not only the soft skills mentioned above but certifications and more practical advice, including step-by-step responses to increasingly intricate breaches. This includes how to address internal, and even external, communications and concerns.

The Bigger Picture

According to recent study results, the number of workers in the industry worldwide has been on the rise; for instance, in 2021, there were 4.19 million, an increase of more than 700,000 from 2020. Of course, this statistic alone presents good news. But, unfortunately, the industry requires a 65% increase in the global workforce to close the skills gap.

With that in mind, and given that closing that gap isn’t feasible any time soon, we need to upskill the workers we have now. This is necessary not only for the industry but for every company that relies on the safety of its data, intellectual property and likeness (which is all companies).


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.

