According to the 2020 Cybersecurity Workforce Study, the global shortfall of cybersecurity professionals has fallen for the first time since records began. 700,000 additional skilled workers joined the talent pool this year, bringing the workforce to 25 percent more than last year’s estimate.
While that is encouraging news, the gap is still enormous: the study puts the remaining shortfall at 3.12 million. So, although we’re moving in the right direction, progress is slow. And there are still some myths that must be addressed if we’re really going to make a substantial dent in the number (whatever it might be).
One of the main myths around the cybersecurity skills gap is that it largely, if not only, stems from a lack of skilled applicants. But it’s not that simple. Businesses have a huge role to play by upskilling existing or new employees, understanding their own specific and unique requirements, and removing unrealistic expectations of potential talent.
Demand and supply
Demand for cybersecurity skills is hugely outweighing supply. Not only is there a need for more people in education, but businesses also need to understand existing candidates’ worth.
Some of the problems around security hiring mirror broader staffing issues: everyone wants a finished product, but nobody wants to pay the market rate. We often hear an argument like “I don’t have time to train someone, I have to mitigate these threats tonight!” While we have been there, and can appreciate the sentiment, the fact that we have yet to find an equilibrium between candidate supply and demand indicates that we might not be formulating or pricing the problem correctly. If everyone always holds out for the complete package, nobody will ever get it.
The difference between computer science and cybersecurity
Another issue in our field is that many organizations seem to build cybersecurity staffing requirements around a bachelor’s degree in computer science. This was possibly a good strategy once, but computer science degrees and cybersecurity are increasingly mismatched, for several reasons. Most people in computer science programs want to write software. Furthermore, most computer science programs offer little material on security. This is partly because there is so much other material to cover, and partly because security knowledge isn’t yet a big part of the development careers that follow. DevSecOps continues to hold promise, and developers may, in time, begin to know and care about security, but we aren’t there yet.
It’s clear that security is computer science-adjacent at best, in terms of both the body of knowledge and daily behaviors. A computer science graduate coming into security will not only have learned a lot of unnecessary information, but they will also have a lot of catching up to do. If nobody recognizes these gaps for what they are, the candidate can appear untalented or unmotivated.
What is cybersecurity?
Another problem is that security itself is a poorly defined body of knowledge. There are so many different skillsets that even veteran security experts often don’t see eye to eye about what a security professional should know and do. The field encompasses a multitude of subdomains, including malware analysis, penetration testing, code review, forensics, threat intelligence, risk assessment, compliance, cryptography, network monitoring, and incident response. Each requires different skills, personality types and training.
No institution can effectively cover everything, and the needs of a given organization will also be determined by its strategy, security architecture, and the hiring manager’s perspective. Businesses therefore need to have a thorough understanding of the role and the skills it actually requires. Because those needs differ from one organization to the next, even experienced specialists need to be willing to adapt.
Ultimately, the most important thing is the candidate having a fundamental interest in the idea of security. If they have that, we can teach the rest. For that reason, we think that, rather than looking for turnkey candidates, it’s better to cultivate the practical skill set among people who self-select as being interested.
Investing in talent
It would be great if you could get a security genius off the shelf, but both the history and the direction of the field indicate the need to cultivate rather than purchase. The key to this is to test for passion first. For cybersecurity professionals, continual learning is part of the job. If they aren’t curious and motivated to do this, don’t bother going further. It will be a waste of their time and yours.
It is also worth noting that, in our experience, many of the best candidates will be from nontraditional backgrounds, and not just computer science students. Self-taught, passionate hobbyists and code-school candidates have frequently shown themselves to be willing and able to learn and excel in our field. Find the people who are inspired by security, and who are willing and humble enough to go the distance and hold on to them—these are the people to nurture.
There are some parallels here with the state of the market for talent in global football. It is fashionable to praise clubs like Ajax, Borussia Dortmund, and Monaco, which seem to have a knack for finding and nurturing homegrown talent. What’s more, all of these clubs use that knack as a source of revenue by turning academy prospects into the finished article and selling them on at great profit. Generally, fewer clubs seem willing to go down that route, whereas some that used to have a tradition of cultivating youth (e.g., Tottenham, Arsenal, Manchester United) seem to settle for paying market rate for ostensibly tried and tested talent, with indifferent results.
That is a rough approximation of the state of cybersecurity hiring at this moment in time. In the right environment, with mentorship, training, and support, unproven but motivated newcomers will deliver far more over the long term than throwing money at distinguished computer scientists whose skills, and interest, lie in other realms. The sooner more organizations recognize this, the sooner the skills gap will be a thing of the past.
Sander Vinberg, Threat Research Evangelist, F5 Labs