Your first steps to closing the cybersecurity talent gap

Since 2020, organizations large and small have faced a dual cybersecurity crisis.

First, there has been a significant increase in cyberattacks, some of which can be attributed to pandemic-related work policies like BYOD and the use of unsecured home networks. In fact, the 2022 Acronis Cyberthreats Report showed the following:

●      Phishing remains the main attack vector and 94% of malware is delivered by email.

●      Phishing actors are becoming more sophisticated and targeting messaging and multifactor authentication (MFA) tools.

●      Ransomware is still the top threat to big companies and small- and medium-sized businesses (SMBs) alike.

●      More operating systems are becoming vulnerable as Linus and macOS are increasingly under attack.

At the same time, there is a significant shortage of qualified IT talent to protect companies from these attacks. According to the 2021 (ISC)2 Cybersecurity Workforce Study, while the cybersecurity workforce gap is closing globally, it is growing in North America. As of June, 2022, over 400,000 cybersecurity professionals are needed in this region.

Unfortunately, the threat of malicious actors has not diminished, so the talent shortage must be alleviated. Read on to learn more about the reasons behind IT talent shortages and suggestions on how to close the gap.

Browse through the cybersecurity listings on any job search website and you’ll commonly see a bachelor's degree in computer science as a minimum requirement for applicants, even in entry-level positions. If businesses only hired college graduates, it is unlikely that they could fill all their open positions — U.S. universities only produce around 65,000 computer science graduates per year.

It is clear that requiring an undergraduate degree is not only impractical but problematic as well, especially in the United States where rising costs and student loan debt have steered many people away from higher education.

Moreover, a four-year degree hardly equals competency in a technical and rapidly evolving field like cybersecurity. If someone had only the skills they acquired in an undergraduate program 10 years ago, they would be woefully unprepared for working in today’s industry.

It is time to redefine what makes someone qualified for a cybersecurity job. While a college degree can still stay on the list of “nice to have” qualifications, here are other factors to consider:

●      Soft skills: Cybersecurity professionals do not work in a silo. They have to communicate their work to the larger organization and possibly the general public. While many technical skills can be improved on the job, it’s advantageous to have employees start out with strong soft skills from day one.

●      Independent work: Many self-taught security analysts work as independent researchers and consultants. They bring real-world experience that not all recent college graduates have.

●      Alternative programs: Expand the talent pool to include graduates of alternative programs like boot camps and apprenticeships. Engineering disciplines like frontend and backend programming have found success hiring graduates of these types of programs.

●      Upskill or reskill engineers: Some technical experts may not have cybersecurity experience, but they do have easily transferable skills. Finding competent workers may involve reaching out to engineers whose skills may be becoming obsolete or increasingly automated.

Many professions begin recruiting the next generation of employees when they are still in high school. The U.S. Army Junior Reserve Officers' Training Corps (JROTC) offers programs that introduce students to the military. Trade school recruiters look for new apprentices. Career explorer programs show teens what it’s like to be a physician or a lawyer. Shouldn’t technical professions, especially cybersecurity, do the same?

A survey of 4,000 individuals aged 18–26 found that “67% of men and 77% of women said no high school teacher or career counselor ever mentioned the idea of a cybersecurity career to them.” The profession is clearly missing a great opportunity to prove to young people that cybersecurity is a possible career for them.

Companies need to work with STEM teachers and guidance counselors to introduce these career opportunities to students. Emphasis should be placed on how it is a rewarding career that provides a great public service. One way to do this is by sponsoring cybersecurity training programs for high school students. As an example, AWS has career training programs for students ages 13 and up.

When considering how to close the cybersecurity talent gap, don’t overlook the potential of your internal resources.

Some of your current employees may be open to transferring into a cybersecurity role, but if you don’t introduce the opportunity, they won’t know. Current employees also have certain advantages over external candidates: They understand the business and may have a deeper perspective on managing and preventing attacks.

By running internal training programs, you can increase your hiring pool without having to look too far for potential candidates. As an example, Verizon has seen success with this type of program. In a 2021 article, Verizon’s Chief Information Security Officer Nasrin Rezai wrote, “We turn to our own ranks for new talent, offering an infosec-focused upskilling program and tuition reimbursement to help build our security workforce ‘from within.’”

Finding potential talent requires creativity, initiative, and looking beyond the typical pool of candidates.

The cybersecurity industry is behind others in diversifying talent. Don’t think of diversity as something that’s for optics — you need people from different backgrounds in order to come up with creative solutions to tackle problems.

Cybersecurity companies need to explore opportunities to diversify and enlarge the talent force. Organizations like Girls Who Code, the National Society of Black Engineers, and CODE2040 work with companies to introduce them to diverse and qualified applicants.

Consider building an in-house pipeline of diverse talent by creating your own programs. The Acronis SCSVets initiative works with military veterans who may not possess a background in cybersecurity but have proven discipline, resolve and a willingness to learn. In addition, the Acronis Cyber Foundation offers a Skills Program that trains immigrants for IT careers.

Besides being diligent to find more talent and foster it, companies can also ensure that they automate wherever possible in order to reduce their need for highly-trained professionals. With this in mind, automation and integration with Acronis Cyber Protect Cloud can considerably reduce the burden on your IT professionals, providing best-of-class cyber protection that requires fewer IT personnel. Try it free for 30 days.