Guidance to Overcome the Cybersecurity Talent Shortage

January 31, 2024 | By IANS Research

The hiring dilemma continues to challenge organizations - cybersecurity and IT functions have shown a continued disparity between the number of open roles and qualified talent. At its peak, the gap included more than 3.5 million unfilled positions. Since then, the number has decreased, but there is still a long way to go before the supply of qualified talent catches up to current demand.

Many factors combined to influence the hiring market. A skills gap existed before the pandemic, but remote work pushed the need for qualified, skilled talent to higher levels than ever before. A corresponding global surge in ransomware and cyberattacks continue to fuel demand for skilled security talent, in addition to recent economic uncertainty that has strained staffing budgets across industries.

This piece explains common employment roadblocks security candidates face when seeking increasingly sophisticated roles along with guidance for both organizations and job seekers to overcome hiring obstacles.

 

Cybersecurity Talent Hiring Challenges

Many of today's information security professionals have benefitted from the talent shortage trend. They've leveraged their knowledge and experience to land high-paying roles in IT and InfoSec departments across the globe. Demand is surging, turnover is high, and opportunities are plenty.

For cybersecurity leaders, this situation can cause more problems than it solves. They must not only fill open positions but also advance their group's careers, boost retention, or risk losing valuable team members to the competition. All of this comes at a cost and can impact the effectiveness of cybersecurity coverage for the organization itself.

As they try to fill security gaps, organizations are wary about losing their top-performing security employees. Advancing to senior management and leadership roles is common for star performers in other business functions but happens less in cybersecurity. Top performers are too hard to replace.

To add to these hiring gaps, potential security jobseekers often find several factors that hinder their search to land their ideal security role.   Among the major roadblocks when seeking positions and advancing their careers include cybersecurity training costs, unclear career path knowledge and lack of related experience.

Ultimately, both organizations and candidates end up accepting less-than-ideal hiring results simply because both have reached plateaus with no feasible opportunities for progress or growth. Organizations may turn to third-party vendors offering managed security service packages to cover their shortfalls, but only as a contingency plan – not as a strategic goal to advance cybersecurity initiatives. Security jobseekers may end up settling for a less enriching security role that does not provide an ideal career path

 

READ: How to Hire and Retain Cybersecurity Talent

 

Roadblocks to Cybersecurity Careers

Some of the barriers hindering security professionals seeking advanced positions that compounds organizational hiring difficulties include:

  • Formal education needed to land entry-level security positions - More than eight out of every ten cybersecurity job postings require a bachelor's degree or higher, often alongside real-world job experience. This presents a high barrier to entry compared to many other IT fields, potentially dissuading people from exploring their potential as cybersecurity professionals.
  • Cybersecurity certification costs - More than half of all cybersecurity positions require at least one independent certification. Ideally, every security professional should have multiple certifications, expanding the number of roles they can play in a tight labor market. These costs add up, and don't always translate to long-term value – especially when security technology best practices change on short notice.
  • Lack of experience and product expertise - High certification costs and unclear career opportunities set the stage for inexperienced security professionals to take on responsibilities beyond their capabilities. This sink-or-swim approach puts undue risk on the organization's security posture and amplifies the challenge of implementing new security technologies when needed.
  • Lack of knowledge about cybersecurity roles - Many organizations neglect to discuss cybersecurity roles (or provide clear job descriptions) with potential candidates within their own ranks, simply because they work in other departments. This leaves leadership in the position of only educating new and existing security team members, and not promoting cybersecurity opportunities to the people already familiar with the unique structure of the organization.
  • Unclear career path opportunities - Many organizations avoid cultivating cybersecurity talent towards management or leadership roles. As a result, security professionals may not receive attractive opportunities for advancing their career in the company. Some may move from one job to another or exit entirely when given the chance to seek better opportunities.
  • For both security professionals and organizations there is light at the end of the tunnel. Organizations can help cybersecurity professionals move past these roadblocks to help develop their careers and expand the available hiring pool. Training and certification assistance are the best area to start.

 

READ: Develop Strong Career Paths to Boost Retention

 

Be Creative to Grow Security Talent

Organizations that take time to be creative when seeking to cultivate security talent and align their goals accordingly will find better hiring and retention with a greater security posture. This approach enables the organization to both grow its in-house security talent and opens the hiring opportunities for qualified trainable applicants.

  • Find cross-training opportunities - Many employees enjoy their jobs but want occasional opportunities to stretch their capabilities and gain new skills. In an environment where every role is also a cybersecurity role, there is a wealth of security-oriented cross-training opportunities in every department, bringing vital talent and new perspectives to the security team itself.
  • Incorporate certifications into training and transition plans - If a new position requires expertise with a specific tool, employees will need support to obtain that certification. Cybersecurity training must include vendor-specific certifications whenever the roles demand using specific tools to obtain security results – especially if candidates are being brought in from other internal departments.
  • Establish performance goals and role expansion opportunities - Every position should have performance indicators that accurately reflect how well an employee meets the demands of the role. This can be challenging for security roles, where attributing success to a single task is not always possible. These indicators are vital for identifying and cultivating top talent.
  • Create Employee-specific profiles – Potential hires have different goals, and you need to know what they are. Some people may be subject matter experts who don't want to take on management responsibilities. Others thrive when presented with management challenges. The better you know what your employees want, the more detailed a career roadmap you can create which helps build the team.
  • Build a comprehensive professional development track - Work with your human resources department to identify and document employee achievements that put them on the right professional development track for their needs. Seek employee input and build a collaborative roadmap that gives security talent a chance to flourish at your organization.
  • Consider training exchanges - If you don't have access to specific security tools and no opportunity for in-house training for those tools, you may be able to arrange cross-training swaps with other companies in the area. This is especially useful for smaller companies that can use three-to-six-month swaps to increase their in-house capabilities before signing on with a new platform or service.

 

READ: 3 Keys to Retaining Cybersecurity Talent


The more comprehensive and unique potential and current employees' career roadmaps are, the more likely they are to stick to the path laid out for them. In a labor-tight field like cybersecurity, treating each candidate and employee on an individual basis makes sense, and can significantly impact the success of the career development initiatives you create together.

 

Best Practices to Help Cultivate Security Talent

Security leaders who face security talent and retention issues need to focus on the individual goals of both potential and existing security team members. Be open to the fact that not every individual wants the same thing from their career, and you’ll gain the ability to build collaborative professional development roadmaps with your security staffers.  Best practices to cultivate new security talent include:

  • Build professional development tracks that speak to the individual employee's needs and expectations and promote this to jobseekers.
  • Find cross-training opportunities for other departments members, or even training exchanges with partner companies.
  • Incorporate job descriptions and performance goals into a comprehensive training and transition plan that includes vendor certifications.

Pay close attention to what potential and current employees want from their careers and help them build a plan to execute that vision.

 

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.


Access time-saving tools and helpful guides from our Faculty.


IANS + Artico Search

Our 2024-2025 CISO Compensation and Budget Benchmark Survey is Live!

Subscribe to IANS Blog

Receive a wealth of trending cyber tips and how-tos delivered directly weekly to your inbox.

Please provide a business email.