Cybersecurity hiring gap: Time to rethink who can contribute

There is no denying the large number of vacant full-time positions to be filled in the cybersecurity workspace. The numbers range from 3.5 to 4.7 million globally. As most CISOs will attest, the talent pool has never been tighter, and the squeeze will only continue. Necessity is the mother of invention, so this critical need requires different thinking about who can contribute to security teams' successes.

For some, the answer is surrender. They simply accept they are resource constrained, keep the executive staff informed of the risks they are assuming due to lack of resources, and call it a day. This is not the path I'd advise, as it is almost certainly a step toward the self-fulfilling prophecy of the alternate CISO acronym, "career is so over."  

For others, this is an opportunity to create new pathways to success for their teams and the individuals who are afforded opportunity. Here are some ideas about what those pathways might look like.

Make entry-level cybersecurity jobs just that

During the recent RSA conference, I asked Curtis Simpson, Armis CISO, about the complexity of the tools being brought to market and the learning curve needed to be a contributing member of a team. He sees a high school graduate, maybe with some community college classes and "critical thinking skills" as having what they need to know to fill an entry-level cybersecurity position and be operational within days. The key, he says, is in removing the complexity of the systems being used.

HPE's CSO Bobby Ford shared with me some perspective as to how he believes, "entry level, should mean just that - an entrance into the field or role. I feel very strongly that you're overlooking potentially tremendous talent if a particular skill set is used as a barrier to entry. My approach to cultivating talent is drawn from my experience in the military. I'm looking for people who have an interest in the subject matter. We can teach the skills to anyone willing to learn."

Ford gets no argument from me as one who has spent a good part of his professional career developing vocational instruction for a rather unique skill set of the intelligence officer. Early in my professional career I was also the benefactor of the "take someone with interest" way of thinking Ford describes. I was a 20-year-old file clerk whose claim to fame was he knew A-Z and 0-9. I was given the opportunity to learn a skill as a "telecommunications specialist." The CIA was experiencing a shortage of radio-qualified operators who knew Morse code, Radio Teletype (RTTY), and how to use encryption methodologies (one-time-pad, one-time-tape, and a variety of devices). This was almost a half-century ago, but the lesson remains valid.

The Agency created a homegrown variety of operators. The cadre was taught the skills necessary and were sent out to the field. It was a great success and kept the bits moving along the blazing 120 bps RTTY circuits. Before you roll your eyes about Morse Code, yes, I once did use Morse Code encrypted with OTP to pass staff communications in a frosty period of the Cold War: For a six-week period a certain government cut the lease line and jammed outbound RTTY transmissions in a fit of diplomatic, "We'll show you." The communications under my remit were degraded, not cut off. My Morse Code speed was a mighty 21 wpm.

Create and grow your security professionals

In the recent "HPE 2023 Cybersecurity Annual Report," Ford discusses how his organization has "worked to create and grow our security professionals." The highlights of the HPE effort begin with perspective. Ford sees the "cybersecurity talent shortage" as misidentified, he refers to the situation as an "experience shortage." As we all know, the only way to garner experience is by doing. He opened doors to "overlooked" talent, with the creation of their Cybersecurity Career Reboot Program.

The program's key factor probably broke every HR sorting tool, as they sought out individuals who had been passed over because the "lack the experience required to land entry-level jobs." HPE set up a six-month in-house program where "participants are paid while learning the nuts and bolts of cybersecurity, embedded within various cyber functions within HPE and taking on project-based work while being mentored by our team members." 

HPE wasn't done. They then used their Professional Rotation Experience Program (PREP), which took recent grads and put them in "two-year rotational program that includes global exposure to all our cybersecurity functions. PREP participants gain experience with the foundations of cybersecurity through hands-on project work, exposure to a variety of experiences, and innovative training and development, rotating through the different teams within cybersecurity every six months during the program."

Keep an eye on employee growth and retention

While the focus of homegrown talent programs is on the new and eager employees, CISOs must also keep an eye on retaining and improving the talent already in place. Simpson and Ford both noted the value of mentoring. Keeping your current stable of professionals at their peak also requires investing in training.

This may be a larger lift than one would think based on the recent Immersive Labs Cyber Workforce Benchmark report, which highlights how "seasoned cyber pros are more complacent in their skills than junior staff." They explain that their data displayed how "junior staff tend to challenge themselves with more difficult exercise and are more likely to stay current with new threats compared to more experienced cyber professionals.

The White House cybersecurity workforce plan for the US

The White House on July 31, 2023, issued a "National Cyber Workforce and Education Strategy, Unleashing America's Cyber Talent" and it aligns with the thinking of both Simpson and Ford. The strategy emphasizes the need to "chart a path to resolving these challenged by working towards filling cyber jobs for working families." What are the challenges? An education system that lacks a cyber focus and an "insufficiently diverse workforce."

The plan has four pillars:

• Equip every American with foundational cyber skills.
• Transform cyber education.
• Expand and enhance America's cyber workforce.
• Strengthen the federal cyber workforce.

The US federal government has its CyberCorps Scholarship for Service program that provides scholarships to those studying cybersecurity related field. The National Security Agency (NSA) invests in providing certification to colleges and universities as centers of academic excellence. The pipeline is bright for those positions requiring academic degrees or certifications. In time, they will deliver qualified individuals into the pipeline.

While the White Houses initiative and those of other governments will enable resources to grow the cyber workforce of the future, we need results in months not years. Companies must take the initiative today to help themselves and by extension the overall cyber community.

In sum, if we are to close the gap in open cyber position requirements, we must create home-grown solutions, ensure our established cyber workforce is afforded training opportunities, and to embrace the concept of mentoring both intra-company as well as across the cyber community landscape.