There has been a lot of noise made about the problem of the Cyber Skills Gap, but far less coherent exploration of what the solutions could look like.
How did we get here?
- The challenge of defining what an ‘entry level’ role should look like
- Organisations' reluctance to onboard unskilled or inexperienced staff
- General resistance to diverting significant budget to infosec teams.
Clearly there is a relationship between the first two bullet points. Where an organisation is unwilling or unable to onboard unskilled or inexperienced staff and train them up in-house, it misses out on the ‘cheaper’ end of the market. Once it has to bring in people with pre-existing skills and experience for what are (as far as the market is concerned) ‘Junior’ roles, the company is in a catch-22: it is already having to offer more in salary than it otherwise would, so it is motivated to get as much for its money as possible. This is part of what creates the familiar scenario, oft bemoaned in our LinkedIn feeds, of ‘entry level’ roles asking for anywhere between two and five years of experience with various platforms and/or processes.
The final point is an overarching issue in cyber security: communicating the value of investing in the cyber security functions of an organisation in a way that mitigates board concerns about cost. CISOs often come from a technical background and may not always have had the time or opportunity to develop the core skills required to deliver this message most effectively to the board. Knowing how to present a technical risk in the context of business and/or financial risks is crucial to the success of both the individual CISO and the organisation’s cyber security programme. Recently Reet K illustrated an example of how this can be achieved from her time at Nike in a LinkedIn post. You’ll find a link to her post in the comments below.
Recruitment and Certifications
Accepting that there is a cyber skills gap, we have to look at the process of filling it, and the first thought is therefore “recruitment”. HR obviously plays a key role in this process, but to be effective it needs to be aligned with the hiring manager within the relevant security department. HR knows the recruitment process, how to enter the market and which channels will attract the best talent, whereas the hiring manager knows the skillsets and experience needed. Combined, they should craft the job specification and determine the package that would be required for the ideal candidate. The reality, more often than not, in cyber recruitment is that job specifications are not well written. Every few weeks my LinkedIn feed is littered with examples of job descriptions that amount to three or four separate roles, with experience requirements that cannot be met across such a wide variety of disciplines, platforms and languages.
These issues are partly caused by the rapidly evolving nature of cyber security, which results in a dearth of skilled practitioners in particular disciplines; this makes it difficult to determine the skill set required for a role. For example, there are currently 14 qualified CBEST testers in the UK. Given that CBEST has been the flagship standard for security testing in the financial industry, this does not bode well for some of our most crucial organisations. Consequently, The Cyber Scheme are working to establish a new, more accessible and relevant standard in collaboration with industry bodies.
So, while certifications can help in principle, and a significant number of hiring organisations consequently require them, in a market where the core issue is a shortage of candidates, adding hurdles to applications isn’t ideal.
Additionally, the relevance of the certifications to the organisation’s landscape is key to consider. Many certifications are about looking ‘over the hill’, proving oneself adept at the latest cloud and SecOps tooling. However, many organisations are struggling to secure legacy infrastructure and applications, which have often been stitched together through a series of M&As where asset management processes were… lacking.
In recognition of this, and in addition to our work on easing the route into cyber security, both as The Cyber Scheme and with the impending launch of The Cyber Challenge, we are currently collaborating with corporate entities to move away from the reliance on expensive and unreliable hiring of external candidates by:
- identifying and progressing existing in-house talent that can migrate to the security team
- creating hiring frameworks for the key reporting roles in the security function (CISO)
- establishing organisation-specific technical assurance certifications
Career Pathways and Turnover
A well-worn path into cyber security is to get a start on the support team/helpdesk function; often these individuals are self-funding their courses. An organisation that has inward-facing aptitude and ability assessments for its existing staff can identify motivated individuals, who can then be trained and transferred to the IT Security team at a much lower cost than hiring external candidates, shifting the hiring cost to backfilling a much less expensive role. This approach can also be applied when hiring externally, as discussed in this CSO Online article by the BlackBerry CISO Arvind Raman: To solve the cybersecurity worker gap, forget the job title and search for the skills you need.
Currently, an organisation should expect to hire a new CISO every couple of years. Organisations that engage an independent third party to assist in the creation of a hiring framework will have a much lower churn rate, as they will be helped to hire appropriately and will have a clearer understanding of the support and facilitation the incoming CISO will require. Considering that the cost of churn to an organisation is between 60% and 120% of the actual salary, and the average CISO salary in the UK is between £120,000 and £150,000, this is not an insignificant amount. Respondents to a recent survey conducted by The Cyber Scheme were overwhelmingly clear that the majority of hiring organisations lack a coherent approach, or any insight into the problems they are attempting to solve. This is a significant contributing factor to the turnover of security leaders, which in turn contributes to the churn rate and related hiring costs lower down the cyber security chain.
Establishing an internal technical assurance certification programme supports the integration of migrated staff, while also supporting the upskilling of existing IT Security team members through an assessment designed to relate specifically to the threats to which your organisation’s infrastructure and reputation are most exposed. This supports the continuing professional development of individuals within your team, directly strengthens the organisation’s security posture, and reduces the ‘brain drain’ cost of the more general industry-wide certifications.
The three points above are clear examples of concrete steps that can be taken today, allowing organisations to broaden their audience for these key roles and close the cyber skills gap sooner rather than later.