Addressing the Cybersecurity Skills Gap
In the face of a growing number of cybersecurity threats and increasingly sophisticated attacks, IT professionals need help. Unfortunately, they’re having a hard time finding it.
According to Cisco, there are more than 1 million unfilled cybersecurity positions around the globe. To drive that nail further, a recent report published by ISACA states that many cybersecurity positions remain open for six months or more before they’re filled (if they're ever filled).
The talent shortage is real, and it might get worse before it gets better. As the amount of accessible data grows, data crime is becoming more pervasive. Ransomware, sophisticated extended-duration attacks, phishing and whaling attacks are all targeting large enterprises, government organizations, mom and pop shops and everyone in between.
It doesn't help that the rapid growth of data crimes is a relatively new trend, making it hard to find people who are deeply experienced in fighting data crime and who can be thrown into the fire immediately.
This gap can have the biggest effect on small business leaders, who often can’t compete with larger companies when it comes to offering the salary and benefits that attract today’s top IT talent. At this point, qualified newly hired professionals command average salaries of roughly $150,000, and that number most likely has room to grow.
Plus, nearly all IT leaders who responded to a recent survey conducted by Pearl Meyer indicated that they are using or considering using hiring bonuses to attract more qualified talent. The talent gap doesn't look like it will decrease any time soon.
When looking outside your business doesn't solve any problems, turn to the team you already have. Here are three ways small businesses can develop security professionals in-house:
1. Define a clear path for acquiring credentials and certifications.
While big IT firms such as Cisco are able to set aside millions of dollars to fund mentoring, coursework and certification for cyber-ops professionals, you don’t need that kind of money to get started.
Have an experienced manager evaluate your current staff and determine what skills your team is missing that are absolutely necessary right now. Then, create a professional development plan for individual team members that includes professional seminars and conferences, certification courses in whichever cybersecurity systems and software your company uses and training in relevant new products and one-on-one strategy consultation with experts.
Currently, only 9 percent of organizations say they offer adequate security training for employees. Take the steps above, and you won’t be among them.
2. Give employees incremental hands-on experience.
Again, because data crime is a relatively new and rapidly evolving phenomenon, relevant first-hand experience can be hard to come by. The same ISACA report states that almost 65 percent of entry-level applicants for cybersecurity positions don't have the skills required to succeed in the position.
If you have employees who are curious about certain areas of cybersecurity, let them spend time shadowing a more experienced team member as he or she tackles the more complex parts of the job. And don’t be afraid to send trainees off-site during client engagements, as this type of experience can provide critical development opportunities. Just don't charge clients for a trainee’s time.
Even major companies do this. Dell SecureWorks' CTO argues that if candidates are a culture fit and have the interest in security and technology, they can learn the rest of what they need to know on the job.
3. Leverage the experts you already have on staff.
This is key if you’re going to be successful with either of the tips above. Even if you only have one person on your team with a cybersecurity background, give that person the opportunity to take on the responsibility of training the rest of your IT team. You can make this person’s job easier by mandating security training for other members of the team.
Leveraging these experts can help with the hiring process, too. When the Department of Homeland Security held a cybersecurity hiring event, it included security experts in the recruiting process along with hiring managers and HR staff. It only makes sense that having an expert on board to converse with prospects helps everyone understand one another and move through the process efficiently.
The talent gap makes it so you might not be able to hire the most experienced, credentialed cybersecurity experts to be on your team in-house -- they just might not be available. But there are steps you can certainly take in the meantime that will address the issues small and medium-sized businesses commonly face.