Finding and retaining qualified cyber workers is still a challenge.
The number of professionals in the cybersecurity workforce is at an all-time high, with 4.7 million professionals in these roles, (ISC)2 found. But 3.4 million more workers are needed to completely fill the talent gap.
The majority, 70%, of security leaders said their organization does not have enough cybersecurity employees.
Even the Cybersecurity and Infrastructure Security Agency has had to change its recruiting patterns so it could attract cyber talent, especially to stay competitive against private companies that can pay those experts already in the field higher salaries.
The overall problem isn’t necessarily a lack of people, said MK Palmore, director in the office of CISO at Google Cloud, and VP and board member of Cyversity. “There are tons of folks who are interested in this industry. How do you prepare them in a substantive way that will ultimately result in them getting jobs?”
Here’s what employers are doing.
Looking for qualities beyond just skills
Job descriptions for cybersecurity professionals can focus too heavily on specific markers of education and certification.
That can shut potential candidates out, especially those people who have the skills to be leaders in this field, even if they don’t have those technical abilities yet, said Alex Michaels, principal analyst at Gartner.
“We’re hyper focused on technology and we’re hyper focused on process, and we forget a lot of times the thing that drives the process and the thing that runs the technology are the people behind it,” he said.
Everything in security is very teachable, he added, which is why smart companies are looking for other kinds of leadership qualities, like business acumen, digital dexterity, agility and interpersonal skills, which “are all mission critical now.”
Changes in the recruitment process can also bring in workers who might otherwise feel they don’t belong in the field.
For example, only offering jobs in traditional tech hubs with high costs of living will most likely exclude those who don’t live there, or don’t see themselves there, said Palmore. “You have to go to where the diverse candidates are and offer them jobs in those locations.”
Michaels also recommends working with human resources to anonymize parts of the recruitment process, where things like the candidate’s name, location, college degree are held back.
“It means eliminating the affinity bias that a lot of leaders may indirectly have,” he said.
Focusing on culture, not just salary
While salary is important to cybersecurity workers and those considering entering the field, it’s not the only thing people are looking for.
Gartner found that compensation was a top driver of talent attraction, but closely followed by work-life harmonization.
When CISA set about changing its recruitment process, it focused on increasing salaries and cutting red tape, but the agency also worked on “building a culture that would attract and retain that elite talent,” Jen Easterly, CISA director, wrote in an August blog post.
That’s especially important since the public sector often pays less than private.
"We recognize that no one joins the federal government to get rich," she said. "Rather, they join for mission — an opportunity to serve the nation, ideally doing so with great teammates, inspiring leaders, and the ability to make an impact every day.”
Since this 2021 recruitment shift, the agency has hired more than 1,300 new people.
Easterly added CISA isn't finished yet, and encouraged anyone interested to apply, including those without college degrees, and located anywhere in the country.
“We’re looking for a combination of those with both hard skills as well as human skills because, while we’re solving some of the most complex technical problems for our nation, we must do it collaborative with our teammates and myriad partners,” Easterly said.
Palmore doesn’t anticipate that the cybersecurity professional gap can be entirely closed within 10 years, but he is optimistic that, through public and private collaborations, leaders can make a significant dent and eliminate anywhere from one half or two-thirds of it.
“We’ll be in a really good spot if industry and organizations continue to put their action where their mouths are. It can’t just be talking about this. We have to be doing what we can to solve this with intentionality,” he said.