The cybersecurity skills gap: how to close it faster, smarter and discover untapped tech talent

Even before the current global pandemic, demand for cybersecurity professionals far outstripped supply. In Europe, there’s a shortage of 291,000 such professionals [1]. In the US, the situation is even starker, with a pre-COVID-19 skills gap of four million [2].

And the situation is about to get worse. Lockdown has forced companies to accelerate their digital transformation programmes – on average by six years [3]. In almost all areas of business, from e-commerce [4] to payments [5], to the sudden pivot to work from home [6], companies across the world are ditching the analogue and adopting the digital in more areas than ever before.

And whether they’re providing payments, e-commerce platforms, remote employee access, or something else entirely, all the companies making these changes – and the service providers who work for them – will need to secure their systems and their data. And that means even fiercer competition for cybersecurity pros and – if the industry doesn’t do something quickly – even more unfilled security roles. So what can the tech sector do to find more security pros right now?

Start fishing in a bigger pond

No one is born a cybersecurity expert (no matter what cybersecurity experts say). But people in lots of different fields may have the skills and attitudes it takes to become one. Dave Lenoe, director of secure software engineering at Adobe, has developed a strategy for recruiting individuals with the right talents from other parts of the company.

“External hiring shouldn’t be the only solution,” explains Dave. “Looking internally for talent can be a great avenue to overcome the growing skills gap. At Adobe, our programmes and events allow employees from other parts of the organisation to take part in security activities that flex creative and problem-solving skills. To address ongoing concerns like the cybersecurity skills talent gap, it’s essential to expand and diversify the security opportunities within your organisation.”

Once you’ve started widening your talent search, there’s no need to stop at your company’s front door – take that open-mindedness out into the world. In the UK right now, as in much of the developed world, there appears to be a shortage of people with relevant digital and cybersecurity skills, even at the most basic levels.

Between 2018 and 2019, there was a drop of 40,000 in the number of pupils taking GCSE computing [7]. So where are you going to find recruits with an aptitude for computing? Why not try PC gamers? There are, to take just one demographic, 3.8 million 16-24-year-old gamers in the UK [8] [9].

Many of them are highly PC literate and have problem-solving skills. With the right recruitment process, it’s possible to find those in this group who, with some training, would have an aptitude for cybersecurity. Nor are gamers the only demographic with the right skills. Many people currently working in non-IT jobs have the analytical mindset required of an IT security pro.

“From our experience, the key to solving the skills shortage in cybersecurity is to aim to hire from a more diverse talent pool,” says Sarah Wood, digital marketing executive at Diversity in Tech. “Looking outside the box when recruiting and considering the transferable skills and mindset of individuals with different career backgrounds will help with beginning to widen the talent pool. For example, someone from a military or legal background might have the skills which could prove valuable for a career in cybersecurity.”

Joanna Burkey, CISO at HP Inc, is of the same mind. “I couldn’t agree more that this is an under-recognised area to find valuable talent for the future. Especially in cyber-sec, where so much value comes from experience, candidates with non-traditional experience should absolutely be encouraged to be a part of this field. This can mean looking in places such as the military, apprentice programmes, or even community organisations like [security conference] BSides.”

Target your recruitment at under-represented groups

Another way to pre-empt the scramble for skills is to start looking for them among groups who aren’t currently well represented in the industry. Sarah Wood from Diversity in Tech says: “To solve the skills shortage, challenge stereotypes that may be making the sector feel unapproachable for minority groups in tech, such as women – who currently make up just 20% of the sector. The more inclusive security becomes, the easier it will be to recruit and retain diverse tech talent.”

Recruiting among groups outside your company and who don’t have qualifications in cybersecurity can also help to attract more under-represented groups into your security teams. In the UK, for instance, 46% of manager-level accountants are women [10] and 15% of new accountants are from British Asian communities (who are 7.5% of the population) [11].  

Accountants need many of the same skills as cybersecurity professionals. And the average wage for an accountant in the UK is £29,000 [12] compared to £62,000 for a cybersecurity professional [13]. A recent study noted that the promotion rate for both women and ethnic minorities in accountancy is still discouragingly slow [11]. That’s not great for accountancy. But its loss can be cybersecurity’s gain. And finance is just one example of an area which, with the right approach and the right message, could become a fertile ground for the recruitment of new talent into security roles.

Another approach is to work with institutions of learning dedicated to attracting and training under-represented groups. “At HP, we’ve recently announced the launch of the HP Women in Cyber Security scholarship programme with The University of Queensland (UQ), Australia,” says Joanna Burkey. This new programme is designed to support the development of female talent across Australia’s information technology and cybersecurity industries and furthers HP’s commitment to boost equal opportunity in the workforce. With the first intake to commence in August 2020, this HP scholarship will be awarded to five women enrolled in UQ’s new Master of Cyber Security. It will cover course fees to the sum of $20,000 per year for the two-year duration of this programme.”

Whichever routes organisations choose to take to try and fill the cybersecurity talent gap, it seems likely that the job market in the sector is about to tilt heavily in the favour of job seekers. This on its own should be enough to pull a lot of new talent into the industry. But if past performance is anything to go by, this won’t happen fast enough. The process needs a helping hand from far-sighted companies and institutions. And the ones that act fast are likely to close the skills gap quickest.