There are two trends that have defined the cybersecurity landscape for the last decade: attacks are growing in number and severity, while the number of professionals equipped to mitigate these threats is outstripped by demand.

The latter trend is arguably the most significant challenge for the long-term cybersecurity of businesses globally.

Those perpetrating cyberattacks will continually identify new attack vectors and adopt increasingly advanced modes of attacks. Robust and effective cybersecurity practice can provide continued protection, but only if cybersecurity professionals and companies have the skills and numbers to stay ahead of malicious actors.

Unfortunately, this does not appear to be the case. In 2021, the fifth annual industry report from the Information Systems Security Association (ISSA) and analyst Enterprise Strategy Group (ESG) established that many in the global industry did not feel the cybersecurity skills gap had improved in recent years.

More specifically, three in five respondents (62 percent) noted that they currently had a heavier workload than in previous years, and almost as many (59 percent) commented that they believed their organisations could be doing more to tackle the skills gap.

Within the British market, the UK Government’s ‘Cybersecurity Skills in the UK Labour Market 2022’ report showed that almost half of cyber sector companies felt that job applicants lacked the technical skills required. This is leading to more unfilled cybersecurity positions. In fact, the UK Government estimates that approximately 17,500 new people need to enter the industry each year to keep up with current demand.

According to (ISC)², there were more than 2.7 million open cybersecurity jobs globally in Q4 2021. To help bridge the gap, the organisation recently launched a scheme called 100K in the UK, offering its entry-level cybersecurity certification for free to 100,000 people interested in a cybersecurity career.

Rethinking the pipeline
All this data goes some way to highlighting the scale of the challenge ahead for the industry. Government and industry must continue to work together to deliver a long-term solution to this problem, yet there are also changes beginning to take shape in the sector to relieve issues in the near-term.

In particular, cybersecurity leaders have started to recognise that stronger recruitment alone will not solve the problem.

CISOs have become ‘de facto’ recruiters
Generally, infosec teams have relied on traditional recruiters and HR processes to source talent. With the ongoing shortage, many are now looking for ways to build a talent pipeline outside of these traditional approaches.

Leaders in highly technical fields, like CISOs, are becoming more creative and hands-on in finding and attracting talent. This ranges from actively networking in their daily lives to getting directly involved with regional security organisations, conferences and mentorship programmes. In essence, CISOs are becoming de facto recruiters.

However, this approach only goes so far as it relies on a consistent and highly-skilled network of cybersecurity professionals, and can set a precedent that leads to a salary ‘arms race’ among organisations competing for the same small pool of cybersecurity talent.

Upskilling ‘parallel’ talent streams
Instead, cybersecurity organisations must get more creative and patient. More organisations should work to find talent from parallel fields with transferable skills and an eagerness to learn, then upskill and help them develop over time within the company.

Together with a hands-on recruitment approach and initiatives from government and industry, this longer-term approach to nurturing talent from within can help mitigate the worst impacts of the cyber skills gap.

Creating a culture of upskilling within an organisation also brings significant long-term skills benefits. The main way that cybersecurity professionals continue to stay ahead of new attack modes and vectors is by continual learning and development, yet 82 percent of respondents in the ISSA’s 2021 survey highlighted this as something they struggle to commit to due to job requirements. This could be, in part, addressed by making knowledge-sharing and upskilling an integral part of a cybersecurity strategy.

The cybersecurity skills gap may have been a persistent trend, but it doesn’t need to be one that defines the industry for the coming years. The only way to fix this vulnerability, however, is to not just persist with the same approaches that organisations have in the past. We must rethink the cybersecurity talent pipeline and adopt more robust strategies for skills development.