By Alberto Yépez, managing director of early stage venture capital firm Trident Capital Cybersecurity
The cybersecurity industry has a talent shortage, yet not many realize just how severe it is. And, more importantly, they don’t realize what corporations struggling with the problem must do to get a grip on it.
To solve the challenge, corporations must develop new hiring and training strategies and pursue additional steps.
First, let’s quantify the problem. Most cybersecurity experts believe there are roughly one million cybersecurity positions unfilled worldwide. According to the Leviathan Security Group, these positions could not be filled even if every employee at GM, Costco, Home Depot, Delta Airlines and Procter & Gamble became a security expert tomorrow.
The backgrounds of many cybersecurity job candidates are somewhat lacking, and this at a time when the number of cyber attacks keeps growing. In a poll of cybersecurity professionals by the Information Systems Audit and Control Association (ISACA), a global professional association, only 16 percent felt at least half of the cybersecurity applicants at their companies were well qualified.
A similar survey of United Kingdom companies by KPMG found that 75 percent of British IT executives believe their cybersecurity pros need better information security skills.
John Stewart, the chief security and trust officer at Cisco Systems, has said it will take years to close the talent gap. Others note that even if universities were briskly producing graduates who wanted to work in cybersecurity—and they’re not—it would take substantial time for fresh talent to grow into their jobs.
That’s why we have to take a new tack in approaching the challenge.
The qualifications of many cybersecurity applicants are being judged too strictly today. It’s true that most today cannot step into the job and do every required task. This seems like a reasonable expectation, but it is not, given the extraordinary growth in cybersecurity and the available talent pool. And the reality is that cybersecurity, at least so far, is not really a stand-alone discipline, but rather one of many within the technology discipline. This means some on-the-job training should be expected.
As a venture capital firm specializing in cybersecurity, Trident Capital Cybersecurity cares deeply about this issue. The reasons are obvious. Our lifeblood is investing in early stage cybersecurity startups. They can’t be successful if they cannot find the talent they need.
So what, specifically, do I suggest companies need to do? There are eleven successful strategies:
Build an in-house corporate training program. PricewaterhouseCoopers, as one example, plans to hire 1,000 people this year for its cybersecurity consulting practice. It’s finding people by confronting the labor scarcity head-on. PwC has increased recruiting of new college graduates, including liberal arts majors, as well as people with STEM degrees, and is also focusing on veterans who are leaving the military and seeking private-sector jobs. Then PwC is training these people for its cybersecurity jobs.
The program starts with an intensive four-week course, often leading up to the CISSP, a certification for the next generation of security professionals, followed by additional courses taken while on the job.
Turn to military veterans for help. Fortinet, a leading purveyor of enterprise-class cybersecurity solutions, has established a veterans program focused on military personnel, based on the strength of their analytical and teamwork skills and ability to meet deadlines under pressure. The program helps veterans transition into the cybersecurity industry through employment at Fortinet or with its distribution and technology partners. Dozens of “FortiVets” have already been trained and hired, and the U.S.-based program will soon be expanded to Canada and the United Kingdom.
Partner with colleges creating cybersecurity programs. Rather than have computer science, computer engineering or electrical engineering majors take specific cybersecurity courses along the way, universities and colleges are now creating cybersecurity-specific programs. Get to know these colleges and partner with them. Create internship programs and monitor their success within your company.
One well-known program, at Southeast Missouri State University, has about 100 students and is the university’s fastest-growing major. Industry expert advisers supplement hands-on field studies. Courses include encryption coding, data analysis, risk assessment and organizational cybersecurity strategy planning.
Coach and promote entry-level talent. Many technology companies already have young, eager IT employees who understand cybersecurity. Get these people engaged to help mentor others. Have the senior executives get involved in training these people as well. Publicly acknowledge the success of this talent within the company.
Lean on the marketing department to recruit talent. Get the word out that you’re seeking cybersecurity talent. Blog about how your company solved a security problem or discuss how you bundled emerging security technologies. Emphasize specific technology tools that your cybersecurity pros use.
Be a thought leader. Make a point of pushing your top cybersecurity people to attend conferences and hackathons. Talk to the press about what you are accomplishing. Stay abreast of the most pressing issues. Make it clear—as widely as possible—why cybersecurity is so important.
In addition to pursuing new steps to attract and better train talent, companies can also mitigate the skill shortage by relying in part, and more than ever, on automation techniques and other novel, non-personnel solutions. These include:
Security automation tools. Some cybersecurity techniques are relatively mature and suitable for more cost-effective automation. One public company, Qualys, performs cloud-based automated vulnerability assessment, policy compliance and end-point management.
Integrated solutions. An issue in the cybersecurity industry is the high cost of integrating best-in-class solutions. Off-the-shelf integration is provided by companies such as AlienVault, which materially reduces the cost and “time-to-value” for companies that don’t have a dedicated cybersecurity team. The solution is easy to install, configure and deploy without the help of experts.
Share threat intelligence. Companies can join communities willing to share threat intelligence, saving money by helping to prevent the next cyberattack.
Consider using security-as-a-service. A growing number of companies are turning to Managed Security Service Providers as an alternative to managing cybersecurity in-house.
Prevention. Take end user awareness and education seriously—it helps offset cyberattacks and hence your cybersecurity staff workload.
Some industries eventually face survival problems, in part because they are no longer relevant. Cybersecurity need not be concerned about that issue. An inability to attract sufficient qualified talent, however, can also be a very serious threat. Let’s work together to begin to remedy it.