The cybersecurity sector is facing a severe crisis: a lack of skilled workers. In June 2022 Condition reported that companies are in desperate need of cybersecurity workers. Cyber Seek lists more than 714,000 open cybersecurity jobs. And the demand for cybersecurity experts is expected to increase.
The United States Bureau of Labor Statistics says demand will grow 33% from 2020 to 2030, much faster than the average for all occupations. Cyber Security Enterprises says the situation is part of a trend that began in 2013. Since then, the number of cybersecurity job vacancies has increased by 350%.
For companies looking to hire cybersecurity professionals, TechRepublic Premium offers a Cybersecurity Engineer Hiring Kit.
Who will be affected by the lack of security professionals?
The crisis affects all sectors. Through the Department of Homeland Security (DHS), the US government launched the Cyber Security Talent Management System (CTMS) in November 2021. CTMS is designed to recruit, develop and retain cybersecurity professionals by streamlining hiring processes and offering competitive compensation and career development opportunities. The business sector is also working to bridge the gap, with companies such as Cyber Talent Institute, SANS Institute, Cybint and others emerging to respond to the crisis. In contrast, some companies like Deloitte offer in-house cybersecurity training and skills.
An increasingly challenging cybersecurity environment, worker burnout, an increase in cyberattacks, a lack of diversity and the long years it takes to train an expert have been reported as drivers of the crisis. However, some of these factors may be a matter of perception.
Why is filling positions in cybersecurity so challenging?
To understand the challenges, TechRepublic spoke with Ning Wang, CEO of Offensive Security.
“As in many fields, it takes several years to become a cybersecurity expert. However, there are many entry-level or mid-level cybersecurity roles that do not require two to four years of training,” Wang said. Examples include Security Operations Center (SOC) analysts, who work with a team to monitor and counter threats, and incident responders, who create security plans, policies and protocols. Other jobs, such as penetration tester, a role that simulates cyberattacks and looks for vulnerabilities and bugs, take longer to build skills for, and experience is often required.
Wang says skill is a matter of perception, and the time it takes for a person to become an expert varies from case to case. “I encountered incredibly dedicated and motivated people who were able to earn our Offensive Security Certified Professional (OSCP) certification and land a job as a penetration tester in about a year,” added Wang.
Her advice? Know what to study, how to study, be dedicated, find mentors and help when needed to achieve goals. Wang also advises companies to find the right people to train and provide them with quality learning materials specifically designed for their learning paths.
“Everyone learns by applying and doing, not just watching and listening, so hands-on learning is critical to cybersecurity education. A training program that recognizes and incorporates these elements will achieve faster and better results, thereby accelerating the learning process,” Wang said.
Good cybersecurity experts develop hypothesis-driven problem-solving abilities, understand what to do when stuck, and learn how to do something with limited time or resources.
New Generations: Cybersecurity Education Gaps
Another factor that is reported to be driving the job crisis is the lack of interest of the new generations in cyber security. In 2018, a report found that only 9% of Millennials were interested in a career in cybersecurity. Wang believes this is another misconception. She says the new generations are interested but learn differently.
“The way this generation learns is different. Attention spans are shorter and the need for instant gratification is much greater,” Wang said. She also noted that learning modalities need to change to be effective for new generations who prefer video over text and short content over long content.
“We need to create shorter learning modules in the media that new generations prefer and develop atomic learning units that provide immediate feedback,” Wang said. She calls for streaming technology to help students understand how to hack and for education to adapt to irreversible new learning preferences.
Is AI the solution to the cybersecurity expert shortage?
As Deloitte reports, companies are turning to AI, machine learning and automated security solutions as force multipliers. New automated security technologies are being used to monitor, scan and respond to attacks affecting an ever-expanding digital attack surface. These technologies have been lauded as a solution to the chronic cybersecurity talent shortage. As organizations use automated security technologies and attacks evolve and increase, Wang says the approach may not be entirely on track.
“I think it’s great that companies are developing automated tools to identify vulnerabilities and flag suspicious activity. However, I don’t believe that these automated tools can fill the unmet gap due to a lack of security experts because the algorithm cannot think critically like a hacker or a human being,” Wang explained.
Machine learning models may be able to detect suspicious logins and activities, but these applications are built on existing data. As attacks and vulnerabilities evolve, they introduce new data that is not included in AI applications. This is known as drift in a machine learning model. “No matter how we automate, these tools help us identify known vulnerabilities, but they cannot help us identify new types of vulnerabilities,” Wang explained.
Furthermore, the majority of attacks do not breach systems with sophisticated coding or work their way through heavily guarded security systems. Cybercriminals have become experts in human nature. They are constantly finding new ways to trick employees into replying to an email, clicking a link or downloading malware. Experts say companies need to strengthen the human element of cybersecurity if they want to make their operations more secure.
“We need real people who are as talented as cybercriminals, who can think like hackers, to identify these new risks to improve and train our AI and ML tools,” Wang said.
Leading cybersecurity organizations have come to terms with the reality, and many are fighting fire with fire. Ethical hackers, bounty programs, and a hacker mindset approach are proving to be a practical offensive strategy for modern attacks, as TechRepublic recently reported.
“Essentially, the best way to defend yourself is to know very well how you can be attacked. Developing a hacker mindset is essential to success in the cybersecurity industry. You can’t do this job just by following a to-do list and ticking off a set of tasks,” Wang added.
Hiring for ability and ability to work under duress
Despite significant investments in cybersecurity solutions, the number of attacks is not decreasing. Organizations building security teams still struggle to find talent to match the elasticity, adaptability, resilience and ruthless techniques of cybercriminals. So what should companies look for when hiring cybersecurity talent?
Wang says security experts must be critical thinkers and creative problem solvers with the tenacity to not give up easily. They must have the patience to study, observe, and be comfortable figuring things out through trial and error. These more innate abilities are much more complex to teach than the IT skills required for cybersecurity.
According to Wang, managers should look for six attributes when hiring for ability:
- Curiosity: Find candidates who love to ask “Why?”
- Creativity: Find candidates who will find innovative ways to solve problems and aren’t afraid to think outside the box – just like hackers do.
- Grit: Ask new applicants about challenges or failures they’ve overcome. Someone who achieves goals by overcoming obstacles is a courageous person.
- Willingness to work hard: Being smart and talented helps, but it’s not enough to become a cybersecurity expert. It takes hard work.
- Attention to detail: A lot of time can be wasted when careless mistakes are made, especially when writing code.
- Desire to develop skills and deepen wisdom: Deep knowledge allows people to hone their pattern recognition skills, which is one of the most fundamental aspects of cybersecurity.
It’s important for businesses and hiring managers to remember that very few candidates will tick every box – that’s why it’s important to hire for potential. “There is also something very rewarding about recognizing talent and nurturing it through training. Those with ability will flourish quickly and their business training will be rewarded handsomely,” Wang said.
TechRepublic’s Premium Cybersecurity Engineer Recruiting Kit takes some of the guesswork out of starting the hiring process. It includes job description, salary ranges, interview questions and more.