Every 39 seconds, a cyberattack occurs somewhere in the world. These attacks cost organizations an average of $13 million. And according to Accenture, the value at risk globally from direct and indirect cyberattacks is $5.2 trillion from 2019 to 2023.
Yet, the cybersecurity industry faces a considerable challenge in finding enough professionals to answer these ever-growing threats. The International Information System Security Certification Consortium (ISC)2 Cybersecurity Workforce Study estimates that the gap between the currently employed 2.8 million cyber professionals and the number needed in public and private sectors worldwide is estimated to be a whopping 4 million. That's a huge number.
But is the shortage as dire as it seems? Ron Sharon, Vice President of Information Security for Mercer Advisors, says no. "There is a global shortage of cybersecurity professionals, but I don't think the numbers are that high, they are skewed. I see many qualified cybersecurity professionals out there looking for work and not being able to find any. If there is this huge shortage of qualified workers, it shouldn't take them months to find a new job." So, what is the real reason behind the perceived talent shortage, and how can it be addressed? Sharon shares his thoughts on how companies can solve this multifaceted problem.
Revamp job requirements
Many companies still want a college degree. Therein lies one of the main reasons for the talent shortage. Companies are dismissing many qualified applicants who exist outside that norm. The reality is that there are many of avid self-taught people who are as competent as college graduates from a skills perspective. That's because, college cybersecurity courses tend to focus more on theory than practice. "Cybersecurity programs in colleges and universities are just coming in to their own," says Sharon. "New programs have started in leading universities across the country, but the issues are that it takes a long time to finish and when you are done you have a lot of theoretical knowledge but no real-world experience." Not to mention the fact that college is expensive, and not everyone can afford it or qualify for a loan.
Revisit hiring practices
Given the current recruitment practices, companies are missing out on potentially strong cybersecurity candidates. So, how should employers make intelligent hiring decisions? Sharon suggests that a college degree not be a prerequisite for a cybersecurity position. Instead, employers should look for relevant certifications, experience and a willingness to learn. Ultimately, it's about being flexible. "Employers need to look beyond the resume and consider the candidate's potential. The Marine Corps has the 70% Rule. It states that you act when you have 70% confidence in the success of the decision. If a candidate fits 70% of what I am looking for, I hire them and then bring them to 100%."
Create training programs
It's time for the industry to step up and take ownership of training cybersecurity professionals. "As an industry we need to do better. We need to have low-cost in-depth hands-on training and certification programs for cybersecurity professionals. This will be a good first step in closing the skills gap," says Sharon. And don't forget internal talent. Many existing cybersecurity employees may already have a good combination of skills and experience, which, with further development, could fill in the gaps. Developing cybersecurity employees for internal roles will help reduce unfilled vacancies and increase retention. Companies could also consider having a practice lab, especially for entry-level employees. And focus on creating an environment that encourages employee growth and overall curiosity. That way, workers will feel empowered to continue expanding their understanding of the industry.
While there is no magic bullet to solve this complex problem, there are immediate steps that employers can take. Yes, there is value in a college degree, but it is not necessary to succeed in a cybersecurity job. Instead, companies need to start revamping job requirements, reevaluating their hiring strategies, and developing training programs. After decades of neglect by businesses, enterprises and educational institutions, it will take some time to close the existing cybersecurity skills gap. "I have a saying, says Sharon. "Don't think out of the box. Throw the box away." By using creative strategies, the cybersecurity industry can finally begin to solve the talent shortage-one employee at a time.