The cybersecurity industry is facing a serious crisis: a lack of skilled workers. In June 2022, Fortune reported that companies were desperate for cybersecurity workers. Cyber Seek lists over 714,000 open cybersecurity jobs. And the demand for cybersecurity experts is expected to increase.
The US Bureau of Labor Statistics says that demand will grow 33% from 2020 to 2030, much faster than the average for all occupations. Cybersecurity Ventures says the situation is part of a trend that started in 2013. Since then, the number of unfilled cybersecurity jobs has increased by 350%.
For companies looking to hire cybersecurity professionals, TechRepublic Premium offers a recruitment kit for cybersecurity engineers.
Who will be affected by the lack of security professionals?
The crisis affects all sectors. Through the Department of Homeland Security (DHS), the US government launched the Cybersecurity Talent Management System (CTMS) in November 2021. CTMS is designed to recruit, develop and retain cybersecurity professionals by streamlining hiring processes and providing competitive compensation and career development opportunities. The corporate sector is also scrambling to close the gap, with companies like Cyber Talent Institute, SANS Institute, Cybint and others emerging to respond to the crisis. On the other hand, some companies like Deloitte offer in-house cybersecurity training and skills.
An increasingly challenging cybersecurity environment, worker burnout, increased cyberattacks, lack of diversity, and the long years it takes to train an expert are reported as the drivers of the crisis. However, some of these factors may be a matter of perception.
Why is filling cybersecurity roles so difficult?
To understand the challenges, TechRepublic spoke with Ning Wang, CEO of Offensive Security.
“As in many fields, it takes several years to become an expert in cybersecurity. However, there are many entry-level or mid-level cybersecurity roles that don’t require two to four years of training,” Wang said. Examples include security operations center (SOC) analysts, who work with a team to monitor and counter threats, and incident responders, who create security plans, policies, and protocols. On the other hand, other jobs like penetration tester, a role that simulates cyberattacks and scans for vulnerabilities and bugs, take longer to train for, and experience is often required.
Wang says competence is a matter of perception and the time it takes for a person to become an expert varies from case to case. “I’ve met some incredibly committed and motivated people who were able to earn our Offensive Security Certified Professional (OSCP) certification and get a penetration tester job in about a year,” Wang added.
Her advice? Know what to study and how to learn, be dedicated, and find mentors and help when needed to achieve goals. Wang also advises companies to find the right people to train and provide them with quality learning materials explicitly designed for their learning journeys.
“Everyone learns by applying and doing, not just watching and listening, so hands-on learning is essential for cybersecurity training. A training program that recognizes and incorporates these elements will drive greater results, faster and better, thus speeding up the training process,” Wang said.
Good cybersecurity experts develop problem-solving skills based on assumptions, figure out what to do when they get stuck, and learn how to do something with limited time or resources.
New generations: gaps in cybersecurity education
Another factor that has been reported to be driving the job demand crisis is the new generations’ lack of interest in cybersecurity. In 2018, a report revealed that only 9% of Millennials are interested in a career in cybersecurity. Wang thinks this is another misperception. She says new generations are interested but learn differently.
“The way this generation learns is different. The attention span is shorter and the need for instant gratification is much greater,” Wang said. She also noted that training modalities need to change to be effective for new generations who prefer video to text and short content to long content.
“We need to create shorter training modules in the mediums that new generations prefer and develop atomic learning units that provide instant feedback,” Wang said. She calls for streaming technology to help students understand how to hack and for education to adapt to irreversible new learning preferences.
Is AI the solution to the shortage of cybersecurity experts?
As Deloitte reports, companies are turning to AI, machine learning, and automated security solutions as force multipliers. New automated security technologies are used to monitor, analyze and respond to attacks affecting an ever-expanding digital attack surface. These technologies have been hailed as a solution to the chronic cybersecurity talent shortage. As organizations take advantage of automated security technology and attacks evolve and increase, Wang says the approach may not be quite on track.
“I find it great that companies are developing automated tools to identify vulnerabilities and report suspicious activity. However, I don’t think these automated tools can fill the unfilled gap due to the lack of security experts, because an algorithm cannot think critically like a hacker or a human can,” explained Wang.
Machine learning models may be able to detect suspicious logins and activity, but these apps are built on existing data. As attacks and vulnerabilities evolve, they present new insights that are not considered in AI applications. This is called drift in a machine learning model. “No matter how well we automate, these tools help us identify known vulnerabilities, but they cannot help us identify new types of vulnerabilities,” Wang explained.
Additionally, the vast majority of attacks do not breach systems with advanced coding or force their way through highly protected security systems. Cybercriminals have become experts in human nature. They constantly find new ways to trick workers into replying to an email, clicking a link, or downloading malware. Experts say companies need to strengthen the human element of cybersecurity if they want to make their operations safer.
“We need real people as talented as cybercriminals, who can think like hackers, to identify these new risks to improve and train our AI and ML tools,” Wang said.
Major cybersecurity organizations have accepted reality and many are fighting fire with fire. Ethical hackers, bounty programs, and a hacker mindset-based approach are proving to be a practical offensive strategy against modern attacks, as TechRepublic recently reported.
“Essentially, the best way to defend is to know very well how you can be attacked. Developing the hacker mindset is essential to succeeding in the cybersecurity industry. a to-do list and checking off a set of tasks,” Wang added.
Hired for aptitude and ability to operate under duress
Despite significant investments in cybersecurity solutions, the number of attacks is not decreasing. Organizations building security teams still struggle to find talent that matches the elasticity, adaptability, resilience, and relentless techniques of cybercriminals. So what should companies look for when hiring cybersecurity talent?
Wang says security experts need to be critical thinkers and creative problem solvers with the tenacity not to give up easily. They must have the patience to study, observe, and be comfortable figuring things out through trial and error. These more innate skills are much more complex to teach than the computer skills needed for cybersecurity.
According to Wang, managers should look for six attributes when hiring for aptitude:
- Curiosity: Find candidates who like to ask “Why?”
- Creativity: Find candidates who will find innovative ways to solve problems and aren’t afraid to think outside the box, like hackers do.
- Grind: Ask new applicants what challenges or setbacks they overcame. Someone who achieves their goals by overcoming obstacles is a courageous person.
- Willingness to work hard: Being smart and talented helps, but it’s not enough to become a cybersecurity expert. Hard work is required.
- Attention to detail: A lot of time can be wasted when careless mistakes are made, especially when writing code.
- Desire to develop skills and deepen wisdom: Deep knowledge allows individuals to build their skills in pattern recognition, which is one of the most fundamental aspects of cybersecurity.
It’s important for companies and hiring managers to remember that very few candidates will tick all the boxes. This is why it is important to hire based on potential. “There is also something very rewarding about recognizing talent and nurturing it through training. Those with aptitude will flourish quickly, and the business education that trains them will be generously rewarded,” Wang said.
TechRepublic’s Premium Cybersecurity Engineer Recruitment Kit takes some of the guesswork out of getting the recruiting process started. It includes a job description, salary scales, interview questions and more.