Building the cyber security workforce of today
Cyber security staffing shortages are being driven by issues such as burnout, a lack of interest, and qualifications (or lack of), leading to some alarming statistics for the industry.
According to the International Information System Security Certification Consortium (ISC2), the cybersecurity workforce gap increased from 2.7 million in 2021 to 3.4 million in 2022.
A separate UK government study reported there were 160,035 cyber security job postings in the last year – an increase of 30% on the previous year, and 37% of these vacancies were reported as “hard-to-fill”.
But even role filled doesn’t mean it’s being performed correctly.
The same report suggested half of all UK businesses have a cyber security skills gap which indicates some employees may be adding little value to the company.
According to Paul Watts, distinguished analyst at Information Security Forum, and retired CISO, students are being taught the technicalities around cyber security but failing to obtain that all-important experience.
“As we [cyber security professionals] know, it’s knowledge plus experience that gives you value,” he told delegates at Infosecurity Europe 2023.
In London’s prominent ExCel centre, Watts, alongside Erhan Temurkan, director of security and technology at Fleet Mortgages, discussed how businesses can retain and strengthen talent in an unforgiving cyber security landscape.
During his career Watts appeared as a guest lecturer at universities across the UK. Occasionally he’d ask students, ‘how much time is being spent learning the language of business?’ And more often than not he’d receive puzzled looks.
“A lot of those skills such as good presentation and emotional intelligence just aren’t being educated,” he said. And today’s cyber security professionals need to possess a much more diverse skillset. A skillset, according to Temurkan, largely made up of transferrable skills.
While working in the public sector Temurkan understood that psychological abilities can also be used in security. Cyber specific psychologists, for example, map out pathways to understand the mindset of a hacker.
Communication is also a key skill security must leverage, and it can sometimes be more valuable than industry knowledge – as Watts discovered when working at Network Rail.
He delivered a security transformation programme in white collar language to railway signallers. After the presentation a woman from Network Rail approached him and said “I think I can help but I don’t know the first thing about cyber or tech”.
“She came in, adapted it and it worked perfectly well and we got the engagement.”
The recipe for great communication is the core message and the demographic of the group you’re trying to communicate to. Then just shape the message to fit the different groups, said Watts.
Hiring internally and externally
While recruiters need to ensure they’re not grappling for staff, sometimes the best person for the job is right under their noses. It’s actually retaining this talent that can be challenging.
People need to be made to feel a part of something and businesses need to reassess that “total package” that compels people to stay, said Watts. It’s also important to remind employees of development pathways – “it’s a partnership between yourself and your staff at the end of the day.
“If firms aren’t looking to level-up their talent they’ll face a constant revolving door. How do you have continuity in your security programmes if you’re seeing a change in your workforce all the time?”
Temurkan added that every time you employ fresh talent you’ve got to retrain your business and “nobody benefits from that”, he said.
But let’s take a moment to consider fresh talent. It’s still important. And cyber security is a competitive industry, so the earlier you make people aware of who you are, the more talent you’ll attract.
“It could be setting up a podcast, or even teaming up with educational institutions,” Watts advised.
One ISF member from the City of Copenhagen recently described how the city has worked with educational institutions for some years.
“They take the time to explain [to the students] what it is that they do, showing the diverse ways they can help and support the city. Cyber security is one of the many areas they cover” he explained.
Communicating what a business does but also creating an emotional bond is vital – investing in talent makes it easier to build a workforce.
Money talks – but it isn’t everything
Employees want different things today. They’re not just motivated by money and this becomes clear in the interview stage.
“They want to talk about the work/life balance. How much time are you going to invest in me? what’s the training going to look like? can I travel to events and spend time with my peer groups?” said Watts.
The credentials of the business are also a point of interest.
Employees need to be see their own values reflected in an organisation, through initiatives such as sustainability and DEI.
Working from home is also key. While it can sometimes be a deciding factor for employees – 83% of employees to be exact, according to a study by Accenture – if you don’t have that physical connection to the business, firms are left with developmental problems, Watts warned. This means businesses need to look at how they’re supporting and engaging these greenhorns into the businesses.
“It’s all about being inclusive and feeling part of the business family” said Temurkan. “It could even be something as simple as sending employees donuts on national donut day, that’s what we do.”
To read more stories on cyber security click here.
Subscribe to our Editor's weekly newsletter