Despite recent high-profile tech industry layoffs, demand for cybersecurity professionals is still very high. With so many tech industry workers looking for their next job, why aren’t these displaced workers being recruited?

Better matching of less likely candidates to retrain as cybersecurity techs may hold the answer. Demand for cyber workers is set to increase by 25% in 2022, and much commentary exists about the need to hire cybersecurity talent from non-traditional backgrounds, such as bartenders or schoolteachers.

According to data released in late January from the Cyber Security Workforce Analysis site developed by NIST, CompTIA and the National Initiative for Cyber Security Education at Lightcast, the total number of employed cybersecurity workers is expected to remain fairly stable in 2022 at about 1.1 million. The number of online job postings declined from 769,736 to 755,743 in the 12 months ending December 2022.

“Despite concerns about a slowing economy, the demand for cybersecurity employees remains historically high. Companies know cybercrime won’t stop for a downturn in the market, so employers don’t want to risk stopping their cybersecurity hiring,” said Lightcast Vice President of Applied Research – Talent Will Markow.

According to Lightcast data, each of the first nine months of 2022 set records for the highest monthly cybersecurity demand since 2012, but demand cooled off in November and December. A key indicator is the ratio of currently employed cybersecurity workers to new openings, which shows how significant the workforce shortage is.

The supply-demand ratio is currently 68 workers per 100 job openings, up from the ratio of 65 workers per 100 jobs in the previous period. Based on these numbers, approximately 530,000 more cybersecurity workers are needed in the US to close current supply gaps.

Some industry researchers suggest that hiring cybersecurity talent from non-traditional backgrounds, such as bartenders or schoolteachers, is an ideal out-of-the-box solution.

Unrealistic Idea Given the Technical Constraints

Other cyber professionals argue that such a solution is not in line with the reality of the industry. Mainly, the barriers to entry remain high, with many organizations still using outdated recruitment methods, such as requiring certification that is impossible to obtain without work experience.

Lenny Zeltser, CISO at cybersecurity asset management company Axonius and instructor at cybersecurity training, certification and research firm SANS Institute, also finds it surprising that no one is talking about what happens once you land a cyber position in the first place: how difficult it is to move up the hierarchy.

There is little or no guidance on how to go from cyber practitioner to chief information security officer, or CISO. Many organizations lack standards and structure regarding how to pay cyber practitioners, and many employees know the only way to advance is to move to other companies, he argued.

People are simply starting the conversation in the wrong place, Zeltser offered. Companies must first address the “cyber security career gap” before they can begin closing the cyber industry skills gap.

He said that learning computer security skills is not the primary issue. Many avenues exist for those motivated to acquire the necessary skills. The problem is the expectation of what skills are needed.

“I believe there are a lot of opportunities out there for people to acquire security skills. So it leads me to consider that maybe there is more to it,” Zeltser told TechNewsWorld.

“Maybe we have unrealistic expectations for what we’re looking for.”

Forget Ideal Candidates

Perhaps the typical unicorn situation, where companies want one security professional who can do everything, is the culprit, he said. Cybersecurity is such a specialized field, with many specialized subsets, that it is difficult to be an expert on everything within it.

“We’re not open enough to let people with unusual non-technical backgrounds enter the field,” Zeltser said.

He offered an example from his previous roles within the industry. With slight variations, hiring managers want their recruits to do X, Y, and Z. Not seeing those abilities on a resume puts job applicants in the skills gap category.

What is the solution? Take cyber applicants with a few skills and train them for the rest.

Zeltser recalled an employer looking for security experts who would provide customer support. The company needed entry-level security personnel, but they were not available.

The company recruited tech-savvy bartenders who were interested in computers and could set up their own Wi-Fi. But they had only done this at home, he explained.

“We found that we were able to train them in the right safety skills in the office. But we didn’t need to train them, and it’s very hard to teach them, how to multitask and how to think on their feet and how to interact with humans,” Zeltser said. It turns out the bartenders are really nice.

Need a Positive End Result

Zeltser found many options where he could have been more open, and it became a necessity. “Being more open means changing your mindset to accept people from non-technical, non-traditional backgrounds,” he offered.

“I wish we could stop telling people in the industry that if they enter the field as a security professional, they should work at the pinnacle of a career in cyber security, which is the CISO role. The thing is, there aren’t enough of these roles,” he said.

According to Zeltser, the industry does not require as many security officers as other types of security professionals, resulting in people being set up for failure.

“We’re asking them to work in that direction, and that’s how we define success. But instead, we can talk about other ways in which people can be successful because not everyone has to be an executive, not everyone should be a manager,” he said.

Skill Gap Meets Security Gap

Even with a shortage of trained cybersecurity personnel, many organizations are on the right track in securing their business and mitigating cyber risks to it. The challenge, according to Joseph Carson, chief security scientist and consultant CISO at Delinea, is that large security gaps still exist for attackers to abuse.

“The security gap is widening not only between business and attackers, but also between IT leaders and business executives,” he told TechNewsWorld.

Carson acknowledged that some industries are showing improvement. But the issue still exists.

“Unless we solve the challenge of communicating the importance of cybersecurity to executive boards and the business, IT leaders will continue to struggle to obtain the resources and budget needed to close security gaps,” he warned.

Need a Better Career Path

Organizations need to continue expanding their recruiting pools, account for bias that may currently exist in cyber recruiting, and provide in-depth training through apprenticeships, internships, and on-the-job training. This helps build the next generation of cyber talent, said Dave Gerry, CEO of crowdsourced cybersecurity platform Bugcrowd.

“By creating opportunities for career development and rallying behind our mission to help protect our customers, their customers and the wider digital community from cyberattacks, employees feel they have a greater say in themselves and the wider community. There is an opportunity to improve,” he told TechNewsWorld.

Gerry said that over the years, we have been led to believe that there is a significant gap between the number of open jobs and the candidates qualified to fill those jobs. While this is partially true, it does not provide an accurate view of the current state of the market.

“Employers need to take a more proactive approach to recruiting from non-traditional backgrounds, which, in turn, broadens the candidate pool from those with only formal degrees to individuals who have incredibly high potential with the right training,” he said.

Maybe a Better Option

The recent release of the National Cyber Security Strategy will demand more than it can offer. This could slow down processes massively, predicted Guillaume Ross, deputy CISO at cyber asset management firm JupiterOne.

It will be necessary to prioritize and reduce the attack surface as much as possible. Also, security measures should ensure that developers, IT, and even business/process management people integrate security into their daily work routines.

“Improving the security skills of a million developers and IT workers will have a much better impact than training a million new ‘security people’ from scratch,” Ross told TechNewsWorld.

Large-Scale Universal Solution

The cybersecurity skills shortage is not just a problem for US industry. Ravi Pattabhi, vice president of cloud security at ColorTokens, an autonomous zero-trust cybersecurity solutions firm, said there is a severe shortage of skilled cybersecurity experts across the globe.

Some universities have started teaching students some basic cyber security skills, such as vulnerability management and system security hardening. Meanwhile, cyber security is undergoing a transformation.

“The industry is increasingly incorporating cyber security into the design phase and building it into product development, code integration and deployment. This means that software developers also need basic cyber security skills, including the use of the MITRE ATT&CK framework and using pen test tools,” Pattabhi told TechNewsWorld.