Open-Minded Approaches to Addressing the Cybersecurity Skills Gap

Open-Minded Approaches to Addressing the Cybersecurity Skills Gap
Author: Sandy Silk, CISSP, Director of IT Security Education & Consulting, Harvard University, and Kris Rides, co-founder and CEO of Tiro Security
Date Published: 26 June 2020

It is more important than ever that organizations become creative in their approaches to addressing under-resourced security staffs. If you look at ISACA’s State of Cybersecurity 2020 report, which predates COVID-19, 62% of companies are understaffed and 57% have unfilled security positions. Most companies were not prepared to, almost overnight, arrange for most of their staff to work remotely.

We’ve also seen a marked increase in attackers trying to take advantage of the churn. This has increased risk, meaning a majority of security teams are even more overworked. Then, add to this that many companies have frozen or slowed hiring due to the pandemic, and you certainly need to fill the skills gap. We need people coming into the industry from alternative backgrounds more than ever. While it can be difficult right now for an overworked team to skill up someone who is coming from another internal team, the fact that they already know the business is a huge positive.

A non-cybersecurity background does not necessarily translate to being able to tackle security problems more creatively than others, but it brings a different perspective. First, let’s agree there is no traditional path to a career in cybersecurity to define what an alternative one would be; our profession is still too nascent. We’re not like medicine or law where we can even agree on a specific credential anyone needs to achieve. A college degree should not be a requirement, let alone one in a specific discipline, since there are many great minds who didn’t have the opportunity to pursue a degree but may be self-taught or have fantastic experience.

Our profession needs diversity in culture, thinking, privilege, gender, physical traits, etc., to better represent how people are interacting with and using technology in environments different from our own. The technology itself is a constant. Even though it’s ever-evolving, technology is still based in logic and rulesets. Our “wild cards” will always be the decisions people make about where, when, why and how to use it, particularly in combination with other technologies we ourselves may not know about or use. It’s impossible to solve a problem without identifying the variables.

Candidates with alternative backgrounds can be key to making a bigger impact on diversity within cybersecurity, which is an issue that the industry has been battling for years. We’ve started seeing examples of people in HR, finance and sales making internal moves into security with very successful results. Likewise, people are entering the industry with degrees in areas like psychology, law, and political science, rather than the typical computer science background. The companies that have been willing to be more flexible in their hiring approach have found that the knowledge and differing viewpoints that these “non-traditional” employees bring are insightful.

Regardless of the candidate’s background, there are consistent traits that make for a successful transition into cybersecurity – an obvious passion for the field and strong verbal and written communication skills. The best cybersecurity people have a thirst for knowledge and are able to synthesize ideas from multiple perspectives. People want to work with passionate individuals who communicate well, and cybersecurity is a great place for them to be, given that they need to work closely with so many parts of the business. That means that another trait that is non-negotiable, no matter the background, is embracing teamwork. We need to be able to pull together toward agreed goals with colleagues from various business and technology groups in our organizations, which means we must hear their ideas and concerns and reflect them in our recommendations.

The cybersecurity skills gap has been persistent and remains a daunting challenge for organizations of all sizes and scopes. Doing away with unhelpful, outdated notions of what it means to be a cybersecurity professional can set organizations on a more productive path to finding the people they need.