Recruiting to reduce risk: Addressing the cybersecurity skills gap

There is much talk regarding skills shortages and how it impacts a broad spectrum of industries. One area where this issue is especially pronounced concerns digital skills, with 76% of the global workforce admitting that they feel poorly equipped for the future of work. 

Drilling down further, cybersecurity skills appear in particularly short supply. The ISC2 Cybersecurity Workforce Study, 2023 , reports that even as the number of cybersecurity professionals continues to increase worldwide, the demand for these roles is growing faster still. Last year, the global cybersecurity workforce was estimated at 5.5 million, the highest ever recorded by ISC2, but this wasn’t enough to prevent the cybersecurity skills gap from growing by 13%. 

The need to close this gap is acute. The global economy’s increasing reliance on digital technologies means an inability to adequately safeguard assets is causing significant financial damage, with the cost of cyberattacks potentially reaching as much as $10.5 trillion annually by 2025. But with the threat landscape evolving all the time, ensuring that workers have the right cybersecurity skills to counter today’s risks isn’t easy

However, the cybersecurity skills gap needn’t be thought of purely in terms of risks and threats. In fact, there is a $2 trillion market opportunity for cybersecurity technology and service providers if they can adopt the right recruitment strategies and technological deployments required to fill the roughly 4 million cybersecurity jobs needed this year. 

There is hope that the cybersecurity skills gap can be addressed. We’ve outlined how below:

Widen your talent pool

If you have cybersecurity vacancies that need to be filled, it’s important you give yourself the best opportunity to engage with the right candidates. For this to be the case, you should cast your net for talent as wide as possible. 

Think carefully about your job description. Is it as attractive as it could be? Does it clearly outline what you’re looking for? Simply fine-tuning your job advert could result in a significant increase in the number of applications you receive. Similarly, think about where your ad is located. Make sure your vacancy is posted on job boards or social networks where it is likely to generate the most traction and encourage your current staff and other stakeholders to share it as widely as possible. 

In addition, place a greater value on candidate diversity. One of the best ways of increasing your talent pool is by focusing on non-traditional channels and demographics. In cybersecurity, this often means a focus on gender (women only held 25% of cybersecurity jobs worldwide in 2022) but there are other factors to consider as well, including age, religion, ethnicity, and cultural fit. Don’t place restrictions on your recruitment drive. Make sure your vacancies are welcoming for a diverse range of candidates.

Get your culture right

There remains a perception in some quarters that cybersecurity is … a little dull. However, this isn’t necessarily the case. Entice workers to your company by showcasing your values, by demonstrating how exciting and rewarding working in cybersecurity can be.

Don’t focus exclusively on the technical requirements of your cybersecurity post. Be sure to champion your commitment to corporate social responsibility and community initiatives too. Cybersecurity has implications for healthcare, manufacturing, government, education, the media, and more. So talk up how much of a difference individuals could make by taking on your vacancy. 

Think also about how your company culture is promoted. This shouldn’t only be in job ads, but embodied by your leadership personnel. These individuals should promote both technical expertise and communication skills so that they can take on a mentorship role for employees that embodies everything a cybersecurity role can offer.

Retain before you recruit

Research indicates that 60% of enterprises are experiencing difficulties retaining qualified cybersecurity talent. This only exacerbates the skills gap, with some professionals moving on to competitors and others leaving the industry entirely. 

Businesses need to work harder to retain their cybersecurity talent, who commonly cite a number of reasons for leaving their current role, such as insufficient pay, a lack of advancement opportunities, and burnout due to the scale and fast-moving nature of threats. If these issues are addressed before employees look to leave, businesses can focus on adding value to their cybersecurity workforce, building on the knowledge and expertise that is held by their existing cybersecurity staff. 

Promote internal hiring and cross-functional collaboration to ensure that your current cybersecurity staff have a sense of purpose in their work. Collect employee feedback so issues can be resolved quickly and, if employees do decide to move on, ask them the reasons behind their decision. As well as the damage to morale and workplace camaraderie, replacing talent can be a lot more costly than retention - as much as 33% of a worker’s annual salary according to some reports.

Invest in the right areas

One of the reasons why cybersecurity professionals leave a company or decide not to join is a feeling that businesses aren’t willing to invest appropriately. In the cybersecurity space, this is particularly notable given the fast pace of change being experienced. The threat landscape is changing all the time, with new exploits, such as the SocGholish malware , frequently making headlines. 

The approaches that malicious actors are adopting are constantly evolving, so businesses need to react accordingly if they want to meet their current cybersecurity needs - not those of a few years ago. As such, it is essential they invest in the right training and development programs for their cybersecurity employees. 

By investing in your staff, not only will this create a growth mindset that convinces your existing cybersecurity personnel to remain at the company, it will also show prospective employees that this is the kind of place that will encourage their professional development. 

Embrace automation

Another way of future-proofing your organization against the cybersecurity skills gap is to invest in another area - automation. By reducing the burden of manual tasks on your cybersecurity staff, the skills gap can be substantially alleviated.

Moreover, automation can detect threats faster than any manual cybersecurity employee by scanning assets constantly, evolving immediately as soon as new attack methods are discovered. Automation doesn’t mean human cybersecurity staff are obsolete, but it can augment their roles, allowing them to focus on adding value rather than manual work. 

New technologies like automation can play a hugely important role in closing the cybersecurity skills gap. As digitalization ramps up and attackers find novel ways to target expanding attack surfaces, improving your cybersecurity recruitment won’t be enough to meet rising demand. Aligning technology, like Hadrian’s Automated Penetration Testing, and the right recruitment strategy is the only way to remain one step ahead of the hackers and ensure that a cybersecurity skills gap doesn’t lead to a gap in your defenses.