Closing the Cybersecurity Talent Gap With New Candidate Pools

06/15/2022
Esther Shein is a technology and business writer and editor whose work has appeared in CIO.com, Computerworld, TechRepublic, ZDNet, TechTarget, The Boston Globe, and Inc.

With cybercrime at its highest and the groups behind it getting bigger and more organized by the day, companies are struggling to find enough talent to join their cybersecurity efforts. Businesses are running against the clock to broaden their hiring scope and deploy extensive training initiatives to nurture the much-needed skills.

In 2021, data breaches rose 68% from the previous year, ransomware became so prevalent that Interpol now classifies it as a worldwide pandemic, and the money stolen by internet criminals tripled. With organizations like the World Economic Forum warning that “the sophistication and scale of cyberattacks will continue to break records” in the coming years, it’s no surprise that CEOs worldwide consider this the biggest threat to their companies’ growth—more dangerous than the global health situation and macroeconomic volatility.

Of the 1,223 IT and cybersecurity decision-makers surveyed for a 2022 report by Fortinet, 80% experienced one or more attacks that they could attribute to a lack of cybersecurity skills on their team.

Leaders are aware of their weak spots, and the demand for cybersecurity talent has reached a historic high: 63% of businesses say they have unfilled security positions, and 60% experienced difficulties retaining qualified cybersecurity professionals in 2021, according to a report from the Information Systems Audit and Control Association (ISACA). And information security analyst jobs are expected to grow 33% by 2030—faster than the average for all other occupations.

Cybersecurity’s future outlook: 3.5 million open roles and $10.5 trillion in cybercrime costs by 2025.

Although there's no consensus on when the security talent shortage started, experts agree that the COVID-19 pandemic not only exacerbated the crisis but introduced new problems: The sudden shift of so many companies into remote work created a significant demand for skilled cybersecurity professionals to keep operations safe, leading to a high rate of burnout for these jobholders.

The subsequent “Great Resignation” is also compounding the long-standing hiring and retention challenges that the cybersecurity community has been facing for years, according to Jonathan Brandt, director of Professional Practices and Innovation at ISACA.

“Cyber talent shortages are not going away and are complicated by workplace requirements that continue to outpace the traditional university development cycle,” he tells Staffing.com. “We must continue to challenge all assumptions and embrace additional pathways that cut the time for training and placement.”

HR and security leaders must deploy new strategies to attract, hire, and retain cyber professionals while looking for ways to leverage the transferable skills and potential of untapped talent.

Companies face challenges like long hiring periods and difficulties retaining cybersecurity talent.

The New Talent Pools

To discover talent that will narrow the gap, organizations should consider these sources:

Veterans

Officials at GuidePoint Security are taking an innovative approach to solving the cybersecurity workforce gap: They are training veterans leaving the military to become cybersecurity analysts. The fully remote firm—which provides cyber resources to corporations, government organizations, and federal agencies—recognizes that many veterans have “relatable skills” such as penetration testing and incident response training, Meghan Hermann, GuidePoint’s VP of HR, tells Staffing.com.

Through the company’s GuidePoint Security University program, vets learn skills such as penetration testing and incident response. Hermann says the company has hired every graduate of the program: Of 617 employees, 17% are veterans.

GuidePoint is also training candidates through the SkillBridge military program. Even in a climate with a strong burnout factor, the stability of cybersecurity analyst roles presents an attractive incentive for career-changing veterans. Within the growing, ever-changing cybersecurity field, GuidePoint will continue training people in different skills, Hermann says.

“The challenging part is making sure we’re finding the best opportunities for the vets who have 15 to 20 years of experience—but not necessarily in cybersecurity,” she says. Some of the veterans have a technical background and can, for example, call upon their network engineering skills to set up different military bases with LANs (local area networks) and routers; others have no technical experience whatsoever.

The only criterion is that they have to be interested in cybersecurity, she says. “If they’re trying to get [security certifications], then it shows us they’re willing to go into this industry and we’re willing to invest in them.”

Neurodiverse Candidates

Some 85% of college graduates who self-identify as autistic say they are unemployed, Janet A. Lenaghan, interim provost and dean, Frank G. Zarb School of Business at Hofstra University and an expert in human resources management, tells Staffing.com.

While some people on the autism spectrum have skills that are well-suited to cybersecurity positions, such as attention to detail and the ability to stay hyperfocused for long periods of time, they don’t necessarily lean toward STEM and tech careers. Marcia Scheiner, president and founder of Integrate, a nonprofit that helps organizations identify and recruit professionals on the spectrum, says her organization spends a lot of time “myth-busting” the assumption that autistic people are instinctively drawn to tech roles. She says the journey to tech for talent with autism may have more to do with growing opportunities in that sector.

“We do early career-type placements and we’re seeing more of our candidates studying cybersecurity, but it’s a relatively new major,” Scheiner tells Staffing.com. It has only been over the past year or so that individuals on the spectrum have started majoring or concentrating in the field, she says.

Educational options are surfacing, including a program based in Australia called Genius Armoury that offers a cybersecurity training course and job postings to autistic individuals, Scheiner says.

Female Candidates

It is well documented that there are fewer women in STEM fields, but organizations can nurture that pipeline, Lenaghan says. There are a number of ways to encourage women to enter the cybersecurity field, she says, “from universities offering pre-collegiate women after-school and summer programs aimed at encouraging them to pursue STEM fields, to employers offering experiential learning opportunities to women during their undergraduate studies.”

Organizations also can create internal pipeline programs to help women develop the technical skills needed for careers in STEM, Lenaghan says. “It takes intentionality and resources to ensure the pathways for women to pursue careers in STEM are open and well supported.”  

Organic and Contingent Candidates

Claudia Ivanova, Head of HR at FISPAN, an enterprise resource planning (ERP) system provider for the banking industry whose past clients have included JPMorgan Chase, says that given the company’s continued and expected growth in 2022 and changing market needs, her team continues to search for individuals even when jobs are not posted. “We make it a priority to connect with organic candidates—individuals that reach out to us regarding opportunities—as well as with professionals in general with the skill sets we may need in the future,” she tells Staffing.com.

In addition to lucrative salaries, Ivanova has found that cybersecurity professionals are also seeking stimulating projects and mentorship. “Compensation can be a big factor, but many of the individuals I have met recently are much more interested in making an impact at the organization and working on something they are passionate and care deeply about,” she says.

Ivanova says hiring contingent workers is a way to expand the talent pool and pipeline. “Finding individuals [who] work with specific technologies and have an understanding in niche areas can be very challenging,” she says. “In hiring contingent workers, organizations can gain the expertise, skills, and knowledge necessary to propel the business forward.”

Apprenticeship Graduates

In February 2022, global communications company Cox Enterprises launched a cybersecurity apprenticeship program in partnership with City of Refuge Atlanta, a local nonprofit organization. The two-year program starts with a bootcamp in which trainees—individuals from one of Atlanta’s poorest areas who have no college experience or traditional job qualifications—learn skills to prepare them for jobs as software developers and cybersecurity analysts.

“Many of them will leave our program as the first salaried worker in their family,” says David McLeod, VP and Chief Information Security Officer at Cox Enterprises. Cox Enterprises will hire six people who complete the bootcamps in its first year. There are plans for a second cohort this summer, McLeod says, and the hope is to form a new group every six months.

“We believe this apprenticeship program will serve as a playbook for other companies to close the cybersecurity skills gap and provide a life-changing opportunity for workers often overlooked by businesses,” says McLeod.

Revitalized Thinking

With about 40 openings on his team of around 500 employees, Kevin Tierney, VP of Global Cybersecurity at General Motors, is getting creative in seeking solutions. Burnout among cybersecurity professionals became a problem because remote work during the pandemic blurred the lines between work and personal life, Tierney tells Staffing.com. His response has been to “acknowledge it exists and that we’re human.”

It’s a departure from previous discussions with staff when there was no talk about how people were feeling. “Now we focus on that and listen,” Tierney says. “We’re getting at the roots of problems before they become a huge issue.”

He’s also making sure there are opportunities for his staff to move into different roles and follow a career trajectory. Tierney says he is actively working on creating more cybersecurity career paths since the field is still relatively new. “We’re also giving people special projects, which gives them a bit of revitalized thinking because they see something new and they see different people.” While he acknowledges that he can’t change everyone’s job overnight, he makes sure those opportunities are within reach and encourages staff members to stretch themselves.

Cybersecurity professionals are often looking for challenging work, and Tierney says GM is fortunate that it can offer the opportunity to work on innovative technologies like creating autonomous vehicles. Many of his staff want to publish or present at security conferences, which Tierney celebrates.

Although GM historically focused on sourcing IT candidates from top universities, Tierney says the company has expanded its search to HBCUs to ensure that GM is getting talent from racially diverse pools.

And because not all security professionals go to college, Tierney’s team reaches out to nonprofits to find people with high school diplomas whom they can train and hire. GM officials also attend security conferences and talk to hackers, he says. Those GM recruits have the opportunity to obtain a college degree if they choose.

“I was an electrical engineer who moved into cyberspace 10 years ago, so I can’t rule anything out,” Tierney says. “We’re too new a function. We have to be flexible.”

High stress levels and limited promotions are among the reasons why cyber professionals leave jobs.

New Opportunities Emerge

Several tech giants are also taking action to attract more people to the cybersecurity field.

In 2021, Microsoft announced a national cybersecurity education campaign with US community colleges. In March 2022, the initiative expanded to 23 countries, supporting the delivery and development of cybersecurity skills by local education institutions, nonprofits, governments, and businesses.

IBM has committed to skilling 30 million people globally by 2030 and has announced new partnerships to provide free online courses in cybersecurity, communication, presentation, and commercial skills.

(ISC)² is piloting an entry-level cybersecurity certification program, designed to attract more candidates and career changers to the field.

Amazon Web Services, Google, and Coursera offer apprenticeships, certificates, and coaching programs that teach security skills and introduce career pathways. In 2021, the Department of Homeland Security launched a federal recruiting tool to court young, diverse talent.

Organizations are addressing the workforce gap by offering training and flexible working conditions.

Deidre Diamond, founder and CEO of cybersecurity recruitment firm CyberSN and founder of the nonprofit Secure Diversity, says that despite many organizations’ motivation to invest in cybersecurity, they must first step up their recruiting efforts. Many cybersecurity professionals, especially those in technical positions, are not clamoring to switch jobs, even if they’re not satisfied at their current employer, she tells Staffing.com.

“If the right job gets in front of them they’ll interview, but most people are passive seekers who aren’t happy but also are not willing to scour job listings. They have to be reached,” she says.

Hofstra’s Lenaghan says although the number of university cybersecurity programs has grown over the past five years, leaders need to look at transferable skills such as critical thinking and problem-solving and consider how those skills can be applied to data security.

Looking Ahead

The good news is that the talent gap is slowly narrowing. In 2021, the number of additional professionals that organizations needed to defend their assets decreased for the second year in a row, from 3.12 million to 2.72 million.

But the point at which this situation stops being critical is still far off. Organizations must stay committed to hiring and training cybersecurity talent (what Diamond calls an “infrastructure of people”). Appointing a knowledgeable information security leader and providing that individual the resources to hire qualified, trained professionals from diverse sources is the path to minimizing security risks and protecting a business for the future.
