For those who don’t know me, firstly hello! I’m one of the Board Members at Women In Cybersecurity UK (WiCyS UK). WiCyS UK seeks to encourage, attract and promote women in the cybersecurity industry.
Back in December 2021 I presented my talk, titled: “Addressing the Mythical Cybersecurity Skills Gap and Improving Diversity” at the Cyber Fringe Festival. During the talk I discussed the cybersecurity skills gap and offered advice to organisations looking to improve their inclusion and diversity.
First things first, what is this “skills gap” all about? Well, according to multiple studies, there is a continuing shortage of skilled cybersecurity professionals worldwide. One study by ISC2 estimates that there are around 3.12 million cybersecurity jobs that need to be filled. This number appears to be steadily decreasing.
Yes, there are clearly a lot of roles that need to be filled – I’m not disputing this fact. However, I believe that the focus of the “cybersecurity skills gap” is wrong; the world does not lack skilled people. Speaking from my experience interacting with people every day, there are an abundance of talented, skilled people out there who cannot join the industry due to outdated and inflexible hiring practices and entry routes.
So, what are the top reasons for this supposed “gap” in skills?
Hiring practices need re-thinking and updating
Entry routes into the industry are inflexible
Inclusion and diversity are often not a priority
The industry faces an image problem
So, how can we tackle all of this?
- Tackle the industry’s image problems – contrary to popular belief, cybersecurity is not just all hacking and coding (although there are many roles out there that fall into these categories). Raise awareness about the breadth of opportunity available – start in schools/education and reinforce the message throughout your organisation and networks.
- Re-think your hiring practices and broaden your entry routes – e.g., consider taking on juniors, apprentices, grads, allow employees to cross-skill or perhaps help people return to work after a career break. Be realistic about what you are looking for in a cybersecurity professional and be clear about what skills are needed for them to be able to do a particular role.
- Replace and update traditional models for what cybersecurity practitioners look like, and what their CV/resume looks like – soft skills such as empathy and communication skills are absolutely essential for cybersecurity professionals (if you can’t communicate complex info to a variety of audiences, it will fall on deaf ears and your cybersecurity strategy will fail). You can also re-write your job descriptions to encourage a broader range of applicants and widen the talent pipeline – my tips: remove essential criteria as it can cause some to self-select out of applying, consider your use of inclusive language and avoid stipulating unrealistic entry criteria such as CISSP/CISM/particular degrees (as not all skilled cybersecurity professionals have or require these). I’ve seen many junior cybersecurity job descriptions asking for 3-5 years’ experience, which is quite frankly absurd. These people are junior, which means they likely have NO EXPERIENCE – don’t set ridiculous and unrealistic expectations on people, barring their entry to the industry. Consider growing your own talent – remember it’s a long-term return on investment.
- Prioritise diversity and inclusion – many organisations adopt a “tick box” approach – e.g., each year hiring a % of people from minority groups. This is NOT true diversity. Instead, embed inclusion in your culture (which takes time) by encouraging an open, psychologically safe communicative environment (e.g., consider making inclusion a standing agenda item in team meetings and at corporate events to encourage open discussion, and encourage your staff to “bring their whole selves to work”. Don’t just talk the talk, ensure you walk the walk as well).
If the above points get addressed, then I expect we would see that this “skills gap” magically disappears. We can all work together to address it.