If you’ve been following cyber security news over the last few years, you’ll have noticed variations on the same story cropping up time and again: employers can’t recruit the people they need for cyber security, and as a result, millions of posts are going unfilled. The headlines often refer to this as the ‘Cyber Security Skills Gap’.
But just how accurate is this? After all, a skills gap is basically a mismatch between what employers want or need particular employees to do, and what those people can actually do when they walk into work. If you cannot find someone who knows how to run a penetration test, then that’s a skills gap.
However, if a business automatically discards candidates who have hands-on hacking skills but lack a particular college degree, it is facing not so much a skills gap as a recruiter expectations gap.
Overly rigid hiring criteria don’t work for anyone. They mean that far too many skilled applicants fall by the wayside while posts go unfilled. Thankfully, however, there’s evidence that things are changing, with an extra 700,000 people joining the cyber security workforce in 2020 (up 25% on the previous year’s figures). Employers are being encouraged to be more creative when it comes to hiring, with more flexibility on years-of-experience requirements and less emphasis on traditional training routes.
For would-be entrants to the infosec profession, this is actually very good news. If you can pivot your existing skills, fill the gaps in your knowledge and pick up the type of practical know-how that’s in demand, you should be better placed than ever to fill the gap.
The hiring shortfall in focus
Here’s a quick snapshot of the recent state of cyber security hiring across various parts of the globe…
As reported in TechTarget, according to (ISC)2, the gap between open cyber security positions and those filled currently in the US stands at 359,000. Speaking to TechTarget, Bart McDonough of managed IT and cyber security provider Agio said, “Cybersecurity leaders these days must understand that talent rarely comes in ‘fully baked’ and will need time and attention to train up.”
Vacancysoft’s 2020 report, Cybersecurity: Building Business Resilience highlighted a shortage of 140,000 cyber security professionals across Europe. An estimated 70% of businesses are lacking an adequate security team.
Last year, ComputerWeekly highlighted a massive growth in demand for cyber security applicants outside of the London bubble. Year on year, the number of advertised jobs in Yorkshire and the North East increased by 138%, along with an 85% increase in the South West. Only 10% of existing IT professionals have the cyber security skills the UK’s tech sector currently needs.
According to a recent estimate by the Data Security Council of India, the country will shortly find itself in need of about one million cyber security professionals. 49% of organizations surveyed for the State of Cybersecurity 2021 report say that they have unfilled positions in their cyber security divisions. According to R.V. Raghu, member of ISACA’s Emerging Trends Working Group, “It is not only important to better prepare fresh graduates, but also to bring a wider pool from all streams and equip them with the skills needed to succeed in a cybersecurity career”.
Skills Gap vs Hiring Gap
The talent is out there. It’s just that outdated ideas of what it means to be “qualified” often act as a barrier to recruitment. That’s according to a recent opinion piece for Forbes by Christian Espinosa, Cybersecurity Engineer, Author of ‘The Smartest Person in the Room’, and Founder and CEO of Alpine Security.
If employers insist on a very rigid wish-list of what to expect from candidates, then a so-called skills gap is inevitable. There simply aren’t going to be enough college graduates with 5 years+ in-house experience to go around. And Espinosa’s argument is that the value of theory-based college courses can easily be overstated. Candidates can sometimes look great on paper; they can ‘talk the talk’, but lack the type of practical know-how that organizations actually need.
How are employers responding?
As we mentioned earlier, the last few years have been dominated by stories of the cyber security skills gap. But recently, there has been a shift: employers are starting to realise that it’s actually a hiring gap rather than a skills gap. Forward-thinking businesses are becoming less rigid in their approach to recruitment, which is good news for anyone who’s arrived at infosec via non-traditional routes.
ISACA, the global IT governance and accreditation body, recently published an article giving best practice tips for widening the talent search. These include:
- Setting out clear, achievable expectations in job postings and greater reliance on practical skills tests.
- Flexibility with years-of-experience requirements.
- Avoiding over-reliance on formal qualifications and focusing on up-to-date know-how.
- Looking for general evidence of inquisitiveness, willingness to learn, problem solving and communication skills.
Where this leaves potential cyber security employees
If you would like to transition to a cyber security role with your existing employer, what specific skills does the business require? If you are approaching cyber from a completely different background, what’s the best way to get started? If organizations are going to respond to the growing risks out there, the only way forward is going to involve greater flexibility in bridging the hiring gap. For would-be employees, there has never been a better time to focus on targeted, hands-on training to bridge their own skills gaps.
To ensure your skills are better aligned with the demand that’s out there, explore our Cyber Security Career Development Platform HERE.