As ransomware attacks, nation-state hacking campaigns, data breaches, and other cyber threats dominate the news, one item remains largely unreported: The growing need for cybersecurity professionals to fill more than 400,000 open positions across the U.S. private sector.
At this point, it is well-known that there are more cybersecurity positions than workers who can fill them. New industry statistics and a series of high-profile attacks have shed light on this talent gap, however.
There are more than 428,000 open cybersecurity positions in the U.S. private sector as of June 1, according to Cyber Seek, a job-tracking database developed by the Department of Commerce and CompTIA, an IT trade association. There are more than 52,000 job openings in California and another 40,000 in Texas. There are also many security positions available in New York, Virginia, North Carolina, Florida, and Georgia.
Cyber Seek stats show that cybersecurity analysts, cybersecurity managers or administrators, cybersecurity consultants, network engineers or architects, and systems engineers are among the top-demand titles and positions right now. Among those with certifications, the Certified Information Systems Security Professional (CISSP) is the most sought-after.
Security professionals are in such demand, especially for those with skills or those looking to retrain, that the White House highlighted cybersecurity jobs as one of the core tenants of the Biden administration’s American Jobs Plan.
The American Jobs Plan will build on that progress and deliver resilient infrastructure for the American people, including a renewed electric grid. According to a White House fact sheet published in May, “cybersecurity is a core element of resilience and building the infrastructure of the future.”
A reason that private companies have had difficulty finding enough cybersecurity professionals is that job demands are constantly changing. With the COVID-19 pandemic providing the opportunity to work anywhere, the situation has become even more challenging.
As threats continue to evolve and grow in number, there will always be an insufficient supply of cybersecurity professionals. Cybersecurity professionals typically specialized in particular fields or technologies. To be successful in the role today, a person needs both business and technology experience. The constant evolution of threats requires cybersecurity professionals to be able to adapt quickly. Such professionals are scarce.
If cyber networks face such a severe talent shortage, what can be done?
Rethink your hiring practices and pay cybersecurity and network security professionals a higher salary.
If an organization wishes to compete as an employer of choice in cybersecurity, it may need to differentiate its career path and pay scale from those of other technology roles. The U.S. government launched a new compensation system and talent management system to compete with the private sector for cyber talent. The agency has overachieved 50 percent of its hiring goals over the past year.
In addition to having more resources than most government agencies, DHS has attractive options that are not available to three-letter federal agencies, such as working from home. The recruitment process should also emphasize career path options, a flexible working environment, local culture, and security training.
Consider changing your hiring criteria and developing talent in-house.
Another appealing option is to assemble a team of experts from other disciplines, including system administrators, programmers, database specialists, and help desk professionals. There might be some adjustments to degree requirements, certifications, and/or other job requirements, but hiring passionate achievers with most of the necessary skills will still be possible. To attract interns and students in a win-win situation, establish partnerships with local community colleges and universities.
Become more involved in the private sector.
Many security leaders are using contractors and/or managed service providers (MSPs) to run either part or all of their security programs when changing their hiring practices is too difficult. Almost any technology or security function can now be purchased as a service, thanks to the market’s dramatic change in the past few years.
Although this solution seems obvious, you need to ensure you have the right contract staff or MSP solution on your team by strengthening your contract management skills. After an initial “honeymoon” period, beware of vendors replacing qualified cyber pros with unqualified ones. You should try to establish a long-term solution, not just plug short-term gaps.
You need to look beyond your organization for lasting government cyber solutions. By developing strategic relationships with other governments and nonprofit groups like the Multi-State Information Sharing and Analysis Center (MS-ISAC), economies of scale can be realized. Remember, outsourcing the work is possible, but not outsourcing the responsibility. Your team must work well together, no matter which direction you take, to enable the government to run smoothly.
Hiring and Retaining Cybersecurity Talent: A Practical Guide
Companies need to do more to attract cybersecurity talent, which means going beyond advertising for technologists with certain certifications.
Companies need to focus on the following four areas:
Cybersecurity careers branding: Cybersecurity careers are perceived as “uncool” and need to be positioned to compete against jobs in software development, artificial intelligence, and data science at companies like Amazon.
Find out how to recruit Generation Z: As this generation is entering the workforce, companies need to understand what is important to them, such as flexible hours, work-from-anywhere, and social causes.
Upskill your current employees: Training and career development are important to retain current talented workers. An employer with a clearly defined program will also be able to recruit better.
Education is an investment: By teaching cybersecurity in schools, future professionals will be able to better understand the opportunities available to them.
The core of this issue is that there are not enough skilled workers for the positions available. Although computer science is a growing major in colleges, only a small percentage of graduates go into cybersecurity.
