In a bid to address the chronic cybersecurity workforce gaps, enterprises are looking beyond traditional four-year degrees to find qualified staff.
More organizations are working to hire people with subject matter expertise, certifications or other credentials above, or even in place of, college degrees, CompTIA's State of Cybersecurity research found.
Security experts agree the industry may need more novel measures to help fill the shortfall.
“They need to start getting creative about how they can find, recruit and hire candidates,” said Brennan Baybeck, SVP and CISO for customer success services at Oracle and ISACA vice-chair.
With 4 million cybersecurity professionals needed worldwide, according to ISACA’s State of Cybersecurity 2023 report, there’s a substantial gap to fill, and filling it requires collaboration between industry, government and workplaces.
To address the shortfall, partnerships between business and government agencies that train people in cybersecurity are emerging, and hyperscalers are offering free training and certifications, Baybeck said.
For its part, Oracle is supporting government initiatives in Singapore and provides a range of free training and certification programs.
“Hyperscalers may be driving more use of their platforms, but the topics and concepts provide valuable knowledge that will address most of the skill gaps and help chip away at the millions of open cybersecurity positions out there,” Baybeck told Cybersecurity Dive.
Baybeck believes the collaborative approach is a win for everyone and can target where the skills gaps are most pronounced. Particularly short-staffed areas include cloud computing, security controls, coding skills and DevOps, according to ISACA’s report.
“With cloud technology usage growing exponentially throughout the world, it’s a formula that should pay off for hyperscalers, their customers and individual workers,” he said.
Changing the approach to hiring and nurturing staff
The pace of change is one of the primary drivers of workforce skills gaps. Enterprise technology in general and cybersecurity in particular are moving faster than traditional learning pathways can keep up with, according to the CompTIA report.
In response, organizations are recognizing different ways for candidates to prove their knowledge and skills. They're hiring less experienced people who can continue building their skills while also becoming familiar with corporate culture and objectives.
But to make this work, businesses need to rewrite hiring criteria and become open to non-traditional candidates.
Training existing non-security staff to level up their skills to take on new cybersecurity roles is another option, the ISACA report found. The benefit is that in-house people probably have some of the other skills and requirements, such as soft skills, a college degree, and prior hands-on technology experience.
“Then it’s a matter of closing the specific skills gaps, which can usually be done if someone has the interest, passion and dedication to learn new things,” said Baybeck.
To assist in upskilling, Baybeck would like to see organizations offer more focused, modular learning programs, such as microlearning concepts that professional industry organizations or service providers offer.
“It would help people gain the skills needed to address the gaps, move into the workforce sooner and then they could supplement the cyber skills with a degree or certification,” he said.
The gap in soft skills in 2024
Soft skills, including communication, are the other major area in demand at the moment, according to the ISACA report and the latest ISC2 Cybersecurity Workforce Study.
While organizations continue to look for people with technical backgrounds, because it’s an easier pathway into cybersecurity, they’re increasingly giving more weight to non-technical skills, according to ISC2.
“Over the last few years, we’ve seen organizations moving to hire for the non-technical skills first and organizations doing so are more quickly dealing with their workforce gaps than those holding out for a more detailed skill set,” said Clar Rosso, CEO of ISC2.
The non-technical skills organizations are prioritizing include problem solving, curiosity and eagerness to learn, effective communications, critical thinking and analytical thinking, Rosso told Cybersecurity Dive.
Despite the fervor about the possibilities of generative AI, Rosso doesn’t see AI displacing the workforce, but rather changing the types of jobs people do, which will put more emphasis on non-technical competencies.
“In an AI-driven world, we need more people who can apply their analytical and critical thinking skills to understand the data they’re looking at and whether it’s relevant and accurate, and consider the decisions to make against it,” she said.
Rosso expects to see an increase in demand for skills that touch on the safe and ethical use of AI within organizations and risk more broadly.
“Hiring managers may start to prioritize people who have risk assessment, analysis and management skills,” she said.
It’s part of a broader shift in cybersecurity that’s moving from an offensive approach to more of a defensive position around risk management.
“Risk is the basis of everything in cyber defense, understanding, analyzing, mitigating and transferring risk,” she said.
In taking this change of approach, organizations may need to step back from prioritizing specific experience and instead look at the competencies required for that task. Doing so could help address the workforce gaps by broadening the field of candidates and even improve diversity.
“We've had this workforce gap for so long, organizations are thinking differently about who and how they hire,” she said.
Correction: This story has been updated to reflect that it references ISACA’s State of Cybersecurity 2023 report.