As the founder of Fortify Experts, a nationally recognized leading cybersecurity executive search and staffing firm, we are pulled into the trenches of the cybersecurity employment gap every day. We are exposed to both the job seekers and the companies seeking security professionals. As a result, there are three critical issues I see rising up in the cybersecurity employment space.
#1: Few opportunities for newbies.
There are many college-age individuals, and others whose careers have stalled, who have heard of the massive cybersecurity employment gap. These hopefuls have jumped into the field to take advantage of what CSO Magazine is reporting as a zero-unemployment field. They have been taking basic, advanced and even Master’s-level cybersecurity courses in hopes of landing a new career in this ever-widening space. Universities and security certification programs are seeing increased interest and beginning to train larger numbers of individuals. As a result, there is a new wave of cybersecurity graduates coming out ready to be welcomed by an industry starving for new talent.
However, many are shocked to find employment is much harder to land than expected. They are getting doors slammed in their faces when they were expecting welcome signs. They are being told they need a minimum of 2-5 years of cybersecurity experience to be considered for entry-level roles. Resumes of new graduates pour across our recruiters’ desks and the frustration level continues to increase.
Although the demand for cybersecurity professionals is high, most companies realize that becoming a good cybersecurity analyst or engineer is often a progression of skills that requires many years of other training prior to becoming a cybersecurity expert. Most often, the so-called ‘security experts’ were experts in other domains before they became security experts.
For example, to adequately secure enterprise websites, companies want someone who understands the intricacies of Unix, Linux, web servers and web services. To secure applications, they want someone who has been in the trenches developing code, testing code and understands how code is written and how it can be exploited. To secure enterprise networks, they are looking for someone who has designed network systems and who has configured routers, switches and firewalls and therefore, knows the breachable weaknesses within those devices.
Unfortunately, all of this experience takes time, and the cybersecurity domain is extremely broad and highly complex. The easy fixes have already been made. Adversaries are getting smarter and more sophisticated. Therefore, a recent graduate of a security program will be very limited in how they can contribute from the start. It would be rare for them to be able to identify or remediate advanced threats. Most employers need immediate results and don’t have the patience to train up recent graduates.
#2: Gap widens for experienced security experts.
The gap for those security engineers and experts who do have the technical skills continues to widen because it takes years to develop that level of expertise. Furthermore, the demand for cyber talent will continue to rise as exploits become more sophisticated and widespread.
(ISC)2 earlier this year predicted that the cybersecurity employment gap will fall 1.8 million short of the available talent pool by 2022, while Cybersecurity Ventures predicts that gap could grow as high as 3.5 million as soon as 2021. Even if the gap is somewhere in between, it is a large gap which will take years to correct.
To close this gap, employers will have to be willing to spend the time and resources to train up other non-traditional security resources. They will need to create programs to draw in women and less experienced technical employees.
One CISO who has gotten it right is Andrew Stanley of Philips Healthcare. He hires young graduates and also draws internally from the company's 100,000-employee base to attract anyone with an interest in cybersecurity. He has developed a highly effective and intense nine-month-long cybersecurity training program. His program is dedicated to helping non-technical staff get up to speed so they can effectively identify and remediate advanced threats in Philips’ global security operations center.
To achieve this, Stanley pairs each new hire with a senior security resource for the first 6 months of their employment. The senior resource is required to mentor and answer any question the new hire has. This creates a trusted bond and an outlet to ask all the ‘stupid’ questions that will translate into knowledge later. As a side benefit, it also trains the senior engineers to have more patience and even helps them develop their communication and leadership skills which can be lacking in some of the more technical security engineers.
After the 6-month initiation, if an employee shows promise, Stanley will send them to 3 months of intense SANS training, which is the largest information security training program in the world. This training deepens their technical knowledge along with increasing their threat analysis skills. Employees can choose their own specialty paths and can become certified in any of a number of specialties. Those who do achieve certifications receive a raise upon completion.
Stanley has found that this investment has produced highly effective and loyal security employees. However, this comes at a cost. Excluding salary, he says he invests well over $30,000 in each newbie during this nine-month training period.
This extensive investment in training is expensive and takes time. Most employers do not have the luxury of nine months to train up their staff nor the budget to fund a training program that extensive.
The problem then becomes finding the experienced experts. Cyber experts have been overwhelmed with opportunities and now rarely apply to job postings.
In a recent review of Security Architect positions on LinkedIn by Fortify Experts, on average, each posting received fewer than 5 job applicants even after being posted for 30 days. In comparison, for other more common IT jobs, the average was over 30 applicants during the same time period.
Demand is high, but active job seekers are very, very few. To find good security talent, companies must go back to old-fashioned headhunting, where they have to find and then sell candidates on the opportunity. Either hire a firm or find internal recruiters who know how to network with security professionals and extract experts from competitors.
#3: Security leaders are ready to jump to security-focused companies.
In most companies, the security team is often looked at as a necessary evil. A black sheep of the IT department. Security budget dollars are tight because it is considered a cost center, not a business enabler or revenue-producing function. In addition, security leaders are unable to get funding for additional staff or security tools unless there is a breach. If there is a breach, the security leaders are the first to be blamed for it, and if a major breach happens, they get fired. All the responsibility with very little executive or financial support. It is a vicious cycle which results in an extremely high leadership turnover rate. CIO Magazine claimed the average tenure of a Chief Information Security Officer (CISO) is only 17 months.
Therefore, this high churn of security leaders creates a flurry of activity when a leadership position is posted. Plus, the architects and technical security experts all want to throw their hats in the ring because they have heard the stories of big salaries and sign-on bonuses for those with CISO titles. Then, you add in the incumbent CISOs who work within companies that are unsupportive or do not take cybersecurity seriously. They also want to be considered if the leadership role comes with a higher degree of respect. For companies that do treat security leaders like CXOs and/or have them reporting to someone other than the CIO (such as the CEO, CFO or the Board directly), there is no shortage of security leadership candidates.
This flood of applicants creates another challenge for employers: sifting through the many flavors of security leaders to match them with the specific needs of the company. Most human resource managers and many CXOs, including CIOs, do not have the in-depth understanding of their current security landscape, nor of what the future landscape needs to look like, to be able to effectively choose a security leader. This lack of proper upfront qualification, in turn, sets up many security leaders for failure. This, in turn, contributes to the high turnover rate.
Before hiring a security leader, companies should engage with a trusted security advisor, such as a virtual CISO or security consulting or search firm, who can help them assess the specific security needs of the company. Then, partner with them during the search to thoroughly screen and qualify those candidates within each of the necessary security domains. This provides the company with the best path to making a long-term hire and in securing their corporate digital assets.
Tim Howard is the founder of Fortify Experts (top ranked Cybersecurity Search firm by Cybersecurity Ventures) which helps companies find exceptional cybersecurity talent through executive search, permanent placement and project consulting. Howard has been leading technology staffing teams for over 15 years and is the founder of three other technology and staffing firms. He has degrees from Texas A&M University in Industrial Distribution and Marketing.