ISC2’s 2023 Cybersecurity Workforce Study found the cybersecurity workforce gap has reached an all-time high, with “4 million professionals needed to adequately safeguard digital assets.” Not only is there a shortage of external candidates in the field, but the cybersecurity industry is also plagued with rampant burnout – leading to internal churn that widens the workforce gap. 

Security leaders have heard a lot about the talent shortage problem and not enough about how they can solve it. In an effort to redirect the conversation and make a change, here are five steps organizations can take to attract and retain cybersecurity professionals in this market.

1) Offer the option to work remotely — Since the COVID-19 pandemic forced companies to transition to a remote operating model in March of 2020, employees have gotten used to working from home and enjoying a better work/life balance. And, in many cases, company leaders have found that remote employees are happier and more productive, which is better for the business. With benefits across the board, many organizations are allowing employees to continue working from home either on a part-time or full-time basis.

In this new era of work, mandating employees to come into the office full-time could deter candidates and make it hard to fill vacant positions. Contrary, offering the option to work remotely opens the candidate pool, allowing a company to find the most highly qualified person for the job — even if they reside in a different state or country. 

2) Provide insight into cybersecurity career paths — Doing this can solve a two-fold problem. First, there is a widespread misperception that cybersecurity professionals sit behind a computer all day long, using their technical skills to thwart cybercriminals. While there certainly are people that do just this, there are also a variety of other cybersecurity career paths that individuals can take — for example, working in sales or marketing, heading up human resources (HR), managing communications or joining the legal team at a cybersecurity company. Promoting all the different types of roles that are available within cybersecurity can create a more diverse candidate pool and help those on the fence make the jump into this exciting field — increasing the chances of finding the right fit for the unfilled positions. 

Second, there are many individuals who may be 100 percent confident that they want to get into cybersecurity, but they procrastinate because they simply don’t know where to start. Creating awareness for organizations specifically built to help individuals begin a career in cybersecurity — such as ISC2 or Women in CyberSecurity (WiCyS) — can aid both internal employees and external candidates on their career journey.

3) Promote from within — To aid in employee retention, promote from within the organization prior to seeking external candidates. Individuals work tirelessly for their organization, and burnout and frustrations from being passed over on promotions can contribute to turnover. 

Cybersecurity is something that can be taught. So, if a company has an employee with the necessary soft skills — a good work ethic, dedication, drive and a willingness to learn — then, they can teach them the necessary technical skills required to be successful in the open position. The best candidates for the cybersecurity roles might already be employed in the company – leaders just have to broaden their mindset. 

4) Be open to non-traditional career paths — Similarly, if security leaders can’t hire from within, they should be open to external candidates with experience that relates, but doesn’t directly tie to, cybersecurity. For example, let’s say the company is looking for someone to join the threat intelligence team, and job responsibilities include tracking threat trends, providing insight into the human behaviors of threat groups, and recognizing traffic patterns. Be open to candidates who have experience with analysis and trend/pattern recognition in other fields, as these skills can translate to cybersecurity. 

One other important point to note is that hiring employees who don’t have a traditional background in cybersecurity can often provide a layer of diversity that brings different perspectives, allowing leaders to take a comprehensive view of security problems, so they can provide a holistic strategy to solve them.

5) Offer training and certification programs — Investing in training and development will provide current employees with the knowledge and experience they need to stay on top in an ever-evolving field. Not only will this benefit a business, but it will also help employees remain successful — boosting employee satisfaction and retention. Paying for cybersecurity certification programs is also a great way to show commitment to employees’ professional development, building employee loyalty while helping to close the cybersecurity skills gap. In addition to these internal benefits, training and certification programs also can be great incentives for external hires.

Make a change today

Security leaders have been hearing about the cybersecurity workforce gap for years, which means current strategies to recruit and retain cybersecurity professionals just aren’t working. It’s time they come together as an industry to solve this problem. The above best practices are strategies we can implement in the near-term to make a difference over the long-term. And, when they do this, they can start to tip the scales and close the talent gap that has been plaguing the industry for far too long.