The total number varies depending on where you look. CyberSeek says there are more than 714,000 cybersecurity job openings. Cybersecurity Ventures estimates that number could be in the millions in just a few short years. The (ISC)2 2021 Cyber Workforce Report says it’s already there, with more than 2 million unfilled positions that need workers with cybersecurity skills.
You get the picture. It’s a bleak one, and one that hasn’t changed much in the years since I entered the workforce. It’s only getting worse, and it’s a problem that we won’t be able to simply hire our way out of — the amount of talent entering the workforce will likely never make up for the shortage.
There aren’t enough graduates to support the needs we have across industries. And while creating more educational pathways for young people to learn cybersecurity skills and generate interest in cybersecurity as a career will always be a beneficial tool, we need to focus on other areas if we really want to solve the problem and create a better, more sustainable future for security professionals in the workforce.
We need a more holistic, cultural shift in the way we’re thinking, one that empowers security teams with the right process and technology, and creates the right pathways for people to want to stay in the cybersecurity field long-term.
Here are some areas all security organizations can focus on to create a better experience for security teams and help solve the talent crisis.
Put an end to firefighting and start being strategic
For one of the clearest examples of how the talent shortage holds security teams back, look at how most security teams are forced to work. Too often, they aren’t engaged early enough in the development lifecycle and end up putting out fires instead of doing meaningful work.
Leveraging automation removes much of the tedious and remedial manual work and frees security teams to focus their efforts on more strategic initiatives within the organization.
Doing that strategic work is when you’re learning, growing, and improving your skill set. If your day-to-day as an engineer goes from fire to fire, you’re not growing in your career. You’re not seeing the bigger picture. You’re not being put in a position where you can learn new things.
It leads to increased burnout rates and an overall uncomfortable work environment.
Automation can act as a force multiplier and help an organization rise above some of that firefighting and other more menial work inherent in paper-based workflows. It helps your team focus on addressing problems and building reusable architectures, thinking about patterns vs. solving individual cases one by one. It enables a more top-down approach instead of a bottom-up one.
Create a culture of collaboration
Automation is just one piece of the puzzle. For organizations to be more productive, they need to collaborate more effectively. Silos need to be broken down, and there needs to be a top-down mandate to operate this way.
Security teams are historically siloed from other teams, making it much more difficult for them to have a greater impact on the development lifecycle. When there’s friction between security and other teams, you can get stuck playing politics within an organization instead of doing meaningful work. It leads to much frustration, especially in larger organizations.
Security teams need to be more engaged and have a seat at the table. Many of our issues in development can be avoided if we simply follow this practice, and the end result will lead to increased employee retention and happiness — a win for everyone.
Build career pathways in your organization — and out
The path from a junior role to a senior role isn’t made clear in most organizations, and many companies make it too difficult for junior talent to grow on the job and advance their careers internally. Many junior-level employees feel stuck, even with an increased demand for senior talent.
As an industry, we can do better to give people meaningful training and clear pathways to whichever type of growth they’re looking for. We can do this by building out more strategic career plans and clearer benchmarks for progressions that make junior talent feel like they’re on the path toward advancement, all while supporting them with the training and continuous educational requirements that come up along the way.
Another element of pathway building includes incoming talent. Four-year degrees are great, but they’re not the only path and shouldn’t be a must-have requirement when recruiting talent. There are plenty of ways for young people looking to get into cybersecurity to learn and develop skills outside the traditional four-year college curriculum. Embrace those.
The bottom line
The security talent crisis isn’t going away. There will continue to be unfilled jobs in the industry, and organizations will struggle to keep up.
But that doesn’t mean we have to throw our hands in the air and give up. We have the ability to create a culture that embraces advanced technology and allows for a better workplace for all. We just need to be strategic in how we get there.