Fixing the cybersecurity workforce problem starts with us

Cybersecurity finally has a seat at the table! From enterprise executives, to boards, to government organizations, everyone seems to be prioritizing, or at minimum recognizing the importance, of cyber risk.

Enterprises are expanding security budgets to invest in new solutions and are giving their chief information security officers (CISOs) an elevated platform to communicate internally and externally. Board members are asking hard-hitting cyber questions and requiring team members to spearhead risk management programs and other cyber strategies.

The federal government is routinely publishing guidance and issuing legislation. Recently, we’ve witnessed the launch of the American Cybersecurity Literacy Act, software supply chain guidance for developers published by the National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA) and the Office of the Director of National Intelligence (ODNI) and numerous cyber-focused White House memos.

What’s most encouraging about all of this is the fact that it has created an opportunity for the public and private sectors to work together to bolster our defenses and mitigate shared risk. This is absolutely key to creating a more cyber-secure world, and we’re all taking that step.

This is excellent. This is what myself, and other CISOs and security professionals have wanted for years. And, while we are thrilled and celebrating this progress, we also recognize that there is a problem here as well.

There are hundreds of thousands of unfilled cybersecurity positions. Broadly speaking, any significant cybersecurity initiatives on a national level are going to be hampered by the industry’s current workforce challenges. When everyone currently employed in this space is wearing a dozen different “hats,” it is difficult or impossible to find time for specialization, experimentation, and innovation.

I’ve had a bit of a personal experience lately that produced some tangential thoughts on this topic. Essentially, I’ve realized we need to lower the barrier to entry to the industry. With this approach, we are one step closer to solving the problem.

The solution: Entry level should be entry level

This will come as no surprise to anyone who has been involved in cybersecurity recruitment. There may be many unfilled positions, but there is no shortage of interested folks. There are a plethora of recent college graduates, tinkerers, or self-educated enthusiasts who are looking to kickstart their careers in cybersecurity. They are curious, hungry to learn, and eager to break into the industry.

Many of these individuals make amazing candidates for an entry level role, but a majority of these positions are not as ‘entry level’ as advertised. That’s right, far too often an “entry level” job listing will require three to five years of experience or an advanced degree for an entry or junior level position — a catch-22.

Those that are truly entry level do not qualify, and those with three to five years of experience do not want to remain in entry level positions. So, these jobs remain unfilled, and the workload continues to pile up on the other security team members. Entry level should mean that no experience is required.

Organizations need to look for candidates that are passionate and willing to learn and then commit to mentorship and allocating funds for the necessary education and training. That’s the approach I took recently, and I was blown away by the responses I received.

A couple of months ago, we needed a security analyst(s) for our SecOps team. We had a choice of pursuing a single analyst with three to five years of experience or splitting the position into two entry level roles. We decided on the latter, and made the conscious decision to have these positions be truly entry level, meaning no experience was required.

When I shared the job openings on LinkedIn, I stated that our primary requirements were that candidates have a demonstrated interest in the world of security and a desire to keep learning. We were absolutely inundated with applications. My post on LinkedIn received nearly 350 likes, 60 shares and 150 comments almost instantly.

After two days, we had to turn off the job posting because we had received over 600 applications from people around the world representing all walks of life. I wish I could have hired everyone.

My experience is just one anecdotal example of the immense appetite for cybersecurity careers. We have to lower the barrier to entry, focus on mentorship and prioritize continual training and education. This will build our workforce back up and allow the private and public sectors to actually begin collaborating effectively.

Everyone needs to do their part

The U.S. government already hires an enormous number of college graduates for security roles, but I think they, and the private sector, can do much better. We’re not the only ones implementing this type of hiring practice. There are many other SMBs that are doing this as well!

And, if all of these SMBs can find a way to onboard and train truly entry level security professionals, then most other organizations should be able to as well. I can promise you, mentorship is not as daunting as it seems and is actually quite rewarding.

Spend the necessary time to train your entry level employees on one or two specific tasks that they can own within the first few weeks of employment. Implement monthly ‘lunch and learns’ with your team members to facilitate educational workshops.

As your team becomes more experienced, you can pass off the facilitation responsibilities to other members. Ensure that you are allocating portions of your budget to professional development. Send your entry level folks to educational conferences like Black Hat, where they offer numerous training sessions on-site. They can network, learn and absorb all at the same time. These are just a few of the ways that you can train new employees.

In a scenario such as this, where there is a large workforce shortage, yet a serious demand for talent due to the tumultuous climate of cybersecurity threats, we must all do our part.

We can’t sit back and wait for talent to come to us; we must create that talent. That’s the key to fortifying our walls against cybercriminals, implementing the latest initiatives stemming from the federal government and stopping the human impact felt every day across the globe from devastating cyberattacks.

This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security magazine. Subscribe here.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

Employees don’t feel prepared to navigate an increasingly dangerous world, and they expect their employers to not only care about their personal safety, but to actively keep them safe.