The cybersecurity market has grown exponentially in the last 10 years. But as more companies look to hire cybersecurity professionals, the pool of potential candidates has not grown at nearly the same rate. This cybersecurity skills gap has left companies with open job recs (by the way, we’re hiring!) and no qualified candidates to fill them. How did we get here and what can we do about it?
How did the cybersecurity skills gap happen in the first place?
There have been many theories as to how the cybersecurity skills gap started: lack of collaboration between IT and engineering, lack of resources, lack of interest. Ultimately, the most logical and likely reason for the growing skills gap is timing. Cybercrime and the technology necessary to combat it have grown and developed extremely quickly. In the time it would take an ethical hacker to obtain their 4 year degree in cybersecurity, it’s possible that much of what they’ve learned will be outdated by the time they join the workforce. As new attacks are developed, organizations are looking for innovative ways to keep up.
Addressing the cybersecurity skills gap through education
Experts agree: the best way to address the skills gap head on is through education. Whether through increasing the number of college freshmen majoring in cybersecurity or educating a workforce that traditionally focused elsewhere, government entities, nonprofits, colleges and whole states are investing in educating the next generation of cybersecurity professionals. Here are a few ways that organizations are making that investment in education:
Some local governments and organizations have recognized the need to combat the skills gap through education and have started investing accordingly. But rather than waiting until college, states like North Dakota are beginning statewide cybersecurity education as early as 5 years old. North Dakota’s Governor Doug Burgum said, “Cyber Security is absolutely essential to our collective future. We are rising to the challenge to create a comprehensive, statewide approach to cybersecurity. We are creating a future that meets the needs of industry and provides career opportunities for our citizens.” This initiative, in partnership with the federal government, is meant to instill an interest in STEM, and cybersecurity specifically, from an early age, particularly for students that may have otherwise not considered a possible future in the field. The program focuses on project-based learning and builds in difficulty for each grade.
North Dakota’s model is one of the first of its kind but was built with scale in mind. The team behind the program hopes to replicate it in other states to expand its reach nationally. While it will take several years to know the effects of programs such as these on the children receiving the education, it’s certainly a step in the right direction.
Investing in girls
One of the largest gaps in the cybersecurity job market is the gender gap. Today, a mere 20% of the cybersecurity field is made up of women. This is due in large part to cybersecurity traditionally being classified as a “man’s job.” There are several organizations working to break this stereotype, many of which are focusing where this notion begins: at childhood.
Research has shown that from an early age, certain jobs are engrained into children’s minds as attainable or unattainable for them. Without clear role models in a certain field, it can be difficult for a child to imagine ever joining the field themselves. Organizations like the nonprofit Girls Who Code are defying that stereotype head on. With national chapters focused on instilling awareness and interest in coding and other STEM activities, Girls Who Code teaches the next generation of workers that they not only have access to cybersecurity jobs, but can excel at them.
Other organizations have similarly focused on increasing young girls’ awareness and interest in STEM. Girls Scouts can now earn a new cybersecurity badge based on a curriculum focused on learning the basics of computer networks, cyber attacks, and online safety. The national nonprofit is hoping that this new badge will create excitement and interest in a career field historically dominated by men.
Training from within
For those of us that can’t turn back time and redo Kindergarten with a major in cybersecurity, all hope is not lost. Some tech companies have begun identifying talent internally, rather than outsourcing cybersecurity positions. This doesn’t mean that Bill and Sarah in Customer Support have been secretly harboring their hacking and coding skills, but that, with the right training and education, employees that do not have a traditional education in cybersecurity can be trained and promoted to these positions.
Some businesses have begun using this approach as a way to retain and grow top talent while also filling hard to find positions. This is really a win-win for both the business and the employee, but obviously requires time and resources, whether in the form of internal training or tuition for external courses and certifications. According to one survey, only 33% of companies said that today they have a very high level of security understanding within their organization. Within that same survey, perhaps unsurprisingly, only 60% of companies use training to build security expertise. Companies that don’t train from within frequently point to the cost and time spent on these trainings as key deterrents. But if a business was to look at the time spent recruiting top cybersecurity talent and the salary costs of these positions, they may find that an investment in training internal personnel would actually save money for the company.
In order to address the cybersecurity skills gap, organizations need to branch outside of traditional means for identifying candidates. Training employees from other departments and investing in early education are two ways to do just that. In the coming years we will see the effects of these investments which will hopefully lead to a growing, diversified pool of cybersecurity job candidates.