Employee Experience

Companies Get Creative to Close the Cybersecurity Skills Gap

New strategies can help CISOs deepen a critical talent pool.

Bennett Hendrix III got hooked on the idea of becoming a cybersecurity sleuth after watching an episode of the serial killer drama “Dexter” in high school. He later Googled “digital forensics” and spent hours learning about viruses, malware and a booming job market. From that brief experience, he decided to pursue cybersecurity as a career.

But growing up in a mostly Black neighborhood near St. Louis, in a school system that offered no STEM curricula, made that difficult. Despite initially struggling in college, he ended up on the dean’s list and, just before graduating, paid his way to a job fair in Atlanta, where he applied to as many companies as he could. On the day he received his diploma, he got an offer from consulting and accounting giant PwC.

“Honestly, they didn’t find me. I found them,” says Hendrix. Now 24, he works as a PwC cybersecurity analyst, helping clients, such as a large retailer and a government agency, deal with access and identity management crises.

Today, more companies want to find people like Hendrix, and for good reason. Employers with significant security needs face a grand slam of business challenges: a global pandemic that shifted labor forces to remote working, a resulting economic downturn that has shrunk IT budgets, a major spike in recent cyberattacks and a long-standing global skills shortage.

In fact, 56% of companies surveyed in the 2020 (ISC)2 Cybersecurity Workforce Study say they don’t have enough cybersecurity staff. Other studies paint similarly scary pictures. According to Emsi, a labor analytics firm, the world currently needs 330 million cybersecurity professionals — but has only a little more than half that, about 178 million.

[Read: Three trends driving the need for endpoint security]

COVID-19 hasn’t helped matters. For starters, the number of cyberattacks has skyrocketed, as millions of people move from working on carefully monitored computers in the office to home PCs and smartphones running over commercially available broadband Wi-Fi networks. And rather than throw more bodies at addressing these attacks, many companies actually shifted cybersecurity staffers to the task of simply getting all those home PCs connected.

“In the rush to deal with other user issues, a lot of companies paid less attention to making sure all the latest security patches had been applied,” says John Pescatore, director of emerging security trends at SANS Institute, an IT research and training company. The pandemic also laid waste to spending plans. While 34% of firms surveyed in mid-2020 by the SANS Institute said they would increase spending on security due to COVID-19, 26% said they would spend less, and 40% said they weren’t sure.

Closing the gap

To help meet critical staffing needs, corporate recruiters are getting scrappier. Some are reaching out to traditionally under-represented groups, such as women, Blacks, and Latinos, to reach prospects like Hendrix. Many are focusing less on recruiting high-priced cybersecurity stars and more on retraining their own employees or hiring graduates of new cybersecurity courses being offered by community colleges, online boot camps and training companies, says Rob Sentz, chief innovation officer at Emsi, a labor analytics firm.

According to Emsi, more than half of cybersecurity workers have a master’s degree. However, many types of cybersecurity jobs do not require such advanced degrees, says Sentz. In 2019, many of the 700,000 people who became cybersecurity professionals graduated not from lengthy tech curriculums but from accelerated programs designed to give hands-on experience fighting today’s cyber threats. That way, they can be put to work on day one.

For example, Toronto-based York University created a 12-week version of a cybersecurity course that previously took months to complete. Independent cyber boot camps and online education platforms have also answered the training call, with programs costing up to $19,000 that let graduates earn certifications for today’s cyber threats in even less time.

Efforts like these are starting to pay off. For the first time ever, the talent shortage in cybersecurity workers shrank in 2019, according to the 2020 (ISC)2 Cybersecurity Workforce Study. This is due to those 700,000 new workers, but also to a decline in job openings from 4 million to 3.1 million, due to cutbacks from the economic slump.

Deepen the talent pool

At the same time, the pandemic has opened IT leaders’ eyes to what a workforce can look like. As with many other job functions, increased productivity for people working from home means security teams are more willing to hire people regardless of where they live.

Standard Chartered PLC, the London-based financial giant, has created a two-year apprenticeship aimed at tapping into a more diverse, global talent pool. “We’ve spent considerable effort exploring how to create a diverse and sustainable pipeline of cyber talent,” says Tanuj Kapilashrami, Standard Chartered’s group head of human resources.

Other wells of talent are also getting more attention. IBM’s Australian division recently announced a program to train 3,000 military veterans to join the profession. New York City is offering free access to 4,000 Coursera classes — including on cybersecurity — to unemployed and underemployed New Yorkers. Meanwhile, industry blogs and virtual conferences are full of advice on the need to stop writing daunting job postings requiring years of experience and specialized certifications in order to widen the candidate pool.

Develop from within

Ultimately, for most companies, the main source of new talent will come from within. Many employees have the requisite math skills and innate talents to quickly become effective security team members. Accountants, auditors, quality assurance managers or general IT experts are natural candidates, says Mark Hanson, head of talent analytics at Emsi.

“These professionals already know a lot about IT systems, they have immense attention to detail, and they understand how to track a chain of events to identify the cause of a problem,” says Hanson. For instance, an accountant is more likely to spot a sophisticated financial fraud scheme. And network administrators and IT staffers already understand how to protect the company without slowing down everyone’s computers.

[Read: How to improve IT hygiene]

What’s more, many of these workers hold jobs with uncertain futures. Companies that move IT services to the cloud often need fewer network admins. Accountants and people working in areas like administration or sales face the risks of automation. Companies such as AT&T, Morgan Stanley and the federal government, through its Federal Cybersecurity Reskilling Academy, have all seen strong interest from people interested in cybersecurity as a career.

At Standard Chartered, internal talent development is a big focus. In the past 12 months, 33% of the 700-plus security personnel it hired were recruited in-house, says Kapilashrami. She wants to increase that to 50% in the next few years and ultimately to 70%. “We’re focused on building an internal talent pool and re-skilling our workforce,” she says.

Inspiring cyber youths

Companies can only do so much on their own, of course. New thinking will be needed to completely restock the talent pipeline, says Pescatore. SANS, for example, recently partnered with the National Cyber Scholarship Foundation to launch CyberStart, a competition in which high school students compete for $2 million in college scholarships.

Students win by scoring well in game-like contests to save the environment, and in the process are exposed to subjects such as programming, cryptography and forensics.

Which brings us back to Hendrix, who mistakenly found his way into cybersecurity by watching a serial killer show. These days, he’s doing his part to ensure that under-represented youth have cybersecurity on their radar from a young age. Though the pandemic has shut down his in-person tech literacy talks at San Antonio–area schools, he recently published a book called “Saleen, the CyberTeen” about a young Black girl.

“My mission is to educate younger generations about the possibilities,” Hendrix says. “And there’s a growing recognition in the industry that they will be needed.”

Peter Burrows
Peter Burrows is a long-time technology journalist and author who has written for Business Week, Bloomberg News, MIT Tech Review and other publications.