It is not uncommon to see security job adverts asking for certifications and skills that are disparate, and often as far apart as the banks of the Amazon River. Often, these unrealistic expectations are packaged under the notoriously vague job title of Information Security Analyst/Specialist. The job advert will continue to explain that potential candidates should be able to do everything from risk assessments, cyber forensics, riding a unicycle, and doing penetration tests while skydiving. At this juncture I wish to offer the first piece of advice: stop this nonsense with immediate effect!
Most security job adverts ask for familiarity with common frameworks such as NIST, ISO, PCI-DSS and a host of other cool-sounding acronyms. Yes, a working knowledge of these is great, but is it necessary for the task at hand? When you are asking for a CISSP, but describing entry level work in your job description, you are effectively saying to the world: “I don’t really know what I’m doing. I looked at a few similar job ads on LinkedIn and selected these phrases and acronyms because they sounded cool. Effectively, I am contributing to the problem and fueling the misconception that we have a skills shortage.” I echo the first piece of advice: stop this nonsense!
By casting the proverbial hiring net so wide, you are effectively looking for a unicorn. While it is not impossible to find Information Security Unicorns, they come at a price, and they are not easy to attract or retain. The cybersecurity skills shortage is cited as this big problem. I cannot help but wonder if this shortage is self-inflicted. If we are looking for unicorns, there definitely is a shortage. If we are looking for teachable candidates with the right attitude, I am inclined to believe they are more readily available… at least as compared to unicorns.
If you find yourself needing a unicorn, you failed to build an effective information security team. By requiring one person to complete an array of disparate job tasks and functions, what kind of work quality do you anticipate you will receive? What kind of work-life balance do you envisage for this future unicorn? How long do you think this future employee/unicorn will stick around? We don’t see hospitals asking for brain surgeons that can double as heart surgeons and nurses as well, yet we find it acceptable to look for security analysts that should be able to do everything under the sun. Of course, when we cannot find these unicorns, we join the Cybersecurity Skills Shortage Choir.
Below are a few practical guidelines to consider when recruiting information security talent:
· Be clear: Identify two or three non-negotiable skills that you require and be clear on this. Map your certification and training requirements to the skills you need. If you are looking for a penetration tester, are CISSP, CISM and CISA really necessary?
· Partner for parity: If a specific security function is not going to provide your organisation with a competitive edge, or save a substantial amount of money, consider outsourcing it. For example, if your core business is property management, you have no business wanting to build an in-house 24/7 Security Operations Centre (SOC) from scratch. Rely on people with expertise, who can provide those services at scale, far better and cheaper than you can.
· Be transparent: It is unlikely that someone will join your organisation for less than what they are currently earning. Salary ranges are available and should be consulted. At minimum, state the salary range in your job advert. Failing to do this sends a clear message to potential candidates: “I am afraid my current employees might realise they are being underpaid. Furthermore, I would like to see what you are currently earning and offer you 15% on top of that. I am probably not the type of manager you want to work for.”
InfoSec unicorns, much like outliers, are truly great in their respective domains. Think of people like Elon Musk, Jeff Bezos, Faseeg Osman, or Nelson Mandela: these people do exist, but they are not generally available. Finding and attracting them is not going to happen on the back of a generic job advert, and a recruitment system asking them to retype the CV they have just uploaded. Remember, anyone can be great at anything, but everyone cannot be great at everything. Understanding this simple truth will solve much of the perceived skills shortage.