There is much discussion of a skills gap within cybersecurity. Cybersecurity Ventures predicts 3.5 million unfilled cybersecurity jobs by 2021. But recently, more people have been suggesting that the skills gap is a myth, that companies that can't recruit just don't want to pay market rate for professionals who are readily available. I have also seen firsthand many candidates who want to enter the industry but are struggling.
What has become clearer is that those who wish to enter the industry, perhaps after some training, find it very hard to do so. This situation is contributing to the view of a skills shortage. These candidates don't know where to start with applications and find it hard to make themselves stand out when they have no experience. The irony of this is that companies also find it incredibly hard to find entry-level talent.
One of the reasons may be that formal education is not the only route into the industry. We know that 81% of hackers are self-taught. That makes it harder for candidates to write a resume, and harder for employers to assess one. The best thing that those who want to enter the industry can do is network. This helps candidates and employers in a number of different ways and is a great first step for those who want to get into an industry.
The issue with companies hiring entry-level people into a cybersecurity job is that not many of the jobs are entry-level. There is certainly a demand for candidates at this level, but many of the roles that go unfilled are more senior. This problem is not unique to cybersecurity. Companies that hire at a more junior level and train people to do the job required can reduce their time to hire as well as the overall cost of recruiting for the role. Hopefully, it also increases retention as career progression is incredibly important to cybersecurity professionals. Rather than offering higher salaries, companies should consider what parts of a job description are essential.
Broadening the requirements of a job can open up a new pool of workers. There is under-employment among neurodiverse individuals, who are often put off applying by long lists of requirements. Women are also often put off by these wish lists. Making a more realistic list of requirements may attract candidates who are returning to work, including women returning after a period of maternity leave. This would have the added benefit of improving diversity in the industry.
There may be other sources of talent employers are leaving untapped, too. JPMorgan Chase hired roughly 2,100 individuals with criminal backgrounds last year — around 10% of its new hires. People returning to the workforce often have broader business skill sets, even if they do not have the cybersecurity experience. This fills a critical skills gap for those who understand the wider business and can communicate in non-technical language. Companies, in general, are limiting their talent pool by not opening up their requirements.
Those who question if there really is a skills gap would do well to carefully consider the reports that there is zero unemployment within the cybersecurity industry, that candidates can find a new job in under two weeks and often have multiple job offers to choose from. Some companies have unrealistic expectations or offer salaries way below market rate, and they are not the only ones struggling to hire. Very few organizations I work with within cybersecurity say they find it easy to hire. (The ones that do tend to have opened up their requirements and have a large percentage of their roles filled by women.) Salaries have also increased significantly to fight the demand issue. Some of the roles have increased by 40% in less than two years. The solution is not simply to pay more money.
The research highlighting the skills shortage is overwhelming, and all reports suggest this will get worse as the cyber threat increases. It is unsurprising that some people feel a mismatch between the data and their personal experiences, however. Companies would do well to consider what they can do to open up their talent pool if they are serious about ensuring they do not suffer as a result.
