Training security professionals to close the skills gap.

The cybersecurity sector faces a severe crisis: a lack of qualified workers. In June 2022, Fortune reported that companies are desperate for cybersecurity workers. Cyber Seek lists more than 714,000 open cybersecurity jobs. And the demand for cybersecurity experts is expected to increase.

The U.S. Bureau of Labor Statistics projects that demand will rise by 33% from 2020 to 2030, much faster than the average for all occupations. Cybersecurity Ventures says the situation is part of a trend that began in 2013. Since then, the number of unfilled cybersecurity jobs has risen by 350%.

For companies that are looking to hire cybersecurity professionals, TechRepublic Premium offers a hiring kit for cybersecurity engineers.

Who will be affected by the lack of security professionals?

The crisis affects all sectors. In November 2021, the U.S. government, through the Department of Homeland Security (DHS), launched the Cybersecurity Talent Management System (CTMS). CTMS is designed to recruit, develop and retain cybersecurity professionals by streamlining hiring processes and offering competitive compensation and career development opportunities. The business sector is also working to close the gap, with companies like Cyber Talent Institute, SANS Institute, Cybint and others emerging to respond to the crisis. Others, such as Deloitte, offer in-house cybersecurity training and skilling.

An increasingly challenging cybersecurity environment, workers’ burnout, the increase of cyberattacks, lack of diversity and the long years it takes to train an expert are reported as the drivers of the crisis. However, some of these factors may be a matter of perception.


Why is filling cybersecurity roles so challenging?

To understand the challenges, TechRepublic spoke to Ning Wang, CEO of Offensive Security.

“Like many fields, it takes several years to become a cybersecurity expert. However, there are many roles in cybersecurity at an entry or intermediate level which don’t require two-to-four years of training,” Wang said. Examples include security operations center (SOC) analysts, who work with a team to monitor and counteract threats, and incident responders, who create security plans, policies and protocols. Other jobs, such as penetration tester, which involves simulating cyberattacks and searching for vulnerabilities and bugs, require longer training, and prior experience is often required.

Wang says that skill is a matter of perception, and the time it takes for a person to become an expert varies from case to case. “I have come across some incredibly committed and motivated people who have been able to earn our Offensive Security Certified Professional (OSCP) certification and get a penetration tester job in about a year,” Wang added.

Her advice: know what to study and how to learn, be dedicated, and find mentors and help when needed to reach the goal. Wang also advises companies to find the right people to train and to provide them with quality learning materials explicitly designed for their learning paths.

“Everyone learns by applying and doing, not just by watching and listening, so hands-on learning is critical for cybersecurity training. A training program that recognizes and incorporates these elements will achieve faster and better results, thus accelerating the training process,” Wang said.

Good cybersecurity experts develop hypothesis-driven problem-solving capabilities, figure out what to do when they are stuck, and learn how to get something done with limited time or resources.

New generations: Cybersecurity education gaps

Another factor that has been reported to be driving the job demand crisis is the lack of interest of new generations in cybersecurity. In 2018, a report found that only 9% of Millennials are interested in a cybersecurity career. Wang believes that this is another misperception. She says new generations are interested but they learn differently.

“The way this generation learns is different. Attention spans are shorter, and the need for instant gratification is much greater,” Wang said. She also noted that training modalities need to change to be effective for new generations who prefer video over text and short content versus long content.

“We need to create shorter training modules in the mediums the new generations prefer and develop atomic learning units that provide instant feedback,” Wang said. She calls for streaming technology to help students understand how to hack and for education to adapt to the irreversible new learning preferences.

Is AI the solution to the shortage of cybersecurity experts?

As Deloitte reports, companies are turning to AI, machine learning and automated security solutions as force multipliers. New automated security technologies are being used to monitor, scan and respond to attacks across an ever-expanding digital attack surface. These technologies have been praised as a solution to the chronic shortage of cybersecurity talent. Yet as organizations lean on automated security technology while attacks evolve and increase, Wang says the approach might not be entirely on the right track.

“I think it is great that companies are developing automated tools to identify vulnerabilities and flag suspicious activities. However, I don’t believe these automated tools can close the unmet gap due to lack of security experts, because an algorithm can’t think critically like a hacker or a human being does,” Wang explained.

Machine learning models might be able to detect suspicious logins and activities, but these applications are built on existing data. As attacks and vulnerabilities evolve, they produce new data that the model was never trained on, so the training data no longer represents what the model sees in production. This is known as drift in a machine learning model. “No matter how we automate, these tools help us identify known vulnerabilities, but they cannot help us identify the new types of vulnerabilities,” Wang explained.

Further, the large majority of attacks are not breaching systems with advanced coding or forcing their way through highly guarded security systems. Cybercriminals have become experts in human nature. They are constantly finding new ways to trick workers into responding to an email, clicking on a link or downloading malware. Experts say that companies need to strengthen the human element of cybersecurity if they are to make their operations more secure.

“We need real people who are as talented as the cybercriminals, who can think like hackers, to identify these new risks to improve and train our AI and ML tools,” Wang said.

Leading cybersecurity organizations have come to terms with this reality, and many are fighting fire with fire. Ethical hackers, bug bounty programs and a hacker-mindset approach are proving to be a practical strategy against modern-day attacks, as TechRepublic recently reported.

“Essentially, the best way to defend is to know really well how you can get attacked. Developing the hacker mindset is essential to succeed in the cybersecurity industry. You cannot do this job simply by following a to-do list and ticking off a set of tasks,” Wang added.


Hiring for aptitude and ability to operate under duress

Despite significant investments in cybersecurity solutions, the number of attacks is not declining. Organizations building security teams are still struggling to find talent that responds to cybercriminals’ elasticity, adaptability, resilience, and relentless techniques. So what should companies look for when hiring cybersecurity talent?

Wang says that security experts need to be critical thinkers and creative problem solvers with the tenacity not to give up easily. They must have the patience to study and observe, and feel comfortable figuring things out by trial and error. These innate aptitudes are much harder to teach than the IT skills needed for cybersecurity.

According to Wang, managers should look for six attributes when hiring for aptitude:

  • Curiosity: Find candidates who like to ask ‘Why?’
  • Creativity: Find candidates who will find innovative ways to solve problems and aren’t afraid to think outside the box—as hackers do.
  • Grit: Ask new candidates about challenges or failures they have overcome. Someone who achieves goals by overcoming obstacles is a person with grit.
  • Willingness to work hard: Being intelligent and talented helps, but it is not enough to become a cybersecurity expert. Hard work is necessary.
  • Attention to detail: Much time can be wasted when careless mistakes are made, especially when writing code.
  • Desire to develop skills and deepen wisdom: Deep knowledge enables individuals to forge their pattern recognition skills, which is one of the most foundational aspects of cybersecurity.

It’s important for businesses and hiring managers to remember that very few candidates will tick every box—that’s why it’s important to hire for potential. “There’s also something greatly rewarding about recognizing talent and nurturing it through training. Those with aptitude will blossom quickly and the business training them will be rewarded handsomely,” Wang said.

TechRepublic Premium’s cybersecurity engineer hiring kit eliminates some of the guesswork in getting the recruitment process started. It includes a job description, salary ranges, interview questions and more.
