The Cybersecurity Talent Crisis: Three Ways To Think Outside The Box
- Patrick Linton
- Apr 24, 2020
Updated: Jul 2, 2024
This post was originally published on Forbes.com on April 24, 2019.

After over a decade of helping growing organizations address hiring challenges and labor shortages, I know a talent crisis when I see one. The numbers are alarming: while the world has moved online, the supply of professionals to protect us hasn't kept up. The annual cost of cybercrime is expected to reach $6 trillion by 2021, yet the predicted shortfall in cybersecurity professionals is expected to reach 3.5 million. A recent report by PwC shows that the cybersecurity talent gap will hit 1.5 million job openings by the end of 2019 alone.
This talent gap has placed many organizations in an extremely tough spot. With so many job openings available through traditional recruitment channels, employers are facing increased competition to engage cybersecurity talent. With an abundance of roles and a lack of skilled employees, employers don't always receive applications from top talent. Companies are forced to hire people with little experience in the specialist skills required to operate top-tier security functions. For every ten cybersecurity job ads posted on Indeed, only about seven people click.
With supply and demand clearly off-kilter and the staffing and recruitment industry not keeping up, I have identified three actionable ways organizations can address the cybersecurity talent crisis today.
1. Think Outside Of The Morning Commute
It's time to stop thinking locally and widen our hiring net. In many professions, hiring at least some remote employees is quickly becoming the norm. Based on my experience helping companies scale remote teams, there are three important factors to consider when you're building a remote workforce. First, it's important to remember that in developing countries, it may be best to set up a satellite office so that those workers can use reliable power and internet services, which they may not have at their homes. Second, you might have to change the way you interview. People from some cultures will avoid anything that might be construed as bragging, so you may have to find other ways to tease out their accomplishments. And third, you might have to put extra effort into understanding what motivates people — it may not be the same factors that motivate you and your existing team. Once you have that understanding, build the systems and incentives to support it.
2. Think Long Term: Poaching Should Not Be Your Preferred Recruitment Method
“Full panic” mode is setting in for employers who are aware of the bleak jobs outlook in cybersecurity, causing employment teams and managers to bring in as much new talent as they possibly can, rather than investing in their current talent. I have spoken to CEOs at top security and technology firms who focus on culture and invest in their people, and as a result they have nearly 100% retention rates. I have also spoken to security leaders who plan for a constant yearly bleed of up to 50% of top performers after investing in their training.
Why are they leaving? For top performers, it's usually not just about money. As an industry, more long-term thinking is required. Many security teams are so understaffed that they don’t have the time or resources to train or advance their own employees. I believe organizations should be creating dynamic, motivating programs in order to recruit talent from existing IT teams, particularly individuals with operations, compliance or networking backgrounds. Not only is this solution far more sustainable, but it also helps to bridge the gap between cybersecurity and the rest of the business. If your IT team is already stretched, or perhaps you don’t have an internal IT team, then consider engaging an MSP to help you scale up your security capabilities.
3. Think People, Process Then Technology — In That Order
For many organizations and managers, including myself, it can be easy to fall into the trap of new technology, news and trends, making it harder to address situations like the industry recruitment crisis head-on. It’s important to have a plan. I have found that it is crucial to clearly define what cybersecurity is and isn’t in your organization. This will ensure you are not wasting time, expenses or resources bringing in talent you may not need. Bring in the right partners to do what you can’t (or, more importantly, shouldn’t), and don’t think that by investing in some new technology you’ve done all you need to when it comes to cybersecurity.
While I am not a security analyst, I am an entrepreneur who has helped many organizations deal with talent shortages across all areas of their businesses, cybersecurity included, and the themes are the same. While the challenges of the current security labor shortage are particularly severe, with the three factors above, you can start laying the foundation for a better and more secure future for your organization. Remember: there is still time if you think long-term today, but the shortage will only get worse.