5 ways to grow the cybersecurity workforce in 2021

The cybersecurity workforce shortage and related skills gap stubbornly persists. Risks will continue to grow in 2021, so it’s vital that organizations take action to grow their cybersecurity workforce. Here are five ways to attract talent now to begin to close the skills gap.

The demand for cybersecurity professionals has surged over the past decade: In fact, by early 2020 the industry’s workforce gap had widened to a whopping half-million workers in the U.S. alone, and 4 million globally.

It was in that context that the COVID-19 pandemic hit last March, sending the cybersecurity world into a wild, rapid shift in which millions of workers suddenly left the office and began to work remotely. Some companies made the leap literally overnight, leaving many cybersecurity professionals scrambling to secure cloud-based remote offices on the fly, even with new emerging threats on the horizon.

Yet, a year later, the cybersecurity workforce shortage and related skills gap stubbornly persists: According to (ISC)2’s 2020 Cybersecurity Workforce Study, while the global cybersecurity workforce need has narrowed slightly over the past year (from 4 million to 3.1 million), there are still nearly 400,000 open cybersecurity positions in the U.S. and the global cybersecurity workforce needs to grow 89% in order to “effectively defend organizations’ critical assets.” In addition, while actual security incidents have stayed at baseline levels, and despite the slightly-narrowed workforce gap, more than half of respondents (56%) say that cybersecurity staff shortages are putting their organizations at risk.

“This remains an emerging industry with threats shifting almost on a daily basis, including new threat actors, new technologies and the evolution of 5G,” says Erin Weiss Kaya, a Booz Allen talent strategy expert for cyber organizations. “Yet we’re still dealing with a 0% unemployment rate, with far more demand than we have current supply.”

The industry and risks are also only going to continue to get larger in 2021, so it’s imperative to start to implement strategies and attract talent now to begin to close the skills gap, says Ondrej Krehel, CEO & Founder of cybersecurity firm LIFARS and a digital forensics and ethical hacking expert. “Hackers are only getting smarter and faster, meaning defensive teams need to do the same, to build a strong cybersecurity team and ensure that companies do not suffer from manpower shortages,” he says.

The right skills are hard to find

However, finding and attracting talent with the right cybersecurity skills is no easy task. The list of necessary technical skills, even in today’s entry-level cybersecurity positions, is long. The “entry-level” cybersecurity job description, Krehel points out, often looks like a mid-level senior role in any other industry because of the extensive security or vendor certifications required. “It sets an unattainable bar,” he says.

In addition, non-technical skills, such as agility and flexibility, are harder to measure and recruit for, says Kaya — but they are just as desperately needed. “The necessary skill set requires not technical tools, but the ability to deploy tools and actually interpret the data,” she explains. 

Marcus Fowler, former CIA executive and current director of strategic threat at Darktrace, an AI company specializing in cyber, adds that organizations need to figure out how to get more out of existing security teams. “Without solving the work-to-worker gap, trying to solve the skills gap by hiring en masse will only make a small dent in a larger problem,” he says. That includes pairing the existing workforce with autonomous capabilities, he adds, so cybersecurity professionals can work faster and smarter.

“The power of artificial intelligence/machine learning to conduct the initial triage of all security incidents is how human teams are going to regain control,” he says. “An AI-enabled autonomous investigation capability allows the machine to do the early triage and investigation heavy lifting and prioritization. This frees up crucial time and energy for human security experts to actively, strategically take control of the incident investigation loop.”

That said, growing the cybersecurity workforce through better recruitment strategies remains a must. “I feel the industry has not fully embraced looking at non-linear, non-traditional entry points into cyber,” says Kaya. “The industry has fallen back on fairly traditional recruitment definitions of finding the already proven resource and on technical skills. We need to figure out: How do we look at aptitude as a mechanism for entry into the field? And then how can reskilling programs be used to reach that level of expert execution?”

These are five important ways experts say organizations can take action to grow their cybersecurity workforce in 2021 and beyond:

  1. Make job postings more attractive to diverse candidates

According to Dr. Pam Rowland, an assistant professor of cyber security at Dakota State University and co-founder of outreach organization CybHER, many organizations need to overhaul their job ads to attract diverse candidates. “Hiring teams need to think critically and redesign, rather than using the same strategies as the past ten years,” she says. For one, firms should abandon highly-masculine color schemes, as well as reconsider long requirement lists that “nobody in this world could meet,” she says. “Research shows that men will look at those lists and apply even if they are only qualified for 25%, but women will say, ‘I can’t do that, that’s not the job for me.’” Instead, she advises listing top priorities, but emphasizing the need for lifelong learners and critical thinkers. 

  2. Attract security-minded software engineers looking for opportunities

One great way to expand the available talent pool is to attract security-minded software engineers who have many of the right skills but are looking for opportunities to amplify their impact by engineering small, purpose-built tools, says Jason Meller, CEO and founder at Kolide. These tools, which include vulnerability scanners, pen-testing utilities, and endpoint data collectors, are often too niche to buy from security vendors, and they allow other novice security practitioners opportunities to increase their capabilities, speed, and accuracy. “Surprisingly, many authors of popular open-source security tools are often underappreciated by their current employer,” he says. “If you reach out to these people with an opportunity to continue working on their passion project and the chance to observe how it performs in real world scenarios at your organization, it’s a win-win: You will have a passionate expert who is extremely invested in the future of your security team and the success of their co-workers.”

  3. Find talent by offering incentives to collaborate with the security team

Another great way to identify top candidates within the organization is to create incentive structures for employees to directly coordinate with the security team on meaningful priorities, says Meller.  “For instance, your company may have invested in an external bug bounty program for hackers to report problems, but what mechanisms and incentives are in place for security-minded employees to safely report issues internally?” Once these internal communication structures are in place, you might find you have repeat customers who are great candidates to fill junior positions today with the potential to quickly advance into experienced roles, he says. 

  4. Invest in employee certification programs

The industry needs to commit to training junior employees and providing the resources they need from day one to be successful, says Krehel. “Firms should create programs to help new grads get certified while on the job and learn in real time,” he says. Although certifications cannot make up for years of experience, Krehel points out that it will help junior and mid-level staffers gain a good practical grounding in all aspects of cybersecurity, including operations, forensics and policy. “It will likely also help increase employee retention by showcasing commitment to each individual’s professional growth,” he says.

  5. Draw out gender diversity by getting girls interested early

By high school, it may already be too late to get girls drawn into the world of cybersecurity. Rowland says that middle school is when they really start to decide whether computer science is right for them. “We have found if we can get them interested in middle school, then they’re set and ready to take high school courses that keep them engaged and are no longer so intimidating,” she says. “Once they get an idea of what cybersecurity is, they are more likely to keep exploring.”

Post-pandemic prospects for the cybersecurity workforce

As of 2020, the market size of the cybersecurity industry was $167.1 billion and predicted to grow at a compound annual growth rate of 10% from 2020 to 2027. With that level of growth, it’s clear that after a year of upheaval, building up and strengthening a qualified and diverse workforce will be even more challenging post-pandemic. According to the 2020 (ISC)2 Cybersecurity Workforce Study, 49% of respondents expect their organizations to hire more cybersecurity professionals within the next year.

But while there are no signs that the cybersecurity skills gap will significantly narrow over the next year, Booz Allen’s Kaya is optimistic over the long haul. She points out that the unprecedented shifts and emerging threats of the past year have actually made cybersecurity an evolving field that appeals to a larger number of people.

“I think there is heightened interest in this field, we’re beginning to look at non-traditional entry points to expand the candidate pool, and there are very effective mechanisms for re-skilling individuals who have a baseline to become experts,” she says. “This is an exciting time for cybersecurity: You’re taking on fascinating challenges and your life is never the same the next day.”