One of the prevailing stories in cybersecurity over the last few years has been the apparent shortage of cybersecurity talent, with some linking that workforce gap to the growing number and frequency of cyberattacks on government and enterprises, as bad actors appear to be one step ahead of the cybersecurity industry.
Now, the cybersecurity industry, government and others have turned their attention to addressing that shortage, which (ISC)² estimates at more than 3 million globally. With hackers and cybercriminals becoming more adept at bypassing cyber defenses, the tech industry has doubled down on its efforts to address a worker shortage and skill shortage.
However, Rik Ferguson, vice president of research at cybersecurity firm Trend Micro, says cybersecurity companies and IT teams just might not be looking in the right places – or paying enough.
According to Ferguson, there might not even be a skills shortage, but instead a certification and experience shortage.
“But there is certainly not a shortage of people who are willing and interested in the industry,” he says. “And there is definitely not a shortage of skills – it’s just that those skills may not be certified.”
You aren’t prioritizing soft skills
Ferguson himself started his career in IT in a technical support role after having virtually no professional experience in technology.
“The skills that I brought to that job were skills that were innate to my character,” Ferguson says. “I didn’t have any certified technology skills, even though my job was going to be helping other people fix broken things.”
All it took for Ferguson was an interest in computers, a willingness to learn, and necessary soft skills like problem solving and empathy for the working professionals who rely on you to fix their systems and keep them secure.
“It doesn’t really matter what your role is – you have to be able to see things from somebody else’s perspective and understand how they perceive a benefit, a problem or how they are going to interact with the user interface you’re designing or how best to explain to them what you want them to understand,” Ferguson says.
Since then, Ferguson has become certified in a range of cybersecurity and IT disciplines, which simply provides paper proof that he is in fact a cybersecurity expert.
Next is the ability to admit you don’t know the answer to something and a willingness to learn and ask questions.
“It’s more important and more valuable to stop someone in their tracks and say, ‘I’m sorry, hold on a second. I don’t understand what you just told me,’ than to pretend and let them go on,” Ferguson says.
You’re leaning too heavily on certifications
While Ferguson agrees that there aren’t enough people working on the good side of cybersecurity, he says the problem is largely with hiring practices. Organizations are quick to discard resumes that don’t have the experience they’re looking for and are “discarding a lot of diamonds in the rough” that have potential to develop into a white hat cybersecurity expert.
“By and large, enterprises and large recruiters are asking for the certifications to precede the experience,” he says. “I can tell you from experience that certifications without experience are basically worthless.”
You aren’t hiring people who are ready to do hard work
In the IT and cybersecurity field, technologists are currently working to help organizations transition to a hybrid work environment, which itself produces boatloads of cyber risk since the once-defined IT perimeter is no longer a perimeter at all.
Coupled with the onslaught of ransomware, supply chain attacks and large-scale nation state compromises, IT and cybersecurity job candidates need to be well aware that these job environments can create some “uncomfortable” working conditions, Ferguson says.
“You must be aware of that upfront and you must be aware that it is going to be hard work,” Ferguson says. “It’s high pressure and you need to be motivated by that.”
You aren’t advertising salary in job postings
Companies should also stop keeping salary information secret in initial job postings, Ferguson says. Salaries in cybersecurity can vary greatly, and when an average ransomware attack nets over six figures, having that information up front can help keep technically skilled professionals on the good side.
“If you want to attract people, they have to at least know what the range is,” Ferguson says.