Amid Cyber Workforce Crunch, CISOs Think Outside the Box


As cybersecurity teams continue to grapple with the cyber workforce gap, security leaders are starting to sniff out candidates from unconventional backgrounds and better prioritize “soft skills” - including problem-solving abilities and empathy - in addition to technical skills reflected by certifications and training.

The cyber workforce gap has been a reverberating issue for years for enterprises, government agencies and other potential employers. While there’s no shortage of security jobs, industry stalwarts have previously pointed to challenges in recruiting skilled professionals.

The ISACA State of Cybersecurity 2021 report found that out of 3,600 security leaders surveyed, over half (61 percent) said they are understaffed, including 14 percent of respondents who believe they are “significantly” understaffed. Jonathan Brandt, information security professional practices lead with ISACA, said at this year's RSA Conference on Monday that the cybersecurity workforce shortage is a critical issue because understaffed teams translate to a higher number of successful cyberattacks.

“Despite efforts by the government and industry, little has changed,” said Brandt. “One challenge is that while jobs are in high demand, few entry-level opportunities leave few entry points into the field.”

Bridging the Skills Gap

One prevailing pain point for companies in hiring cybersecurity talent is a lack of skillsets. In the ISACA report, the majority of respondents (50 percent) said they do not believe their applicants are well qualified for the position they are applying for. When asked about the biggest skills gaps viewed in today’s cybersecurity professionals, some respondents pointed to technical know-how - such as security controls implementation, software development-related topics and data-related topics or coding skills. However, the majority of respondents (56 percent) pointed to a lack of “soft skills.”

Caitlin McGaw, president at Candor McGaw, said more cybersecurity job descriptions are being developed that look to bring in well-rounded employees with soft-skill attributes, particularly emotional intelligence and the skills needed to more effectively communicate in order to solve problems.

“CISOs are looking for candidates who understand and manage their own emotions, in order to communicate and empathize with others and resolve conflicts,” said McGaw. “Resilience is another attribute - having optimism and grit, and being able to push through when you face challenges, is important in cybersecurity where people have to be able to get back on the horse in order to solve problems if something happens.”

In order to cultivate these types of skills, McGaw called for cybersecurity master’s and undergraduate programs to better underscore soft-skill development, such as an emphasis on group projects.

“Looking at top universities’ cybersecurity master’s programs, there’s not much outside of the hard skills, or teaching of technical skills, which does not necessarily foster strong soft-skill development,” she said.

Recruiting ‘Unconventional’ Talent

Beyond these skillset challenges, the cyber workforce gap in general continues to be an issue for businesses looking to bolster their security standing. The jobs are there - 55 percent of cybersecurity leaders surveyed by ISACA said that their organizations have unfilled, open positions - however, businesses are still struggling to hire cybersecurity professionals.

In order to manage the cybersecurity workforce gap, Cisco Chairman and CEO Chuck Robbins stressed at RSA that companies need to look in “unconventional places” for candidates with “unconventional backgrounds” - as well as focus on continually developing the skillsets of existing employees.

“We have to train people, re-skill people and develop existing talent in order to make it easier for them to get into cybersecurity,” he said.

Gregory Touhill, president of AppGate Federal, agreed, saying that he has observed enterprise employees who were not from traditional cybersecurity professions - including auditors and controllers or even former air force security police officers - make a natural pivot into cybersecurity due to existing skillsets, like business process analysis.

“Hiring managers need to strive for someone to work within the job description, but also branch out beyond it,” he said. “We’re looking for people who move quickly on their feet and adapt to change.”

In order to hire these types of employees, McGaw said that hiring managers need to be willing to look at people who fit the need for the job, beyond merely looking at certifications and technical background experience.

“The key is having a welcoming culture… we need better job descriptions that don’t discourage people from applying,” she said.