The skills shortage within cyber security
Author: Nicola Lumb | Date published: 07/06/19
More than 50% of organisations report a “problematic shortage” of cyber security skills and there is no end in sight, but what is causing this skills shortage?
According to a global study of employer demand for cyber security expertise, the UK was identified as the second worst in the world. Employer demand outweighed candidate interest by more than a third, with only 31% of the cyber security jobs posted being searched for by candidates. There were more jobs posted than in other countries, but the research shows there simply are not the candidates to fill them. So, what are the issues creating this skills shortage? And no, let’s not just blame Brexit (although it probably won’t help, we’ll leave that for a different article!).
Diamonds in the rough
Clients are looking for the finished article instead of looking for the diamond in the rough. Job specifications are a shopping list of everything they want a candidate to be: “Sheila, you can’t have a SOC analyst for £25,000 with a CISSP, OSCP and GCIA who is also an ambassador for Unicef, grows prize-winning marrows and is an ISO27001 lead auditor.”
Just looking through this can be daunting; no wonder there are fewer applications. If the candidate does have everything the job specification mentions, why would they move to a similar job when they want to develop in their career? Companies need to reassess what they need and make sure they are looking for a diamond in the rough.
Would you prefer a candidate who is an expert in your tech stack but gets bored within a few months and looks to move on, or would you want someone slightly more junior with a passion to develop further, who you can mould? Junior candidates might not be able to hit the ground running, fixing everything possible, but what they will do is show loyalty to the company for giving them a chance to develop.
A recent tweet stated, “I think it’s interesting that UK is expecting cyber security experts hold some form of PHD successfully eliminating 90% of its hacking talents”. This highlights not only how companies (some companies, not all are bad at this!) are looking for that unicorn, but also how candidates are becoming disillusioned with the current recruitment processes within the cyber security sector in the UK.
Talent conveyor belts
The top roles in the sector have fewer potential candidates available. The best way to solve a skills shortage is to promote from within, creating a conveyor belt of talent.
If you are looking for a senior malware analyst, is there someone internally who could make the step up? Maybe a SOC analyst who has a background in development, or a software engineer with a passion for security?
By promoting from within, you can then look to replace these employees with people at the start of their career who are looking to develop within a company. This creates a culture where employees are rewarded for dedication and loyalty rather than seeking new roles every couple of years.
Graduates, graduates everywhere
Within the UK there are plenty of graduates looking to get into the cyber security industry. At a recent event at the University of South Wales there were approximately 100 students getting an insight into the industry, finding out what employers look for in their graduates. They were all eager to get into cyber security companies either as their first job, on graduate schemes or on apprenticeships.
This is one university, so across the country there is an abundance of talent looking to get into their first role. These graduates won’t have used all the technology and they won’t have all the commercial experience required for the role; however, they will have a passion to learn and develop, giving you talent you can mould to fit your company.
Think outside the box
Candidates may have become disengaged with traditional recruitment methods; after applying for 10 roles and not receiving feedback, they have become disillusioned. It is therefore essential for companies to go out and become Inspector Gadget, seeking out talent in different areas, whether that is social media, networking events or hacking challenges. Candidates who might not work in cyber security might like hacking as a hobby.
We recently helped a candidate with no commercial experience, but who’d just done their OSCP and OSWP, find a new job. Do you think they would be offered a role as an Ethical Hacker within a corporate environment, or would they be left out of the process because they haven’t got the right ‘key skills’ listed within their CV on the job boards?
Check out what the Cyber Security Challenge UK are doing by creating competitions for candidates, or the IASME community SOC powered by unemployed neuro-diverse people, or Immersive Labs with their training platform; maybe the skill set you are looking for can be found here rather than through the traditional methods of recruitment. “When you look under the rocks and plants, and take a glance at the fancy ants”, there are quite a few you might want to try.
It’s clear from the research that there is a skills shortage within the UK cyber security sector. There are fewer ‘star’ candidates applying for roles, but the best way to combat this is to reassess your recruitment strategy. There are more and more avenues for sourcing candidates, and companies must engage with non-traditional recruitment methods, or use someone who knows about them, to help them bridge the gap. Ultimately, the talent is available; it is just about knowing where to look.
If you’re hiring cyber security talent and you want some extra advice, please get in touch.