Cyber Talent Acquisition Woes for Enterprises
Enterprises face significant challenges when it comes to acquiring and retaining top cybersecurity talent. Here are top challenges and how to address them.
The cybersecurity landscape has evolved significantly over the years, with digital threats becoming more sophisticated and frequent. In this ever-changing environment, the need for highly skilled cybersecurity professionals has never been more critical. However, enterprises continue to face significant challenges when it comes to acquiring and retaining top cyber talent.
State of the Cyber Workforce
Historically, the cybersecurity profession has been plagued by a talent shortage. Organizations struggled to find qualified individuals to defend against cyber threats effectively. While there have been recent improvements in the supply and demand of cyber talent, a pressing question remains: what is driving these marginal improvements?
Data from cyberseek.org shows cautiously promising trends over the past year, with the supply of cyber professionals compared to the demand of employers (quantified via available job openings) moving up from 69% in 2022 to 72% in 2023. The last time the data trended in a positive direction like this was in 2012—over a decade ago. However, one cannot discount the fact that the past year witnessed significant layoffs affecting organizations with large cyber teams and professionals, and as such, far fewer job openings being posted to recruiting sites.
Another thing to keep in mind when understanding the state of the cyber workforce is that the cybersecurity field is a highly dynamic one. As the technology and threat landscapes evolve, so do the demands for specific skill sets and expertise; take the viral rise in demand for AI skills over the past year as an example. Therefore, organizations are learning to adapt their hiring strategies to align with these evolving needs.
Challenges to Cyber Talent Acquisition
Shortage of People
The persistent shortage of qualified cybersecurity professionals remains a significant challenge. The demand for skilled experts outpaces the supply, leading to fierce competition among enterprises to secure top talent. This shortage should encourage organizations to think through how to elevate current professionals in order to make room for entry-level or malleable talent that can be sourced from colleges, professional/trade schools, or other non-cyber business units or professions.
Inadequate Job Descriptions
A critical issue that exacerbates the talent gap is the inadequacy of job descriptions. Often, these descriptions fail to capture the precise competencies and skill expectations required for the job. This disconnect between job descriptions and hiring manager expectations creates confusion and hampers the hiring process.
To exemplify this point, figure 1 below visualizes N2K’s analysis of Identity and Access Management (IAM) related job descriptions and the competencies described within those JDs—defined by knowledge, skill, and ability statements. The analysis illustrates that the JDs fail to fully articulate the true competency expectations of the role when compared to what hiring/job managers describe as important (figure 2) when interviewed about their competency expectations.
Identity and Access Management Job Role Competencies
Figure 1: IAM job role competency expectations outlined in collected job descriptions
Figure 2: IAM job role competency expectations defined by hiring managers via interview
In the images above, 60 competencies are represented and visualized for IAM roles. Each ‘petal’ of the Nightingale Rose Chart represents a distinct competency as defined by the NIST-NICE Cyber Workforce Framework, with the length of each petal indicating proficiency expectations on a 0-5 scale. Competencies are color-coded and grouped into four different Competency Groups: Leadership (teal), Operational (blue), Professional (red), and Technical (purple). Even without a detailed description of the discrepancies, the disconnect is distinct. Visit here if you want to better understand how N2K analyzes work roles.
Misleading Job Titles
Another issue compounding the challenges of talent acquisition is misleading job titles. Many enterprises use broad and generic titles like "Cybersecurity Analyst" or "Cybersecurity Engineer." However, these titles often do not reflect the diverse responsibilities and skill sets required within the cybersecurity profession.
For instance, a "Cybersecurity Analyst" on the Threat Intelligence team may have vastly different competency expectations compared to one on the Governance, Risk, & Compliance (GRC) team. To address this, it's crucial to incorporate functional differentiators into job titles, such as "Cybersecurity Analyst, GRC" or "Cybersecurity Analyst, Threat Intel."
Time to Hire
The cybersecurity hiring process is notoriously lengthy and expensive. Finding and vetting the right candidates can take months, during which time organizations remain vulnerable to potential threats. The lengthy hiring process can result in missed opportunities and increased costs.
While specific statistics vary by industry and region, the general trend indicates that time-to-hire metrics in cybersecurity are longer than in many other professions. For example, a cybersecurity role will take 21% longer to fill compared to IT roles, according to cyberseek.org. This delay can put organizations at a significant disadvantage in their efforts to secure their digital assets.
Organizational Culture and Investment in Cyber Professionals
Cybersecurity professionals are not only seeking job titles and responsibilities that align with their skills; they are also looking for organizations that prioritize their development and well-being. A positive organizational culture that invests in its people can be a significant draw for top cyber talent.
This investment can take various forms, such as providing proper training budgets and opportunities for skill enhancement, flexible work policies (including work-from-home options), addressing staffing levels to prevent burnout, offering clear career progression paths, and creating a supportive environment that values the contributions of cybersecurity professionals.
Organizations that demonstrate a commitment to their cyber teams' growth and work-life balance are more likely to attract and retain top talent. In a competitive job market, these cultural aspects can make a substantial difference in talent acquisition efforts.
Addressing the cyber talent acquisition challenges faced by enterprises is crucial for their long-term success and security. The evolving nature of the cybersecurity field demands adaptive strategies and a willingness to rethink traditional hiring practices.
By recognizing the ongoing talent shortage, improving job descriptions, aligning job titles with actual roles, and streamlining the hiring process, organizations can navigate the challenges more effectively. It's essential to stay agile and proactive in the pursuit of cybersecurity talent to protect valuable digital assets and data.
As we continue to witness advancements in cyber threats and technologies, the importance of cybersecurity talent acquisition cannot be overstated. Enterprises must develop a strategic plan for their workforce, invest in their hiring processes, foster a culture of continuous learning, and create an environment that attracts and retains cybersecurity professionals.
By addressing these challenges head-on and staying ahead of the curve, organizations can better defend against cyber threats and secure a brighter, more resilient digital future.