Improving the skills of IT security talent, a smart bet
With demand for cybersecurity professionals at an all-time high and companies facing severe staffing shortages, organizations should look to developing young cybersecurity workers as an employee retention strategy, according to a report from (ISC)².
The study, which surveyed 1,250 hiring managers at small, medium and large companies in the US, Canada, UK and India, also recommended organizations look outside the traditional cybersecurity candidate pool to build resilient teams at all skill levels.
Among the findings: All study participants are responsible for hiring entry-level and junior-level positions in their organization, with 91% having hired staff at this level of experience in the past two years.
Entry-level and junior practitioners combined make up nearly two-thirds of participating organizations’ security teams on average, while larger organizations tend to have higher percentages of more experienced professionals on their security teams, according to the study.
Train talent at all levels
“Cybersecurity talent shortages are currently being felt across all types of roles and at all levels,” said Michael Skelton, senior director of security operations at Bugcrowd, an outsourced cybersecurity provider. “Positions remain open for months and qualified candidates have a plethora of options available to them. To meet the necessary demand from our industry, we absolutely need to train more people at all levels.”
Generation Z and cybersecurity
He noted that the youngest generation in the workforce, Gen Z, is the generation that grew up “pushing all the buttons” to see what happened.
“They are dynamic, creative and passionate, which makes them perfect for an industry where creativity thrives and curiosity is needed,” he said.
His advice is: hire to train, don’t hire just to fill a seat.
“When hiring entry-level positions, also reposition or hire abilities to train,” Skelton said. “Having dedicated roles internally to grow new candidates, along with a culture of knowledge sharing and allowing for mistakes in the learning process is critical to the success of such programs.”
The report notes that previous research has highlighted some challenges when identifying qualified cybersecurity job seekers.
“The trend for many organizations is to seek candidates with the highest technical qualifications and relevant certifications, but expecting those qualifications is unrealistic for entry-level and junior candidates,” he said.
Joseph Carson, chief security scientist and advisory CISO at Delinea, a provider of privileged access management (PAM) solutions, noted that recent initiatives, including commitments to provide more security awareness training and more cybersecurity jobs, are a good step.
“However, we have to prioritize what we can do now and what we need to do in the future,” he said. “We need to accelerate the need for skilled cybersecurity workers and get them into the industry quickly, as the skills shortage is only getting worse.”
From Carson’s perspective, incident response and business resilience are areas where organizations will need to attract and retain the most resources and talent.
“When security controls fail to prevent attacks, it means the business must turn to its incident response and recovery capabilities to get the business back up and running,” he said.
He explained that in addition to incident response, a strong backup strategy that reduces the risk of ransomware, a strong privileged access security solution, and multi-factor authentication (MFA) will make it harder for attackers to succeed.
Andrew Hay, chief operating officer at LARES Consulting, an information security consultancy, said he was personally a strong supporter of hiring workers who will then be trained on the job. Hay added that he has used this method in the past to develop ambitious and creative individuals in various roles.
“However, not all companies can wait for the person to gain the work experience required to have the short-term impact they seek,” he noted. “Some organizations need a qualified person immediately and can’t – or won’t – wait to train someone who could grow into the role.”
To ensure this approach of hiring entry-level security professionals for their potential pays off, Hay said it’s important to create a formal program around this strategy.
“Set your expectations early and measure candidate success against those expectations,” he said. “Also, overcommunicate to make sure everyone understands what’s expected.”
Lost in translation
Mark Lambert, vice president of product at ArmorCode, an application security provider, agreed that cybersecurity is an “extremely hot” job market right now.
“It’s especially hot for people who have the ability to communicate with development teams,” he added. “The biggest challenge organizations face is that they can’t find individuals who can translate security concepts into actions that development teams can perform quickly.”
Lambert said the first of the top three things he would recommend graduates focus on when entering the workforce is awareness of the software development process.
“If you haven’t already, go online and take a free Java development course, create a GitHub project and learn the basics – you don’t even have to set up any tools on your computer; it’s all in the cloud,” he said.
The second is to run security tools on an open source project. He named WebGoat or JuiceShop as two Open Web Application Security Project (OWASP) projects that many companies use to evaluate security tools.
“And many security tool vendors have free or community versions,” he said. “Get free accounts set up and run them on open source projects or public websites and learn how these tools work.”
Third, he recommends that those entering the IT security workforce be part of the community.
“Find an OWASP chapter in your area and start networking,” he said. “Attend the sessions – many are still virtual – and indicate on your CV and on LinkedIn that you are a member.”