Just watching the news in recent years — from WannaCry and NotPetya outbreaks, to the recent Colonial Pipeline ransomware attack — cybersecurity is one of the most pressing issues of our time. In the past two decades, amateur hackers have grown into full-fledged cybercriminals, stealing passwords and money from consumers and businesses all over the world.
At organizations both large and small, cybersecurity professionals have been thrown into an unprecedented storm, facing some of the toughest issues. Despite an ongoing shortage of qualified cybersecurity personnel, teams across public and private sectors are working hard to tackle new challenges and protect their organizations.
For large global enterprises and fledgling startups alike, a strong security posture is a business imperative. As the digital transformation of business accelerates, cloud adoption grows, digitally connected workforces disperse out to remote home offices, and the Internet of Things brings more devices and objects online, cybersecurity professionals and technologists are facing tough challenges to protect our assets. Verizon's "2021 Data Breach Investigations Report" has shown us that threat actors continue to adapt to this ever-evolving attack surface. Meanwhile, the industry faces another problem: Cybersecurity professionals are in high demand but short supply. This skill shortage is impacting how we can respond to and mitigate attacks. One (ISC)² Cybersecurity Workforce Study puts the global cybersecurity talent shortage at more than 4 million people.
According to Gartner, with the uptick of attacks in the last several months, in part due to increased remote working and online shopping, the global pandemic has further escalated this situation. It's a common phrase we hear in the field — "there just isn't enough talent."
With Cybersecurity Awareness Month in progress, this important moment should be a stark reminder to not only implement good cybersecurity hygiene but also to reignite our commitment to narrowing the gap in our talent shortage. It will take the entire industry to accomplish this.
One way to address the ongoing problem is to expand and reevaluate our own requirements when it comes to hiring and implementing apprenticeship programs and training for individuals who haven't been on a traditional technology career path. Cybersecurity problems are complex and broad, so increasing the mix of our talent pool should be a top priority. While many security issues can be mitigated by artificial intelligence and machine learning, there are other tasks that can only be solved by people. Young up-and-coming cyber defenders, working alongside seasoned veterans, can bring a fresh perspective while getting valuable on-the-job training as they launch their careers.
We must break out of our traditional models of what we think a cybersecurity professional looks like and start rewriting our job descriptions. Prioritizing practical experience over degrees is another way to attract strong candidates. We want more people to be part of the industry; it's not just about filling desks or head counts. Unabashed curiosity and the ability to solve problems and think outside of the box are skills we need to focus on when reviewing resumes.
Ultimately, cybersecurity is about safeguarding companies' information assets, which includes keeping their employees' and customers' information secure. There are many professionals from all walks of life who want to lend their hand to help build a safer digital world.
What You Can Do to Grow Your Talent Pool (and Help Our Industry):
- Rethink your hiring strategy: Let's be honest, few cybersecurity professionals began their educational journey thinking, "I want to be a cybersecurity expert!" While many universities have begun launching formal information security degree and certification programs, the field is still relatively new, and the talent pipeline is narrow. To widen that pipeline, consider using fresh, non-gender-biased language for your job descriptions, focusing on core requirements instead of lengthy lists of technical specifications. Also consider candidates who have experience outside the tech field and who will provide a new perspective and ideas to address cyber issues.
- Broaden diversity efforts: The STEM gender gap starts early, and we lose scores of potential female cyber defenders because young girls aren't encouraged to engage in technological curriculum or activities. A similar gap exists in underserved minority communities. Verizon partners with several mentorship- and development-focused organizations (for example, Women in CyberSecurity, Girls Who Code, and the National Society of Black Engineers) to help develop the equitable and representative workforce we need.
- Offer on-the-job training: Upskilling and reskilling are key to closing the cyber-skills gap and the opportunity gap for workers who lack technical skills or a four-year degree. For example, through partnerships with Generation and Multiverse, Verizon provides candidates with paid on-the-job training and skills development in areas like software engineering, cloud, and IT. We also turn to our own ranks for new talent, offering an infosec-focused upskilling program and tuition reimbursement to help build our security workforce "from within."