Think of the hottest high-tech regions and two words likely come to mind: Silicon Valley. There’s no question that the area stretching from San Francisco to San Jose continues to be the undisputed world leader when it comes to technology innovation and development, and of course, tech talent. This is especially true for cybersecurity technology and talent. So, naturally, it’s typically the first place many cybersecurity employers look when recruiting.
However, there’s a bigger perspective I feel we are missing, even ignoring: Untapped talent.
We’ve all seen the statistics about the cybersecurity staff shortage. One specific report, The Cybersecurity Workforce Gap, published by the Center of Strategic and International Studies, reports that by 2022, "the global cybersecurity workforce shortage has been projected to reach upwards of 1.8 million unfilled positions." Further, "Workforce shortages exist for almost every position within cybersecurity, but the most acute needs are for highly skilled technical staff." Many other reports put that number above 3 million.
To me, this is both overwhelming, but also puzzling. It makes me wonder how much of the cybersecurity talent shortage is self-inflicted. Here are some of the variables in that equation that we as security professionals can address.
Hiring desires don't align with salaries
A recent Forrester report calls out what many of us in the hiring industry have seen for years: "The deeper failure of bias, expectation, compensation, and commitment to effective recruiting and retention."
Often times, recruiters and hiring managers are looking for superheroes but pay them entry-level salaries. Forrester's Chase Cunningham notes, "Job postings will require a bachelor's degree with five to seven years of experience with all kinds of technology, and a master's degree preferred, but by the way we only want to pay you $85,000 a year."
This alone creates huge alignment problems in organizations and the industry as a whole. You can’t expect to hire world-class talent if you're not willing to pay them what they're worth, and what the market requires you pay them.
Unwillingness to challenge biases
Many people who do not have technical degrees are automatically and immediately disqualified from careers in cybersecurity. This is a serious problem. While I understand the technical nature of many positions in this space, one can have immense technical knowledge and talent, without a computer science degree.
One of my industry colleagues told me that some of the best software engineers in his company had philosophy degrees, not engineering degrees. Cybersecurity also needs non-technical talent to help lead the next phase of what we need - strategists, leaders, product leaders, and facilitators to help companies better protect themselves.
One of the places I’ve personally seen such incredible talent is Northern Ireland. The country has such diversity in its talent pool, and most don’t realize it. This may be a shock, but Northern Ireland is now the top area in the world for investment in US cybersecurity development projects. The region boasts an impressive roster of international companies as well as innovative cybersecurity startups, and it’s all supported by world-renowned university research and a strong incubation and entrepreneurial ecosystem.
Northern Ireland was also ahead of the game in foreseeing the need for cybersecurity education and training and has been investing heavily in it for two decades, with government, academia, and the private sector teaming up to encourage widespread adoption. The result is an absolute hot spot for world-class talent. We would not have known that this country was such an amazing pool of talent had we not started to challenge our assumptions about hiring in the cybersecurity industry.
The Bottom Line
The cybersecurity threat landscape doesn’t look to be changing any time soon, so the need for skilled talent will only continue to grow. But we need to start looking everywhere for talent, not just what and who we think are the right candidates and backgrounds.
Remember what Silicon Valley used to represent – that anyone, from any background, was able to create something from nothing, to defy the odds, to prove that technologies can be built by those with different viewpoints and qualifications, and still drive huge innovation, the very innovation that was fueled by recognizing that talent can come from all countries, experience levels, and different educational backgrounds.
- Rethinking Cybersecurity Hiring: Dumping Resumes & Other 'Garbage'
- Tips for Writing Better Infosec Job Descriptions
- It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job
- Indeed.com: Slight Dip in Clicks on US Cybersecurity Job Listings