The choice to study IT or computing often begins in school, and (unless you’re me) is a choice many give a lot of thought. One qualification leads to another, gradually increasing in difficulty, prestige and investment, and eventually someone walks through the door to that first job, completing a journey that began some years before.
This may have been the traditional career path once upon a time, but especially in the technology industry, recent demand has been far outstripping supply, contributing heavily to the cybersecurity skills gap. Recent investment in cybersecurity and its emergence as a core pillar for all businesses also means that professionals in the field are some of the most highly sought-after.
While the term ‘skills gap’ is often thrown around rather casually, the statistics reflecting its impact paint a concerning picture. According to the recent ISACA State of Cybersecurity report, Europe alone is experiencing a shortage of between 260,000 to 500,000 qualified cybersecurity professionals. Worldwide, 62% of cybersecurity teams are understaffed. 78% of cybersecurity leaders believe that most organizations are under-reporting the number of attacks.
So what skills, qualifications, and mindset does someone looking to ‘bridge the gap’ in cybersecurity need?
A bridge needs good foundations
According to Dr. Joye Purser, “On the job experience is number one. It is gold.”
Now, Dr Purser is someone whose advice is worth heeding - in terms of experience, you don’t get many more experienced than her.
Former White House Budget Lead for Defense Technology, and now Global Lead for Field Cybersecurity at Veritas, Dr Purser knows a good deal about the industry.
Speaking from my own experience (which pales in comparison), I know that entry-level positions are overwhelmingly competitive - and if you’re not the best at what you do, with the experience and qualifications to back it up, you often don’t stand a chance.
Unfortunately, the cruel irony that haunts many applicants is that they lack the experience needed for a position in which they could gain said experience.
Retention in the past few years has also been a significant struggle for cybersecurity teams, as job-hopping - the practice of climbing the career ladder by changing jobs every few years - has become the norm.
So why spend the money and time training a new starter who will inevitably leave after being trained up, when you can poach a fully qualified professional by throwing those would-be training costs into their salary?
Well the supply of professionals is not cyclical, and eventually someone somewhere needs to hop on the cycle. Luckily for those looking to enter the cybersecurity industry, you need not go back to school. In terms of the soft skills you need, Dr Purser, in common with many industry leaders, believes in problem solving.
“When you are faced with a challenge - whether that be a difficult conversation, whether that be a complaint, whether that be a challenging assignment - rather than to react in frustration, to have a spirit of curiosity and think, “Hmm, how can we resolve this?”.”
Adapting to a changing world
This ‘spirit of curiosity’ was a phrase that stuck with me. The world of cybersecurity is changing constantly; new threats are emerging; new technologies are being developed; new individuals with both malicious and good intentions are entering the field, meaning no two days are the same, and there is always something new to learn.
“I also find that being a communicator is quite important,” Dr Purser expands, “because as a cyber security professional you may need to have some depth of technical expertise, but then you need to understand the audience at a higher executive level and talk about how that ‘gap’ or ‘vulnerability’ can result in risk to the organization- and if you can communicate in terms of risk, then that's how you are able to affect change within a business.”
This is clearly a skill that has shown very tangible results among executives, with 63% now ranking cybersecurity as their primary business concern and 74% stating that their C-suite is fully invested in its relationship with its security team.
“The more that the good guys can share information, which is built through trusting relationships, the better off we will all be.”
The hard skills required for the cybersecurity field are a different beast entirely. The top five listed in this year's ISACA State of Cybersecurity were; identity and access management (IAM); cloud computing, data protection; incident response; and DevSecOps.
“Now, at entry level, cybersecurity is a tremendous equalizer in that it doesn't take a formal education. So those who are of lesser economic means need not be able to or need not go to university to be a competent professional in cybersecurity,” notes Dr.Purser.
“They need to have a willingness to learn new things and get out of their comfort zone. I was just sharing that last year I obtained my CISSP certification (Certified Information Systems Security Professional). CISSP is the gold standard in the cybersecurity industry. I took a one week boot camp last year and the number of students in my one week boot camp class was one student, and it was me.”
“It's very intense - eight hours a day of really intense delivery of really detailed information. It was intimidating, and the five hour exam was intimidating, but I passed it on the first try. So that's an example of how at any level, cyber security requires you to get out of your comfort zone in order to be successful.”
Internal training vs external hiring
It’s important to note that many businesses from the mid-size all the way up to global enterprises will have a dedicated cybersecurity department responsible for protecting business infrastructure and data from attacks.
According to ISACA, one of the main ways that businesses are looking to mitigate skills gaps internally is via ‘training to allow non security staff who are interested to move into security roles’. Whether that training is done in-house or through a third party, there are fantastic opportunities available for employees to switch to the cybersecurity field.
Dr. Purser was keen to highlight the support that is available to those looking to retrain or upskill for the cyber security industry. “There are some non-profit organizations that facilitate the wrap around services for entry level cybersecurity professionals in which businesses will pay for the internship or the apprenticeship and then the non-profit helps with coaching, helps them generate a resume, helps them understand appropriate business behavior, business attire, emotional control - all the things that are required to succeed in a business environment. Those are really shining examples of how to help early career people get into those jobs.”
Another method of combating the cyber shortage is through encouraging more women into the field. As we have already seen, getting into the cybersecurity field is something that can be done by anyone at any level, so what are the factors that are particularly important for women?
“I think that there are very few women at the top leadership levels in cybersecurity and one strategy is for the leadership of the organization to mentor and coach women who are at mid-career level because it's really important for anyone at mid-career to have access to assignments - professional assignments - that are highly visible throughout the organization because that allows them the visibility to be seen for the quality of their work- to be eligible for promotion,” Dr Purser notes.
Ambition is another skill that Dr. Purser reflects on her own journey into the field of cybersecurity. “I’ve always been eager to pursue professional activities where I can really see the results of my work and one central thread running through most of my professional experience has been the promotion of new technology and the promotion of innovation.”
“I entered the cybersecurity community in 2010, much by happenstance, and I would say that I enjoy it because being able to protect others and helping others just makes me feel good, that I'm on the side of the good guys, and that the challenges every day in security are new and that really at the end it's about problem solving in order to help others.”
