By Reinier Moquete, Founder and CEO, CyberWarrior.com
Attackers are constantly evolving the tools they use, learning how defenders are protecting data and finding the gaps to get in. Defenders need to plug all the holes, while attackers only need to find one. Couple this with the fact that we are living in transformational times, where generative AI models are being primed to ingest vulnerabilities and auto-exploit them, and the urgency of tackling vulnerabilities only increases.
Today’s available cybersecurity workforce isn’t keeping pace with demand. Despite adding nearly 500,000 workers to the industry in 2022 — increasing the total employee number to 4.7 million — the gap is growing faster than the actual headcount.
While it’s true that businesses and governments are trying to protect society, from K-12 schools to critical infrastructure, it’s also clear to industry professionals that they are overwhelmed by the speed of attacker innovation. They are not ready for the implications of automation and artificial intelligence technology being weaponized to gain ground against defenders who spend most of their time responding to security alerts and putting out fires. With rare exceptions, namely the banking industry, innovation is nowhere to be found in security programs because those who control budgets often don’t understand its value.
Partnering with managed security services providers is often necessary to combat cyber warfare and advanced cybersecurity threats. Even with those partners under contract, there’s still a gap in finding the internal talent organizations need to run the other components of their security program. What is causing this void, and how do companies and government agencies satisfy their growing need for cybersecurity expertise?
- Hire those with the same hunger as attackers, not an army of passive participants.
The shortage of cybersecurity professionals is a pressing concern, requiring a concerted effort to nurture new sources of human capital. Finding and vetting cybersecurity talent is a rigorous process due to the critical nature of the work, leading to longer hiring cycles compared to other fields. Many organizations rely on outdated methods that don’t effectively identify candidates or assess real-world skills, leading to misalignment with business needs.
Historically, hiring managers have looked for candidates with pre-existing knowledge and skills, particularly those with specific problem-solving abilities. Given that most security tools today are AI-enabled and can automate a large percentage of tasks out of the box, recruiting managers are facing a shift in hiring strategies and must adopt different ways to define skill requirements and vet for them. The focus now lies in finding talent who understand the bigger picture, including the overall architecture and how the various pieces of the security program come together, who can execute platform integrations, and who can triage risks based on the priorities defined by management.
You don’t need an army of people; you need committed cyber warriors who are hungry to learn new things, regardless of how many personal hours on nights and weekends it takes, and who have the level of determination that attackers have. You need to focus on hiring people who are willing to put in the work to stay one step ahead, people who are constantly researching new threats, innovating, and growing.
- Cultivate entry-level engineers to ensure equity of opportunity and a loyal talent pipeline.
The industry is grappling with burnout and high turnover, exacerbated by regulatory pressures such as the SEC’s requirement for swift breach disclosure. To address this, companies must cultivate entry-level security engineers to ease strain and pave the way for tomorrow’s coveted architects. Unfortunately, and for reasons that are core to the talent gap, entry-level positions often have stringent prerequisites like degrees, years of experience, and high-end certifications, deterring potential candidates.
Underserved communities face additional obstacles in accessing cybersecurity training, including limited awareness, financial barriers, inflexible programs, language constraints, and technology limitations. The lack of inclusion in the field is a significant concern, as it hinders the opportunity for fresh perspectives and out-of-the-box solutions born from diverse thinking.
As the saying goes, “comfort creates weak men and struggle creates strong men.”
People who have gone through adversity often grow up the most tenacious – the best example of that is America’s history as the country of immigrants and of people who risked everything in search of opportunity. This great American experiment is only 250 years old, yet we are the undisputed world leaders… why do you think that is? Because people who cross oceans in wooden boats and walk through deserts are relentless. These people have few options for economic prosperity and have the perseverance to push through obstacles towards improving the wellbeing of their families.
That grit, that hunger, that commitment to uplifting themselves and their families, that is usually the profile of black hat hackers – yet not necessarily of defenders who have been raised under the blanket of privilege and comfort that a middle-class upbringing affords them. On the other hand, if you give economically disenfranchised people an opportunity, wait until you see what they will do to keep their seat at the table. Tapping into this pool of talent will define not only successful cybersecurity programs but also successful companies that can compete within the fast-evolving global marketplace we are living in today.
- Leverage global talent solutions
In the current market landscape (“Internet 3.0”) many of the barriers of communication that existed over the last decade or two have been removed. This opens the door for organizations to operate beyond geographic boundaries, embrace a global approach to talent, and ensure financial sustainability via business models of shared value as the cornerstone of their corporate strategy.
For most business transactions, we just want an outcome at the lowest possible cost. Leaders must look at their four buckets of talent (full-time employees, contractors, project-based engagements, and managed services) and create a culturally-aligned workforce strategy that integrates global talent and domestic personnel as a way to optimize costs. One region that is developing into a hotbed for technical talent is Latin America.
From time zone proximity to the U.S., which means a better work/life balance for both teams, to cost savings, language proficiency, flexibility, availability of talent, and regulatory familiarity, Latin America is an example of an emerging market without large pre-established global delivery centers yet with the necessary infrastructure to become America’s primary talent supplier. Companies that don’t have a business model that integrates global talent supply chains are already at a competitive disadvantage.
To meet the demand for security professionals, collaboration is essential: revising entry criteria, offering accessible training options, and fostering talent sourcing programs that leverage a diverse talent pool with untapped tenacity. By embracing these strategies, cyber resiliency can thrive, protecting our increasingly digital world and reflecting the strength of global interconnectedness.