Make or buy? 5 tips for fostering cybersecurity talent

In this skills emergency, organizations can easily get ambushed in the ‘make or buy’ debate.
4 December 2020

Even before the arrival of COVID-19 prompted UK businesses to embrace remote working at speed, and at scale, the cybersecurity skills shortage was already a significant problem.

Now it’s been brought into even sharper focus. Today, close to half of all businesses admit they have a cybersecurity skills gap. Close to another third say the problem is “advanced”.

In this skills emergency, organizations can easily get ambushed in the ‘make or buy’ debate. But hiring new talent is just part of the solution — once people are in the role, they will still require ongoing development to keep their cyber skills current.

Plus, finding and keeping top talent for the long term will also require some strategic thinking when it comes to supporting people in roles and providing the long-term career opportunities that keep people engaged and motivated.

Ultimately, building a sustainable cybersecurity workforce requires a hybrid approach that is focused both on acquiring top talent with specialist skills and on retraining and upskilling existing staff. Truly smart firms will also cast their net wide to consider other potential internal candidates with the aptitude, attitude, and competencies to become the security stars of the future.

One thing is for sure: the cybersecurity talent shortage isn’t going away anytime soon. With the number of unfulfilled cybersecurity jobs predicted to hit 3.5 million by 2021, even companies with deep pockets will struggle to buy in all the talent that’s needed to close the security skills gap.

# 1 | Think outside the box where recruitment is concerned

Many businesses apply the same old conventional job posting and recruitment channels in a bid to fill all kinds of cybersecurity roles, overlooking the less obvious but, in my opinion, often richer sources of potential candidates who will have the exact skills or experience required for an advertised role.

Many IT leaders are already active participants in a multitude of knowledge networks and communities, whether that’s infosec conferences, threat intelligence forums, specialist user groups or platforms like Twitter. These represent a rich seam of opportunity when it comes to ‘meeting’ and evaluating potential candidates who represent an exact match for their business.

These alternative routes to finding the specialist go-to skills that the company needs can prove to be highly targeted and productive.

# 2 | Repurpose and grow

Before advertising a position, look at the existing team of personnel to see if there is someone who can be developed to take on the role. Already familiar with the company and the culture, these people will be able to hit the ground running once they’ve acquired the additional skills and capabilities that are needed.

Ultimately, ensuring that everyone in the existing team has a defined career path, complete with development plans designed to further build out their technical capabilities, is the key to retaining a highly motivated cyber workforce.

# 3 | The art of attraction and retention

More organizations need to invest more time and effort into a well-structured workforce management program to ensure the enterprise gets – and keeps – the cybersecurity professionals it needs.

According to a recent global study by ISSA and ESG, 70% of cybersecurity professionals still don’t have a well-defined career path. And while 29% wanted their organization to provide more cybersecurity training, 44% rated hands-on experience as equally important to becoming competent in a new field.

Clearly, companies need to rethink how they develop the skills, roles, and proficiencies of their teams. A tick-box certification program isn’t enough – people need managed exposure and opportunities to hone their skills in new fields.

# 4 | Widening the net

Security teams can help address the talent gap by identifying internal candidates who may not have a security background but have all the right attributes needed to take on a cyber role. These candidates are already familiar with how the company works and are often strong in non-technical skills like teamwork and communication, so accelerating their skills acquisition can pay long-term benefits.

Kicking off a ‘security champions’ program is the first step to identifying who these employees are, together with ‘competitions’ to find people with the right thinking skills. In WW2, the War Office recruited top solvers of cryptic crossword puzzles to work at Bletchley Park.

# 5 | Raising the motivation and engagement bar

Creating the right working environment is key to keeping people engaged and motivated. Alongside great team dynamics and flexible working options, creating a supportive and highly collaborative environment where creative thinking and new approaches are encouraged – and the emphasis is on achieving group goals or outcomes – will be key.

With the pressure on for organizations to up their cybersecurity preparedness, finding – and keeping – top talent requires a holistic and adaptive approach that includes giving the best people the right technologies and experiences they will need – and being invested in their future and success.

This article was contributed by Tim Bandos, CISO at Digital Guardian.