Overcoming the cybersecurity talent and skills shortage
Pionen, as a cybersecurity consulting firm, is often asked to help customers overcome their lack of capacity and capability. We step in to support delivery of their projects, ultimately because there is a huge gap between demand for and supply of cybersecurity professionals.
To address the talent shortage we obviously need to attract more people into the cybersecurity sector. But there are major problems with staff retention. Much effort goes into recruiting professionals, but not enough into retaining them.
Staff tenure in cybersecurity is typically around 18 months to 2 years, and is unfortunately falling, with people often on the move even sooner. This is across the board, not just in the public sector. Often, staff leave almost as quickly as new hires arrive.
Understanding the reasons why people are looking to move on is crucial, and it usually comes back to the management of the team. Many cybersecurity professionals feel like they have been left in the doldrums.
To retain staff, managers need to sit down with individuals and understand their career aspirations, create a clear plan, and work with them to execute it. This makes them feel listened to and gives them a future in the organisation. Mapping this plan against their skill sets, education, training, qualifications, and badges helps to build an employer value proposition that improves retention rates. Word spreads, and the organisation becomes more attractive to potential hires.
There are examples of organisations that have made a real impact and hung onto their staff, but there is still much work to be done. Many job specs contain unrealistic wish lists. However, organisations can consider hiring more junior staff, even if they are too busy to train them.
Of course, working in the public sector comes with constraints, particularly around money. But many cybersecurity professionals stay in the public sector because they have a higher purpose: to protect and secure the networks that keep society going. Organisations can recruit purpose-driven graduates and provide them with interesting projects to keep them engaged and trained. It's essential to help them make a career for themselves, rather than hiring them and then abandoning them in the SOC for years.
Long-Term Strategy
Recruiting ten people and losing four or five is not ideal, but it's a numbers game. Organisations need to take a long-term view: create a conveyor belt, and a talent academy that can train and promote staff.
The UK Cyber Security Council does fantastic work mapping out careers and qualifications for young people. There is also a push for more diverse and balanced shortlists. While the number of students opting to study computer science in the UK is rising, the subject has the biggest gender gap in the curriculum: this imbalance must be addressed. The NCSC is doing fantastic work getting into schools to get kids interested in cybersecurity and technology. Salaries in the field are going through the roof: we need to fan the flames and get kids engaged from an earlier age.