Building a robust cyber security workforce

Strategies for cyber security recruitment, retention and competency development

5 March 2024. Originally published on CS Hub

With hackers evolving faster than markets, demand for cyber security professionals has surged exponentially. As organizations grapple with the ever-growing complexity of cyber threats, there’s a critical need to not only attract but also to retain skilled individuals while fostering diversity and ensuring competency benchmarks within the industry.

Attracting the right talent is crucial. According to ISACA’s latest state of cyber security report, some 71% of respondents have unfilled cyber security positions, with unfilled non-entry level positions outnumbering entry-level positions two-fold.

Clearly, there are jobs out there that desperately need filling – especially when we consider the fact that cyber crime is predicted to cost the world US $10.5 trillion annually by 2025 – but we also need to ensure people are qualified to do the work required.

Recruitment strategies

This is the Catch-22 situation for those new to the industry; they are keen to work in the sector but lack the proven experience to land a job. Internships, apprenticeships and mentoring programs should be top of every company’s recruitment priorities right now. Add in encouragement to study for entry-level certifications – offered by CREST – and within a couple of years, a new recruit can demonstrate both experience and a certification.

Traditional recruitment approaches must evolve to embrace diversity and create an inclusive environment. Casting a wider net to encourage individuals from varied backgrounds and experiences can inject fresh perspectives into the cyber security realm. There is still a gender gap, with women woefully underrepresented in the industry. In fact, according to Women in Tech, women still only account for around 26% of people working in IT – falling short of the 30% “critical mass” figure where women can feel heard, affect policy and make change.

Adapting recruitment procedures to ensure fairness and equity in the selection process fosters a level playing field, enabling talent from diverse backgrounds to shine.

Emphasize competence over headcount

Developing higher quality people working in cyber involves implementing strategies to attract, assess and retain top talent with the skills and expertise necessary to address evolving cyber security challenges. More rigorous screening processes are key in assessing candidates’ technical skills, problem-solving abilities and cyber security knowledge. It’s good practice to utilize technical assessments, coding challenges and scenario-based interviews to evaluate candidates’ capabilities accurately.

In addition to technical proficiency, prioritize soft skills such as communication, collaboration and adaptability. Seek candidates who demonstrate a strong commitment to continuous learning and professional development.

Ongoing training and development programs enhance the skills and expertise of cyber security professionals. Offering opportunities for certifications, workshops and continuing education keeps your team abreast of the latest cyber security trends and technologies.

Continuously seek feedback from candidates, employees and hiring managers to improve recruitment processes. Iterate on your strategies based on any insights gathered to enhance the effectiveness of your recruitment efforts over time.

While expanding the talent pool is imperative, nurturing individuals who demonstrate genuine proficiency in cyber security is equally essential. Identifying what “good” looks like in the industry is paramount, and aligning recruitment standards with competency-based assessments ensures candidates possess the requisite skills and knowledge.

Retention and competency development

Retention hinges on more than competitive salaries. We are still seeing mid-level cyber staff suffering from burnout, and employment perks and incentives don’t work when people are being pushed beyond their limits. Good talent retention involves fostering a nurturing culture of continuous learning and growth. Upskilling and providing pathways for career progression through recognized certifications empower employees.

Organizations should invest in their workforce, offering training programs that enhance technical skills, foster leadership and build the soft skills crucial for more holistic cyber security roles. CREST certifications, for example, serve as valuable benchmarks for competence. However, a broader perspective on competency is necessary. While certifications are a cornerstone, diverse methods of measuring competency (such as hands-on experience, problem-solving abilities and continuous learning initiatives) should also be acknowledged and valued.

Industry competency and collaboration

To bolster national cyber security capabilities, a collaborative effort is imperative. Industry bodies like CREST play a pivotal role, offering platforms like the Skilled Persons Registry, which provides a global view of competency beyond CREST certifications. However, government and regulatory bodies must step in to further professionalize the sector. Establishing standards, fostering educational and career pathways, and incentivizing cyber security careers can make the field more appealing.

When it comes to growing national capability and capacity, government and regulators must play a larger part in professionalizing the industry, making it more attractive for people to forge a career in or change careers.

Governments and national cyber bodies must constantly strive to keep the skills gap from widening. The challenge here is to continuously monitor what is being taught and trained; we must ask whether the skills being taught today will even be relevant in five or ten years. It may take decades, or a generation, to build up the skill set required to face the challenges of the modern cyber security sector.

We must address the question of whether the skills being developed will be right for the future in the face of unprecedented advancements in technology – including the likes of AI and quantum computing, for example. Governments tend to work on a three- to five-year timeline for campaigns such as cyber recruitment programs – and that simply isn’t long enough.

A holistic view of competency transcends certifications. Emphasizing practical skills, fostering mentorship programs and encouraging industry collaboration can bridge the gap between theoretical knowledge and real-world application. This collaborative approach aligns with the industry’s rapid evolution, ensuring professionals are equipped to effectively handle diverse and sophisticated cyber threats.

Banish burnout

Burnout is a very real problem in the cyber sector. A 2022 study, for example, found that 66% of US and Europe-based security sector respondents experienced significant levels of stress at work. Meanwhile, the Chartered Institute of Information Security’s (CIISec) 2022-2023 state of the profession report showed that nearly a quarter (22%) of respondents work more than 48 hours per week.

Stress and fatigue certainly contribute to missing flags and breaches, and the ever-increasing volume of attack attempts only contributes to people feeling overworked and overwhelmed. Add in the fast pace of start-up culture, and it’s clear a renewed focus on staff wellbeing is required if we are to retain those we’ve spent a great deal of time and energy in training.

CyberMindz is at the forefront of helping employers and employees with their mental health. Confronted with “the intense work demands of an industry that involves often 24/7 vigilance against a growing tide of cyber threats,” CyberMindz was set up to offer direct support to employees to restore and rebuild their emotional and cognitive health and alleviate suffering.

There is hope, for example in the form of CyberMindz’ 36-month Staff Retention and Optimization Plan, which lays the groundwork for long-term mental wellbeing and burnout avoidance.

As the digital landscape evolves, the need for a bigger, more inclusive cyber security workforce becomes increasingly pronounced. Strategies to attract, retain and develop competent professionals must pivot towards inclusivity, competency-based assessments and a collaborative industry approach.

While certifications like those offered by CREST are crucial competency benchmarks, a broader view of competency and a concerted effort from various stakeholders are key to shaping a dynamic and resilient cyber security workforce capable of safeguarding our digital future.