The cybersecurity talent gap

How and why we keep missing the mark

Cybersecurity Jobs Report: 3.5 Million Openings in 2025
(cybercrime magazine, 2021)

How long have we been talking about this subject — 5, 10, 20 years? I’ve been in cybersecurity for almost 30 years and trust me, it was an issue back then as well. It’s frustrating that we all agree with the issues but can’t implement change. In my opinion it is worse than ever. Since this month’s magazine theme is Human Resources, I’ll try my best to blend all this together. A challenge for sure but worth the effort. 

Let’s talk about education first. Almost all higher education institutions now have cybersecurity curriculum and there are many trade schools that teach cybersecurity. There’s also a ton of specialized training and certifications one can achieve to get in the industry. Heck, we’re even teaching cybersecurity in K-12 now and it’s not just to teach them how to protect themselves against cyber threats, it’s also to get them interested in a career path that can be very rewarding. So why the shortage? Here’s another of my opinions. We’re not teaching the right things.

I’ve been teaching cybersecurity the past 12 years. The first curriculum I taught was very technical such as pen testing, vulnerability and patch management, firewall management, intrusion detection, security frameworks, etc. Those classes were very small and the main comments were, “It’s too technical or I’m not technical.” So, we started another education path with more of what I call the workspace skills in cybersecurity. Communication, collaboration, risk management, leadership, etc. Those classes started filling up quickly and it certainly helped get more people interested that in the past wouldn’t have considered it. But, when they got their first job in cybersecurity, they learned they weren’t exactly prepared. I met a person recently who had graduated from a very respected university with a degree in cybersecurity. His first job was on the vulnerability management team for a major bank. I asked how he liked his job and career. His response was, “It’s a boring job and I’m looking to get out.” I translated that to mean it’s a technical role, he’s not technical and he’s giving up. 

Note to Human Resources and Leaders: If you hire someone in a cybersecurity role, let them know it’s technical and they will need to develop their technical skills. Also let them know there is nothing boring about cybersecurity. If a person in another department is transferring to a role in cybersecurity, be sure and set them up for success by providing the technical training they will need in the role.

Now let’s talk about pay for cybersecurity. It’s kind of a sore subject for me. I recently noticed a job posting for a security analyst with a starting pay of 45k. I assumed entry level until I read the requirements. There was nothing entry level about it — there were a lot of technical requirements. I was at that pay level back in 1994 and I had the technical skills and requirements. So, who is going to fill these roles? Someone who meets the requirements is probably going to move on. The organization ends up taking a risk on someone willing to accept the pay and will spend a lot of time and money to train them — only to lose them to higher paying jobs — or the organization “settles” for someone who will work for that pay range and never gain the skills required, exposing the organization to risks. 

Note to Human Resources and Leaders: Be willing to pay your cybersecurity talent according to their skill set and abilities and be willing to increase their pay and provide training to keep them. Don’t just hire the first one to accept the pay. Be prepared what you must do to get the right person and keep them. 

Texas Bankers ISAO:

If your community bank would like to receive more information on our cybersecurity services, please don’t hesitate to reach out to me at [email protected] or visit www.texasbankers.com/tbisao.