Is the rush to the fill the skills gap threatening technical competency?

There have been concerted efforts to encourage people to enter the cybersecurity profession. Back in February, the UK Cyber Security Council launched its Cyber Career Mapping Tool to help prospective candidates determine if they have transferable skills, for instance, and there’s been more emphasis on the importance of soft skills such as problem solving, communication and leadership by industry groups such as (ISC)2 in its Hirers Guide. But is flooding the market with non-technicals the best way forward?

Rushing to fill the skills gap with semi- or unskilled professionals from other sectors could threaten the integrity of the profession and the resilience of businesses. According to Cyber security skills in the UK labour market 2023, almost a quarter (22%) of cyber sector companies say they currently employ staff who lack the necessary skills needed. Double that number (44%) said the job applicants they have seen lack the necessary technical skills and this is forcing the business to either compromise or wait it out.

Why businesses are struggling

Four out of ten cyber vacancies were described as hard to fill for this reason and 67% of cyber firms reported having hard to fill vacancies. But compromising on requirements can be costly. One recruitment agent noted that in roles advertised for 6-9 months, businesses often resorted to hiring people without the required skills and capabilities but as they then ended up in a role they were not qualified to do, this inevitably led to attrition. 

Staff turnover is expensive because it typically sees the business spend out on training and getting the candidate onboarded can take time, leading to a loss in productivity. Typically it takes entry or junior level candidates six months to get up to speed. Get the hire wrong and you risk not only losing the money you invested in human resource but also creating instability, potentially compromising the security posture of the business.

Playing the long game can also directly impact the functionality of the business, with 44% saying this has inhibited their ability to meet their business goals to either a great or some extent. Another report, the  (ISC)2 2022 Cybersecurity Workforce Study, found the skills gap is preventing security teams from functioning in an optimal way, with 48% struggling with risk assessment and management, 43% reporting oversights in process and procedure and 39% tardy patching. 

Those effects directly correlate with the most prevalent skills gaps identified in the government survey, the top three of which were security testing (35%), governance and risk management (31%) and secure system architecture and design (30%). 

These skills cannot be quickly acquired but nor can any business afford to wait for the trickle of candidates coming through traditional channels (7,000 individuals entered the cybersecurity workforce in 2022 leaving a shortfall of 11,200 people). In fact, many of the hard to fill vacancies tend to be for those with four to five year’s experience, which means those enrolling on cyber security courses won’t be eligible to fill those roles until 2030, while some employers look for specialist qualifications such as CISSP and CISM which personnel can only take once they are in senior positions.

How we can solve the technical skills gap

What this all means is that we need to think very carefully about how we go about filling the void. There’s an education part needed to persuade employers to look at technical competency in other ways, including the self-taught route, to widen the net. But, at the end of the day, cybersecurity is a technical field with highly specialised roles, which means any recruitment drive based solely on soft skills such as problem solving, communication and leadership will have to offer a significant investment in training.

So far, employers have been reluctant to make that investment because the perception is that once candidates are trained, they’ll jump ship to a competitor. However, this does candidates a dissservice. Security professionals predominantly take certifications to improve skills (64 percent) or to stay up-to-date with current trends (53 percent) and only 15 percent do so in order to apply for a job outside the organisation, according to the (ISC)2 survey. Moreover, it found twice as many people would prefer to take an internal promotion rather than go for a new job.

What’s far more likely to result in personnel leaving is a lack of career progression and a poor cyber culture. Indeed, of those that were happy at work, 76% said they were likely to stay in their organisation for the next two years compared to 48% who had low satisfaction rates. Key to this was inviting and valuing employee input, yet only 28% of organisations were found to have schemes in place to facilitate this, says the (ISC)2 study.

While investment in training and career progression are a must in addressing the skills gap, many organisations have had to feel their way with both. There’s been very little structure in the industry, which has made it difficult to recruit for roles and provide a formal pathway for career progression. Indeed, it’s not uncommon to find businesses advertising for the same role with completely different skillsets, for example. But that could all be about to change.

The UK Cyber Security Council has developed 16 specialisms in its Cyber Career Framework and is in the process of developing a roadmap of qualifications, knowledge and expertise that align with the roles they contain. This should greatly aid employers, recruiters, training institutions and even candidates by taking the guess work out of the recruitment process and it could make it much easier to widen the talent pool. All we need to do now is find ways of opening up those training avenues to put an end to untrained, unexperienced candidates being put in front of employers.