Solving the Cyber Skills Shortage In-House

If you’re short on cybersecurity staff but also on recruitment budget, it may be time to look inwards. Pieter Danhieux presents a simple but effective strategy for upskilling talent

These days, CISOs are facing enormous pressure to hire the right staff. Recent research by the UK government found over 160,000 cybersecurity job postings in the last year – an increase of 30% from 2022. Security professionals understand the high demand for their skills and, as a result, are able to negotiate high salaries and benefits. Hiring new employees can cause a spiralling wage bill (not to mention recruitment costs), putting pressure on budgets.

This, in turn, leads to hiring shortages, increased pressure on existing staff, and ultimately starts a vicious burnout circle. The mismatch between supply and demand leads to many skilled workers accepting offers from large corporations, earning high salaries that many smaller companies just can’t compete with.

“Research by the UK government found over 160,000 cybersecurity job postings in the last year”

What’s more, the lack of security talent hinders an organisation’s growth, putting the entire team in a vulnerable position against threat actors. Each week, we see an increase in the number of organisational attacks, while security teams are overwhelmed and stretched thin. CISOs need to be resourceful when offering solutions: If the burden is too much for existing talent, maybe they should think about developing talent from within.

Through proper learning pathways and guidance, senior leadership can help transition high performers to technical, security-defence-driven roles. An average organisation in the UK invests around £3,000 per employee on training and development. This is, understandably, focused on developing people within their current role, and towards greater responsibility/promotion. By upskilling outside of an employees’ typical skillset, CISOs play a critical part in approving annual training budgets to build a new, security-focused workforce.

Upskilling talent the right way

Despite these costs, there remains a nearly unshakeable belief in corporate hiring culture that outside hiring is the best way to secure talent. But as CISOs shift away from this mindset, here are three best practices to consider when developing an internal upskilling programme:

• Look in the right places for talent: For cybersecurity skills, a great place to look is within the IT department or software developer teams. These individuals will already have a solid technical background and a potential desire to explore security. Even talented developers are often let down by organisations that don’t prioritise security enablement. Secure code training would therefore help eliminate common vulnerabilities at the code level, the need for future patching, and imbue a better understanding of security overall.
• Identify top concerns: Training can be seen as a burden, something to ‘trudge through’ rather than a valuable experience. For candidates to thrive, they need hands-on, interactive experiences, including exploration of real-world challenges that mimic scenarios they could encounter in their workday. If managers can elicit internal feedback to identify the skills training employees want and need, they can elevate the training experience. Employees will feel more empowered, leading to internal satisfaction, loyalty and improved morale.
• Make security training a business priority: Security shouldn’t just fall on the shoulders of the CISO. Integrating a culture of ‘security-first’ in all areas will reinforce its importance across the business, encouraging a variety of departments to explore additional skill sets and interests. This step is only possible when CISOs collaborate with all C-suite officers to identify which skills best support essential security requirements.

While businesses scramble to fill cybersecurity gaps, threat actors continue experiencing massive growth, ready to make the most of their targets’ lack of resources and readiness. Organisations are faced with a choice to counter these threats: either hire cybersecurity talent at great cost or focus on the staff ready to be trained in these roles. This previously untapped resource will help equip an organisation to defend against current – and future – attack vectors.