Your next security hire might not come from tech
As technology use grows exponentially, attack surfaces are widening and security teams must expand. But in the labour shortage, where are these new workers going to come from?
The UK tech industry has a skills crisis, with more than four in ten CIOs telling us they face skills shortages when trying to recruit: a number that is only growing as the value placed on balancing professional and personal continues to shift heavily to the latter.
Security is one of the worst-affected areas of the industry, with demand far outstripping supply of staff. Simon Hepburn, CEO of the UK Cyber Security Council - an independent body for the cyber security education and skills sector - says the skills gap is largely because tech is a victim of its own success.
"As technology continues to grow in quantity and complexity, there are more people, organisations and governments looking to attack the technology for gain. We need to have more and more people in our organisations whose focus is to try to defend us against attacks, and as well as being generally short on technical staff in general and security people in particular, we simply can't educate and train those people we do find quickly enough."
One of the Council's most important roles is to close that gap and encourage more people to enter the industry. Its careers route map, for example, shows new joiners the paths they could take in their professional development so they know what to expect and aim for in the future.
But the work doesn't just fall on organisations like the UK Cyber Security Council. It's just as important for companies to do their part - and rethinking recruitment processes is a good start.
"Companies need to think constructively and laterally. There is no way at all we can find pure security specialists quickly enough, so we need to be clever and look outside the tightly defined area of cyber. Why not look to people like risk and compliance specialists - many of the skills they already have are a perfect fit for cyber security. And when one considers that much of security is about soft skills - training, educating, engaging people, communicating - the scope of whom you can attract becomes even greater. In addition, it has been shown those who are neurodiverse are well suited to careers in cyber security."
In fact, the need to look outside your traditional practices goes beyond security and can apply to all technical roles. Especially in the current labour shortage, companies need to be more creative than ever with their recruitment - as well as offering employees flexibility that they might not have considered pre-pandemic. "By doing things a bit differently, you stand a much greater chance of attracting the best talent," says Hepburn.
That applies to security training, too. There's no reason you can't recruit your next security professionals from within, and giving everyone a solid grounding in security is an important first step. But no-one is enthused by the same old training videos, and it's often a case of ‘in one ear, out the other'.
"We need to continue to educate our people, but we have to make it interesting. Make it relevant, make it different, make it innovative - just do something that's not the boring old online training or standing in a conference room. And why not engage your marketing and comms people to help - they make their living by making things attractive to people, so why not turn them inwards and get them to help make your cyber training engaging and non-dull?"
So, there you have it. The labour shortage is only growing worse as demand rises, and companies that want to expand their security team need to make sure they consider much more than qualifications or hard skills. Who knows? Your next CISO could be sitting in your compliance team right now.