In conversations with other CISOs, one topic that comes up frequently is the cybersecurity skills gap: specifically, how to attract and retain new talent while ensuring current team members get the necessary training and upskilling opportunities. It was a popular discussion point among panelists and attendees at the recent Fortinet Championship Security Summit.
It’s easy to see why this continues to be a concern for CISOs everywhere. According to the 2021 (ISC)² Cyber Workforce Report, the global cybersecurity workforce needs to grow 65% to defend organizations' critical assets effectively. And while there's progress happening—the number of professionals required to fill the gap has gone from 3.12 million down to 2.72 million in the past year—it’s clear that there’s still a sizeable talent shortage.
Short-staffed security teams and those lacking more senior-level professionals are making it difficult for organizations globally to keep their critical digital assets safe from threats. According to the Fortinet 2022 Cybersecurity Skills Gap Report, the organizations surveyed say that the cybersecurity skills gap has contributed to 80% of the breaches experienced.
While it’s tempting to focus recruitment efforts on individuals who already work in the security industry, recruiting from this group alone won't help to close the cybersecurity skills gap fully. It's essential to recognize that there are multiple paths one can take to enter the cybersecurity field. The 2021 (ISC)² Cyber Workforce Report shows that slightly more than half of cybersecurity professionals got their start outside of IT—17% transitioned from unrelated career fields, 15% gained access through cybersecurity education, and 15% independently explored the field.
Solving staffing challenges requires a multi-pronged approach, and a critical part of the solution involves evaluating and hiring candidates from varying backgrounds.
Women, veterans, students, and other untapped populations are among the talent pools that can be tremendous assets to cybersecurity teams and help fill the skills gap. Many organizations, such as WiCyS and Cyversity, are focused on diversifying the industry by providing training and mentoring programs to expose more individuals from underrepresented groups to the field.
Growing the candidate pool for cybersecurity openings by proactively pursuing these communities is an excellent method for filling this gap. A recent survey shows that many organizations are already working to build more diverse teams. For example, 89% of companies around the globe have explicit diversity goals as part of their hiring strategy. These same organizations say they have formal programs in place to recruit more women (75%), minorities (59%), and veterans (51%).
The Great Resignation of 2021 is still going strong well into 2022, meaning there's no better time to find job seekers interested in learning new skills or changing careers. According to data from the Pew Research Center, nearly a quarter of workers say they are very or somewhat likely to seek out a new job in the next six months.
Programs such as IBM SkillsBuild have partnered with the Fortinet Training Institute to offer free learning opportunities for individuals to develop skills, reskill, or upskill for a career in cybersecurity and then connect learners to various employers to jump-start their careers. Many of these programs also have specific initiatives to assist underrepresented groups, such as veterans, in finding employment in the security industry.
Retaining the security talent you have on staff should be a top priority. Offering your team members ongoing learning opportunities to gain new skills or sharpen existing ones can play a critical role in retention. Data shows that ongoing training programs for security professionals are effective, with 95% of the surveyed organizations stating that technology-focused certifications have a positive impact.
In addition to offering learning opportunities, take the time to recognize high-performing security teams. While this sounds like a simple task, it’s easy to get caught up in your day-to-day activities and overlook moments to congratulate individuals for a job well done. Whether it’s a simple “thank you,” a shout-out in an all-hands meeting, or a spot bonus, give your team members the recognition they deserve.
While security teams certainly play an essential role in protecting an enterprise's digital assets, cybersecurity is everyone's job, regardless of their role at the company. Employees can and should be a strong line of defense—but this is only possible if they’re aware of and know how to identify the methods threat actors use.
That's why implementing ongoing cybersecurity awareness programs for all employees is so critical. While the training content you select may vary based on your organization or industry, all employees should have basic security knowledge. Make sure to cover topics such as recognizing and managing threats associated with phishing attacks, ransomware, social media use, social engineering, passwords and authentication, and physical security, among others.
By diversifying hiring strategies and implementing cybersecurity training programs for all employees, companies will see a real improvement in their security posture overall, along with increased employee satisfaction and less turnover.
Find out more about how Fortinet's Training Advancement Agenda (TAA) and Training Institute programs—including the NSE Certification program, Academic Partner program, and Education Outreach program—are helping to solve the cyber skills gap and prepare the cybersecurity workforce of tomorrow.