Shortage of communication, analytical skills part of widening cybersecurity talent gap
A few days ago, in between catching flights and dozing off in an airport terminal, I read an article about the recently published findings from the 2017 Global Information Security Workforce Study.
There were a few obvious conclusions that I expected to come out of this report, such as the ever-widening cybersecurity talent gap (hence the title), but there was one item in particular I found to be quite intriguing. In the third paragraph of the introduction, the GISWS asserts, “This year’s Study reveals we are on pace to reach a cybersecurity workforce gap of 1.8 million by 2022, a 20 percent increase over the forecast made in the 2015.”
Of course, it is. The threat landscape continues to change, so it should come as no surprise that as companies experience breaches or (for whatever reason) are shown to be in possession of or disseminating private information, that lawmakers continue to push for increased regulation.
This regulation and enforcement then contributes directly to that shortage while creating jobs. If you think that not doing business in the EU will save your business from having to comply with GDPR (or something like it), think again. Facebook CEO Mark Zuckerberg’s congressional hearings are setting the US up to have similar regulation put in place.
What I did find most surprising from the report was that some of the top skills that hiring managers are looking for from applicants is to possess high degrees of communication and analytical skills. This finding is in line with both the 2013 and 2015 reports that had also highlighted these as being just as important as possession of technical ability.
The report goes on to identify that 87 percent of the global cybersecurity workforce started in another career entirely. This convergence of career paths provides a tremendous opportunity for unique perspectives and skills for any organization.
How often have we seen marketing or sales material that promotes the non-technical professional? And how can we possibly expect that all cybersecurity professionals are experts in the same ways? We certainly wouldn't expect that all IT professionals are experts in everything IT. Or would we?
The underlying issue, however, appears to be from some self-perpetuated misconceptions. The misconception is that to have a career in cybersecurity (or to be seen as a professional), one must first possess some advanced level of technical skill. Technical expertise is essential and in-demand for many positions in cybersecurity, but ultimately may not be a good predictor of the value that a candidate might bring. Technical knowledge can be learned, and in some ways may be easier to acquire, then, say, learning to be an active listener.
If anything, this report helps to solidify that what we are communicating in discussing the global shortfall in cybersecurity talent is ineffective. We aren't reaching the right target talent areas who might be highly effective in many other ways (such as driving governance through leadership and influence), which are of equal importance to technical ability.
The message should be that there is plenty of opportunity for both non-technical and technical analytical cybersecurity professionals, provided they know how to communicate.
(This post originally appeared on the ISACA blog, which can be viewed here).