Cultivating Cyber Talent

You may have heard the phrases below recently:

“Cyber Talent Shortage,” “Cyber Skill Gap,” “Cyber Headcount Problem,” “Cyber Drought,” “Cyber Expectation Misalignment”.

If talent hunting is hard today, it’s only likely to get harder tomorrow. The cybersecurity employment projections are bleak. While the list of creative phrases summing up the problem has increased, what have we really achieved so far, and are we any closer to a solution?

I wanted to revisit this topic, as its appetite in discussions has only grown. Bringing together opinions from the basement to the boardroom, I’ve spent the last few months gathering the views of Cyber Grads, Hiring Managers, and Executives to weigh in on why everyone is still struggling to solve the Cyber Talent problem.

Examining the problem from the beginning, I’ve asked the question: do we have a talent shortage? Yes, it’s not a fairy tale. 61% of cyber security teams are understaffed, 55% have unfilled roles and 50% say their applicants are just not well qualified[1]. But if my overflowing inbox of budding cyber grads is anything to go off, it's clear from the junior layer that there isn’t! So why are these statistics so grim?

Many ‘freshly minted’ cyber grads spend years upskilling before landing their first security role. Why? Although most cyber security degrees support the learning of critical analysis, problem-solving, communication, and investigation skills, these are insufficient to meet the demands of a contemporary cyber security role[2]. Michael Choeng, National Cyber and Tech risk leader at Crowe Australasia, points out: “Cyber technical theory may or may not be utilised in the industry – we need more emphasis on day-to-day skills. A lot of Cyber is psychology that goes into solution, it’s not only technical.”

But the problem doesn’t just lie within academia; it's systemic. Plugging ‘entry-level roles in cyber’ into the usual job-seeking channels yields poor results. Jobs advertised ask for a minimum of x years’ proven experience. You’ve seen these before. Our present hiring methodology is rigid, particularly in our ignorance of how men and women view job advertisements differently. Identical job ads that used more masculine than feminine wording affected perceptions of gender diversity, job appeal, and anticipated belongingness but not of personal ability[3]. Additionally, there is a lack of feedback loops: little to no constructive feedback is provided by Hiring Managers, and candidates are being ghosted by recruiters. Couple these points together and you create a significant barrier.

Richard Atherton, CISO at Visy, puts it this way: “The industry has a headcount shortage, not talent – We aren’t hiring enough from scratch, mostly it’s hiring for experience (“minimum x years”)”. Why is it so difficult to hire from scratch? From the view of leadership, the risk of an organization facing a cyber-attack outweighs the need for entry-level skill, which is why nearly all roles in cyber require x amount of 'proven experience'. To provide real value to an organisation, cyber graduates need practical day-to-day working knowledge. At present, most aren’t equipped to provide this straight out of University or TAFE.

So yes, there are a few problems... what can, and should, the industry do about it?

Look at hiring in a fresh way

One solution could be found in our Leaders IT business. Leaders IT is a subsidiary of Peoplebank and offers what’s called a Capacity Uplift Solution. This is a unique alternative to the “right-sizing” that usually accompanies an economic downturn. By utilising a candidate pool of highly talented, but not necessarily highly experienced, candidates, we offer a partnership with clients to co-develop successful candidates through specialised training, both formal (which can lead to professional qualification) and on-the-job mentoring. The client benefits by employing the best and brightest new talent as a “blank canvas” to shape into exactly what they need, whilst increasing capacity at a cost base lower than the traditional consulting model.

Additionally, here is some advice for our juniors trying to get into cyber roles

Daniel de Jager, Security Manager at Moula, aptly describes the underlying issue with our graduates as not being able to “hack the barrier”. Daniel provides valuable insights for graduates to overcome this barrier. “Cyber grads need a portfolio of evidence that shows how they will demonstrate value. GitHub, online presence, blogs, papers, YouTube channel, Discord servers, and Slack groups are fantastic ways to learn and upskill.” Don’t stop once you have graduated, speak with professionals and learn what they work on daily. Forensics, Pentesting, Log Analysis, Malware, Data Science, Big Data, PLUG-IN – Know the vulnerabilities and exploit them. Start CODING, get this on your resume, and get noticed!

Hiring managers and leaders within security are currently facing the issues of staffing in a heavily depleted candidate market, high contract rates, and soaring salaries. This, coupled with highly specialised technical security skills, presents added complexity to an already difficult equation.

Automation is helpful, but it won’t solve the problem. You can’t solve a process problem with a widget. Start investing now! To alleviate this issue, companies should start considering programs to augment and upskill their current workforce to meet future demand. We need to start developing a mentality of cultivating talent rather than looking for a ‘superstar’ to solve everything.

In conclusion, when we recognise the barriers, we can see that the issue has multiple dimensions:

  • Low Growth in Cybersecurity Sector
  • Soft Skills gap/Hard skills gap
  • Risk vs Skills balance

All of which can be addressed in multiple ways:

  • Addressing the above at the grassroots level
  • Improving the hiring process
  • Building more culturally and neurodiverse teams
  • Maintaining a Cultivator vs Superman mindset

We need a multi-pronged, long-term strategy to solve this equation. As mentioned earlier, utilizing a system that focuses on developing candidates can be a key differentiator that might break the existing cycle of struggle in the cyber talent industry.

The Capacity Uplift Solution specifically develops graduates, career-transition, and return-to-work candidates in both soft and hard skills, aligned to your culture and strategic direction, developing their capacity to become high-performing members of client teams. Once part of the Capacity Uplift Community, their experience can take talented people and accelerate their development into successful, productive, permanent resources.

If you would like to hear more information, please get in touch!

Call Peoplebank on 03 8080 7200 or 1800 People (736 753)

[2] J.L. Hall and A. Rao, “Non-Technical Skills Needed by Cyber Graduates,” 2020 IEEE Global Engineering Education Conference (EDUCON), 2020, pp. 354-358.

