Fill the cybersecurity skill gaps in your tech foundation


Business and society are shifting to a tech foundation. Cybersecurity has become essential to protect our vital daily functions, as businesses or individuals.


That’s why the World Economic Forum said that cybersecurity has become a critical “helping” profession, like medicine, education and law enforcement. “We have built great technology that now underpins human progress across economies, society, health, humanitarian efforts, and of course business. Yet, training and hiring the talent to secure these innovations isn’t keeping pace,” said the organization’s report on cybersecurity skill gaps.


The most recent International Information System Security Certification Consortium (ISC)² Cybersecurity Workforce Study said that the number of cybersecurity jobs worldwide grew from 2.8 million to 4.2 million in three years — but that about 2.7 million of those jobs are unfilled.


“These figures resonate with most of our clients,” said Grant Thornton Cybersecurity and Privacy Advisory Services Managing Director Maxim Kovalsky. 


Headshot of Maxim Kovalsky

“Cybersecurity leaders say ‘Our existing staff cannot keep up with the number of threats we are facing and the amount of technology that we need to protect. We’re generally behind the curve.”

Maxim Kovalsky

Grant Thornton Cybersecurity and Privacy Advisory Services Managing Director

“Cybersecurity leaders say ‘Our existing staff cannot keep up with the number of threats we are facing and the amount of technology that we need to protect. We’re generally behind the curve,’” Kovalsky said. When cybersecurity leaders cannot get the funding to hire the skills they need, they often post jobs they call “entry level” — but that classifies the pay rather than the skills required. 


“If we look at entry-level cybersecurity job openings, the requirements will often be three years of experience, a certification or two, and then a catalog of technical skills,” Kovalsky said. “So, companies want to hire, but they say experienced candidates with the skills they need are asking for more money than they can get approved — and well-funded cybersecurity programs are sucking up all of the high-end cyber talent. Meanwhile, recent college graduates contact me and ask, ‘How do I break into this industry? I spent the last four years earning a degree, studying in this field, and I can’t land an interview.’”


Kovalsky said there is a way to connect these conversations, and fill skill gaps, but it requires planning.


Choose planning over panic


In a tight workforce market, the natural alternative to hiring skilled candidates is to develop candidates with the right aptitude, rather than skills. “It’s true that, when you get people with minimal or no hands-on operational cybersecurity experience but with the baseline of knowledge, the right aptitude and a desire to learn, you can plug them into a workforce development program to help them become productive members of the team within a short timeframe,” Kovalsky said.


The biggest problem with a cybersecurity development program is that it requires experience implementing training programs, dedication and time — a commodity in short supply within most cybersecurity teams. “Cybersecurity leaders say, ‘That theory is great, but we’re already stretched too thin. No one on my team has time for that. Plus, we’re cybersecurity professionals — we don’t really do workforce development — I don’t know how to do it and my staff doesn’t know how to do it. So, how are we going to put that program in place?’” Kovalsky said.

Headshot of Maxim Kovalsky

“There’s a perception that talent development is not a fire that needs to be put out immediately — which is how most cybersecurity professionals spend their time, including CISOs. Their jobs are intense. The world is on fire. Always.”

Maxim Kovalsky

Grant Thornton Cybersecurity and Privacy Advisory Services Managing Director

“Cybersecurity professionals are too busy running a hundred miles an hour and doing a thousand different things,” Kovalsky said. “And I think there’s a perception that talent development is not a fire that needs to be put out immediately — which is how most cybersecurity professionals spend their time, including CISOs. Their jobs are intense. The world is on fire. Always.”


It’s becoming clear to many cybersecurity leaders that letting job postings languish for many months while their hiring managers find the ideal candidate with just the right experience is no longer sustainable. While having team members on board with the experience to serve in mentorship roles is critical, the path to long-term sustainability of the cybersecurity program is a process to hire, train and promote candidates with little to no professional experience.


Today’s cybersecurity teams must tackle a more complex range of issues, and even existing team members need to know what skills are required to work in new areas.


“There’s an increasing specialization in cybersecurity,” Kovalsky said. “To do cybersecurity well, you need people who are concentrated in each particular function.” That’s part of why cybersecurity training has become more popular, advanced and specific. There are new training platforms for cybersecurity, outside of the standard e-learning lecture content. Now, students can work in virtual environments, simulate attacks and respond to attacks where they’re assessed in real time as individuals, or as teams.


Skills development programs can help organizations both expand their hiring pipeline and upskill existing staff. Yet, a recent Grant Thornton survey showed that almost half of cybersecurity teams are not formally investing in developing their team’s cybersecurity skill. 

Kovalsky highlighted an even more surprising result from the survey: “Out of those who have a cyber workforce program, nobody rated their program as effective.” Respondents further indicated that the biggest problem with effectiveness was that their programs were not customized to the organization. “They have something in place, but it’s generic. Maybe they subscribe to an e-learning platform and give folks access to it. But other than providing fundamental knowledge, the courses have little relevance to the technology ecosystem at their organization and, for that reason, they are not effective.”


How to win the war for cybersecurity talent


“The thing that’s required to turn this around is a change in approach and mindset within cybersecurity organizations,” Kovalsky said. “As we examine the cybersecurity capabilities for an organization, we have to be ready to say ‘You have the process, you have the technologies, but let’s look very closely at the people side of it. How do we better equip them with the knowledge, skills and competencies to be more effective?’” Kovalsky said.


“A couple of years ago, cyber workforce development was barely a topic,” Kovalsky said. While some U.S. government federal agencies led the adoption of the National Initiative for Cyber Education cybersecurity workforce model, the private sector has taken little action. “Now, we’re starting to see some private companies hiring cybersecurity workforce development managers from the government sector who are bringing that mindset with them,” Kovalsky said.


As cybersecurity leaders come to accept that they cannot keep up with technological transformation and the latest threats by hiring for experience alone, they are realizing that establishing a culture of continuous learning and development will be crucial for longer term success. But how does one get started? The U.S. Department of Homeland Security (DHS) published a Cybersecurity Workforce Planning Capability Maturity Model that includes planning for workforce supply and demand.

One key component in fostering a culture of continuous development is alignment between individual and organizational goals. “All professionals — from entry-level staff to senior managers — seek a transparent pathway for career development, so they know ‘These are the competencies for a junior analyst or engineer, up through management and leadership levels,’” Kovalsky said. The organization must provide the resources for its employees to continue advancing their abilities, and the organization must integrate its expectations with performance appraisals.


When organizations develop the training and resources to empower a cybersecurity workforce development framework, they give staff members a pathway to further development. They also open the aperture on the new candidates that they can recruit and develop in-house. However, they need to start with recruits who have the right aptitude, and a baseline of relevant knowledge, if not experience.


Take action


To further feed the pipeline of recruits and take workforce development to the next level, organizations need to consider new approaches. They need to put people before technology, rethinking traditional hiring practices and even reimagining the role of third parties.


Can the work be done more effectively?

No cybersecurity organization has enjoyed unconstrained growth, even in the face of public incidents. At some point, leaders face the reality of having to “do more with less.” Freeing your staff’s time should be your top priority. Assess current workflows to determine if your cybersecurity professionals are being directed to follow inefficient processes. Seek to understand where processes can be short-circuited — by deploying automation or tooling — or where a “good enough” solution may be sufficient — both would free up time to take on back-burner capability improvements.


Can retention be improved?

Many studies show that career stagnation is one of the top reasons talented employees leave. Create a culture of continuous learning and development by demonstrating that learning is not simply employees’ individual responsibility, but a priority for the organization. Clearly articulate the importance of expanding skills and knowledge to remain abreast of emerging technologies and threats, provide training opportunities aligned to those expectations, and incorporate professional development requirements into existing performance management across all levels.


Can we afford not to hire inexperienced staff?

Managers are conscious that their staff members are already task-saturated and on the verge of burnout. So, when managers have an opportunity to increase headcount, they are naturally inclined to look for candidates that meet a long list of criteria rather than recruit entry-level staff. While that approach may seem to solve a burning issue of the moment, the path toward building a sustainable cybersecurity workforce is a diversified recruiting pipeline. Managers who have the tools and processes to integrate professionals from diverse backgrounds and experiences into their teams will become stewards of the organization. These managers help the organization meet its obligations to protect the business over the long term, without a sole reliance on superheroes.


Can the mind-numbing work be outsourced?

Employees performing repetitive tasks will eventually feel as though they’re stuck on a hamster wheel, never gaining a sense of accomplishment as reward for their efforts. While automation is the obvious solution, for some organizations it may be more cost-effective to outsource tasks that are repeatable but difficult to automate without significant investments. Consider selecting service providers who have been able to solve your problem by having to perform the work at a scale needed to satisfy their entire client base. Begin by assessing the work executed by roles with the highest level of attrition, and shifting them to service providers who can achieve the same outcomes more cost-effectively. This will achieve two goals: your staff will be able to focus on performing higher-cognitive tasks (which increases job satisfaction), and your managers will gain the much-needed breathing room to reimagine how the work can be performed more effectively once they are ready to bring it back in-house.





Our cybersecurity and privacy insights