With more than half a million cybersecurity positions currently open across the country, there is a pressing need to encourage more people to take up careers in IT security—a challenge the White House is now addressing.

The Biden Administration, through the National Cyber Director, announced a revamp of federal hiring practices to prioritize skills-based hiring for technical employees. This transition, affecting nearly 100,000 federal employees, will be implemented next summer. Furthermore, federal contractors supporting government agencies, such as the Department of Energy, will also shift towards skills-based hiring practices in IT and cyber contracts.

The initiative was driven by the findings of the SANS Institute – Global Information Assurance Certification (GIAC) cyber workforce research report, which highlighted a paradigm shift toward prioritizing certifications over traditional degrees in cybersecurity education and workforce development.

However, internal confusion and a lack of standardization hinder hiring efforts. The challenges include salary competitiveness and misaligned skill sets.

Tech Titans Launch Education Initiatives

Several major private sector tech companies, including Cisco, Motorola and Verizon, announced their own programs to build up the nation’s cybersecurity workforce, including innovative education and training initiatives, along with certification lifecycle management.

Jeremy Rabson, managing director of GIAC at SANS Institute, explained the reasoning behind the paradigm shift towards prioritizing certifications over traditional degrees in cybersecurity education and workforce development.

“In the simplest of terms, what we have been doing so far isn’t working,” Rabson said. “Historically, assessing candidates based on their academic credentials has created unrealistic standards and a critical hole in cybersecurity talent.”

With cyber threats increasing in velocity and volume, organizations cannot afford to overlook this approach, Rabson added.

The report found more than 37% of cybersecurity managers believe that HR could better support cybersecurity recruiting efforts by developing a deeper understanding of cyber roles. Similarly, 46% of HR managers emphasized the need for enhanced collaboration between HR and cybersecurity managers.

However, more than half of organizations do not currently use the National Initiative for Cybersecurity Education Framework (NICE) framework, a resource developed by the U.S. government to standardize the way organizations categorize and describe cybersecurity work roles. Wider adoption of the NICE framework to standardize job roles across organizations can facilitate communication and collaboration between HR managers and cyber professionals, improving candidate flow and shortening recruiting time. “Until this occurs, managing the continuous influx of potential candidates through third-party websites can demand a considerable amount of time and effort,” Robson said.

There is a strong consensus that the best approach is to blend on-the-job training with traditional technical training, including classroom, certification, and lab-based training.

“Luckily, these findings provide optimism for the future. Some organizations are managing this process well,” Rabson said. “If more across our cyber community can adopt these techniques, we will be able to actively modernize the cyber workforce and further combat evolving cyber threats.”

Cybersecurity Skills Gap Pervasive

The cybersecurity skills gap is representative in many industries and for companies of all sizes, Omri Weinberg, co-founder and CRO at DoControl, pointed out. While looking for individuals to train in specific skill areas, it’s also critical for individuals to be trained to see the wider landscape that makes up the security industry.

“Opening an individual’s eyes to the different paths that a cyber professional can take allows these resources to train in multiple skill areas and cover additional ground to reduce the skill shortage overall,” Weinberg said.

Weinberg agreed with Rabson that the HR process still “isn’t quite there yet” when it comes to finding talent in the cybersecurity industry. Plenty of people are not being given an opportunity to tell their work story or be hired. Some of the hiring issues stem from the need for a candidate with every skill on the job requisition, which can be far from reality. “The gap can be minimized when hiring managers and HR representatives work closely together to understand when a candidate is qualified for a role and is also a fit for the companies’ culture,” Weinberg said.

Photo credit: Markus Winkler on Unsplash