Cybersecurity Talent Shortage: Why HR Needs to Map Unconventional Career Paths

“Have you ever considered a career in hacking?”

This may be an unusual way to start a career coaching conversation in most workplaces, but it’s an important question to ask employees from non-technical fields–and women in particular.

Increasingly, businesses of all types need more professionals–from ethical hackers to application security engineers–who can effectively ward off and respond to cyber attacks. According to a 2018 report released by ISACA (a non-profit professional association focused on information security), 50% of cybersecurity professionals say their enterprise is experiencing an increase in security attacks compared to a year ago.

But the demand for professionals with cybersecurity skills is continuing to outpace supply, putting many organizations at risk: A 2017 study led by Frost & Sullivan predicted that the global cybersecurity workforce gap will reach 1.8 million by 2022, a 20% increase over the forecast the firm made in 2015. According to ISACA, the “ratio of qualified applicants to open positions leaves much to be desired from the point of view of an enterprise trying to recruit the right security team members.”

Multiple long- and short-term solutions abound, from more educational partnerships to the recruitment of military veterans. Some experts have stressed that hiring managers need to shift the focus away from existing qualifications. In fact, 30% of people working in cybersecurity have come from non-IT or engineering fields, according to Frost & Sullivan, indicating that technical skills can be acquired on the job. There has also been a push to attract more women into what is typically a male-dominated profession.

But in spite of these efforts, the gap persists, and the gender needle has barely budged: women make up 48% of the US workforce, compared to just 14% of the US information security workforce, according to PWC. Evidently, we still have a long way to go before the trajectory of the cyber talent shortage shifts, leaving many HR departments scrambling for talent.

Tapping Non-Traditional Sources of Cybersecurity Talent

There is a silver lining, however, for those HR leaders who see a glut of open cybersecurity positions on the horizon. While employers will likely need to compete on the market for some positions, there may be some untapped sources of cybersecurity talent within the organization. The trick is to find them.

Cybersecurity is multidisciplinary, requiring knowledge of technology, human dynamics, finance, risk, law, and regulations–but attracting people to the field is difficult. The good news is that if a few outliers have already taken unconventional paths to cybersecurity, they will have left a data trail in their wake. This information can be used to find more internal candidates and support them as they acquire new skills.

Encouraging more people to pursue cybersecurity by highlighting growth opportunities during one-on-one conversations with managers may be more effective than a general internal hiring campaign.

If you are an HR leader who needs to ward off a cybersecurity talent shortage, ask these questions of your workforce data:

1. What types of transitions have other employees made in the past to get into these roles?

The path to cybersecurity can be non-linear and full of course corrections. Shelley Westman, for example, who is now a Partner at Ernst & Young in Cybersecurity, started her career as a lawyer, then left the field, and went to work at IBM in a number of different roles ranging from procurement to product management before she arrived at a role in hardware security.

Looking at the many twists and turns that women and people from outside of technical fields experienced in the journey to a career in cybersecurity can help you broaden your internal candidate pool.

For example, let’s say that you know you are going to need at least three more information security analysts in the long term. Start by looking at who is currently in these roles: Are any of them female? Did any come from backgrounds outside of IT and engineering?

If you see any commonalities, such as female business analysts eventually getting into computer forensics, you can then encourage line managers to broach the idea of a cybersecurity career with people in these roles during career coaching conversations. The goal, of course, is not to push people into these roles, but to let them know in a career coaching context where there are opportunities for growth in the organization.

2. How long does it take to transition from a non-technical role?

“Ideally, a major in computer science provides the foundation…But if you’re driven and passionate about cybersecurity, you can come from any background,” states a cybersecurity consultant in a Bureau of Labor Statistics career outlook interview.

Indeed, technical skills can be learned, but they take time to acquire. To get an accurate understanding of how long it typically takes for someone from a non-technical background to move into a particular cybersecurity position, determine the average time it takes someone to get into that role. If there are multiple steps involved, this can be calculated by adding up the average time in each step. Managers and employees can use this information either to reevaluate goals or to gain a realistic understanding of how much work is involved.

[Figure: Visier machine learning data visualization showing a prediction of who has the highest propensity for promotion]

3. Who are the best mentors?

Transitioning to cybersecurity can be intimidating. The movement history of your workforce can help you identify other people who have previously gone through a similar job transition and who also come from the same professional background as your internal candidates. It can also help you connect female employees with other women. These people can act as valuable mentors as people acquire new skills and face new challenges.

A manager may resist having his valuable team member mentored by individuals from other departments. It’s important to remind the manager that this can help him earn a reputation as a talent catalyst and that he can grow his own career as a result. In fact, recent research released by Gartner identified that those managers who improve employee performance the most are “connector” managers who “guide their direct reports to people and resources beyond their own sphere and expose employees to the best opportunities to acquire experience, skills, and capabilities at the time they are needed.”

Defending Against Cyber Attacks With an Arsenal of HR Tactics

Armed with historical workforce data, HR leaders can help managers guide career conversations to attract potential internal candidates, better estimate timelines to get non-technical people the development they need, and uncover hidden gems of mentors who can guide people through tricky transitions. This is one weapon in an arsenal of tactics that HR can use to defend the organization against cyber threats.

Ian Cook
Curious about the differences between Gaussian and Pareto distributions? Ask Ian. Want to know what it’s like to kite ski north of the Arctic Circle? Ask Ian. Not only is he an expert in statistical analysis and HR metrics, he’s also an avid cyclist, skier and runner. At Visier, Ian helps customers drive organizational change through linking workforce analysis to business outcomes. He is responsible for the workforce domain expertise within the Visier solutions.