The talent shortage in cybersecurity could disappear if organizations had looser needs and spent more on educating existing staff, Canadian experts say.
“I think the resource challenge is actually manufactured,” Michael Glover, former CISO of an online betting firm told this week’s IT World Canada MapleSec Satellite series on Wednesday. “The reason is we’re painting too small a confine for the roles we’re looking for.”
What IT departments need are people with the ability to move quickly and juggle many tasks at the same time, he said, as opposed to many technical qualifications. “Software developers can make great security guys because there’s a tremendous amount of security baked into it (their jobs).” Instead, we demand “people with 15 years of experience. Those are the roadblocks being generated. We are now choking out the market We’re saying, ‘You can’t come into this space even though you’re a seasoned IT professional [because] you don’t have every checkmark we’re looking for.’ And I think that’s the shortcoming we’re dealing with.”
Michael Teske, principal security author at Pluralsight, a U.S.-based developer of online IT training courses, agreed. “I fit that mold. I came from a career as an IT person and I dove into the cybersecurity space because it intrigued me and I like learning new things. I think what we’re overlooking is finding people that learn very well. We can make them into cybersecurity people. They don’t have to be experts because there are so many roles that people can get into in security.” There should be no problem with letting these people start in entry-level jobs, he said.
Unfortunately, panelists agreed, the pressures on infosec staff make some leave the profession, which doesn’t help the shortage problem. “There’s a lot of frustration in the security world, especially at the executive level,” said Glover. And he gave a long list of why: Staff are asked to do three or four jobs because IT teams are short-staffed, when infosec leaders ask for money they are told the marketing budget is more important, days are long for leaders and they don’t get time off in compensation, if a vacation scheduled it can get canceled and if there’s a data breach, the blame game starts and “the security team is hit by a train of buses.”
On the other hand, Naveed Zahid, associate vice-president of engineering transformation at insurance giant Manulife, said the talent shortage is a real problem. He spoke of the problems of hiring IT staff even though the company’s technology hub is in Waterloo, Ont., the heart of Canada’s technology sector and the nearby University of Waterloo’s highly respected computer science department is churning out graduates. “It’s taking us quite a bit of time” to fill Manulife’s “countless” IT openings, he said. “Whenever we start sourcing we usually only get a handful of individuals applying.” Competition is strong, with salaries a “competitive” factor.
One reason why infosec staff leave the profession, he added, is that organizations don’t do enough to showcase their successes. There are cybersecurity heroes in every firm, he argued.
One solution, Zahid said, is giving employees — including infosec pros — the opportunity for career growth. Every organization should have a well-defined career path for staff, he maintained.
The insurance company runs ‘Manulife University,’ he said, which offers a wide range of training courses — including a five-day security engineering course to help meet the hiring problem. Instead of making a list of desired years of experience or certifications, he added, to entice applicants, job descriptions should say, ‘Here’s some of the things/challenges you’ll be working on.’”
“The opportunities are endless in whatever career you choose,” said Teske, “especially in cybersecurity. It’s not up to your employer, it’s up to you where you want to go.”
Companies are losing opportunities to hire imaginative staff, maintained Glover. “There’s a lot of good talent available. I think companies are painting too narrow a box for people. They’re not doing themselves a favour.”