According to a recent global study of employer demand for cyber security expertise, the UK came out the second worst in the world. Research shows that employer demand beats candidate interest by more than a third, with only 31% of the cyber security jobs posted being searched for by candidates. In the UK there are more jobs posted than in other countries, but the research shows that there are just not enough candidates to fill them. So where are these candidates, and what are the reasons for this skill shortage? This article will focus on the main issues around this skill shortage and reflect on what can be done about it. Unfortunately, there is no cure-all to fix this problem. There are, however, several approaches available to companies that can help to address this issue.


One of the main reasons for the apparent skill shortage is that companies are looking for ‘the perfectly polished candidate’. More often than not, this means that recruiters have to look for a needle in a haystack. The company provides a job specification that is like a shopping list of everything they want a candidate to be: from hard skills to soft skills, it reads like a comprehensive list of everything that a company wants a candidate to have to fulfil the role. Just looking through the list can be daunting for any candidate – no wonder there are fewer applications than would otherwise be the case. If a candidate has everything the job specification outlines, nine times out of ten, they are not going to want to move to a similar job; they want to move up and develop in their career.

This is where companies need to reassess what it is they actually need in a candidate, and not look for a skillset which doesn’t exist or isn’t tangible. Would you prefer a candidate to be an expert, get bored within a few months and look to move on, or would you want someone slightly more junior but with a passion to learn and develop further, who you can mould into what you want? From my point of view, the second option is always the best. The candidate might not be able to hit the ground running and fix all of the problems within a given department, but what they will do is show loyalty to the company for giving them a chance to learn more and, as long as they have a good personality fit, they will be able to develop and grow along with the business. As I was writing this article, I decided to look through Twitter to see what the general consensus was from candidates in the field and came across a tweet which stated: “I think it’s interesting that [the] UK is expecting cyber security experts [to] hold some form of PhD successfully eliminating 90% of its hacking talents”. This demonstrates how companies are looking for that gem, but also how (and I’ll come to this later) the diamond-in-the-rough candidates may have become disillusioned with the current recruitment processes within the cyber security sector in the UK.


It is evident that the top roles in the sector are hard to fill, and there are fewer and fewer potential candidates to choose from. The best way to solve a skills shortage within your company is to promote from within and create a conveyor belt of talent. If you are looking for a senior malware analyst with a background in reverse engineering, try to see if there’s someone internally who could fit the bill, maybe an SOC analyst who has a background in development, or maybe a software engineer with a passion for security. You can simply promote these people into a new role, and then look to replace them with newbies, those who are at the start of their careers and are looking to develop and grow within a company. The reason this would be successful for your business is pretty simple: it creates a culture where employees are rewarded for dedication and loyalty rather than seeking new roles somewhere else every couple of years. Then, and this takes me to my next point, newbie cyber security graduates can be brought on board from the classroom to help them develop. This, in turn, then bridges the skills gap.


Within the UK, there are more and more graduates looking to break into the cyber security industry. Last week I attended an event at the University of South Wales, giving the current students an insight into the industry and what employers are looking for. There were approximately 100 students from 1st to 3rd years, all eager to get into cyber security companies, either as their first job, on graduate schemes or on apprenticeships. This is just one university, which means across the country there’s an abundance of talent looking to find their first role. Again, they won’t have all the technical or commercial experience required for the role, but they will have the passion to learn and to grow; and there you have a talent who you can mould to fit your company.


Maybe there’s a simple reason why candidates are not applying for roles. Maybe they have become disengaged from the traditional recruitment methods: after applying for 10 roles and not receiving an email or a courtesy call to say they have not been successful, they have become disillusioned. Therefore, it is essential for companies to go out and become Inspector Gadget, seeking out talent in different areas, whether that’s social media, networking events or hacking competitions. Again, through my Twitter account I found 22 profiles of potential candidates who were not working within the industry, but were sharing cyber security tweets. Having a look at a few, I noticed that hacking was a hobby for them, something they did outside of their ‘normal’ 9-to-5 jobs. Do you think they would be offered a role as an Ethical Hacker within a corporate environment, or would they be left out of the process because they don’t have the right ‘key skills’ listed within their CV on the job boards? Recently, there have been organisations like the Cyber Security Challenge UK creating competitions for candidates. Maybe that skillset they are looking for can be found here rather than in the traditional methods of recruitment.

It’s pretty clear from the research that there is a skills shortage within the UK cyber security sector, and there are fewer ‘star’ candidates available and applying for roles. But the best way to combat this is to look at the traditional methods of recruitment and at whether we can improve these. There are many avenues for sourcing candidates; it’s just about knowing where to look rather than waiting for candidates to apply for the roles. Companies have to engage with non-traditional recruitment methods, or use someone who knows about them, to help them bridge the gap. Ultimately, the talent is available.
