There was already a shortage of cyber skills before the COVID-19 pandemic hit, and since then we’ve had a perfect storm of home working and the Great Resignation to make things worse still.
But is there an unexploited resource out there that could help fill the skills gap? Sonny Sandelius, assistant director of workforce programs at cyber security training company SANS, believes there could be, in the form of an army of hobbyists and DIYers.
We spoke to him to learn more about whether this could be an answer to the skills crisis.
BN: Why are enterprises reluctant to look beyond traditionally educated candidates?
SS: I suspect for several reasons. One being that they are recruiting for the known, meaning they know what they’re looking for with a set of predetermined requirements, which can be validated via a college degree, industry certification(s) and/or direct work experience. That is much easier to recruit for than supporting new hires from unconventional backgrounds, who may need additional training and support on the job initially, through the various stages of their employment.
The other may be the knowhow — how and where can I find new talent outside of the normal pool of candidates? Since everyone is fishing in the same pond where there are no fish left to catch, you need to start being creative. Start looking at military veterans and transitioning service members, the underemployed and unemployed, the stay-at-home moms ready to get back into the workforce, even people working in supermarkets. Think career changers: the people who sit at home trying to figure out how Wireshark works, who play around with Metasploit, and participate in Capture-the-Flag competitions. This group of people is already showing a passion for the field and is trying to find a way in, and if you as an employer can create a pathway for them, they will quickly become valuable members of your organization. This may mean that you need to offer training — but with the imbalance in supply and demand, what other options do you have?
BN: Should there be a greater role for vocational training and apprenticeships to fill entry level posts?
SS: Yes. Historically, apprenticeships have played important roles in various industries such as electrical work or carpentry, to name a few. Over the last few years, we have seen more and more apprenticeships pop up. They are great, if they lead to actual hires and have a built-in support and learning system that helps the apprentice to learn and excel while in the program. They should have instructor-led components to make sure apprentices have the combination of hands-on skills and theoretical knowledge available to them. As for vocational training, this can be replicated by looking at current vocational training programs, but with a focus on cybersecurity. They must have state-of-the-art training available, otherwise they may not be long-lived, as the landscape of IT and cybersecurity is constantly changing, and the training must reflect these changes.
BN: Doesn’t recruiting self-taught talent risk a less professional approach?
SS: I don’t think so at all. We are constantly recruiting for our SANS Cyber Immersion Academies and one of the key areas we focus on with our applicants is just that. What are they doing on their own to learn? Are they trying to learn Python programming? Are they spinning up a virtual machine to test things? Have they dabbled around with Nmap or John the Ripper? It is difficult to learn this without a formal pathway, but it shows the passion and drive to learn, which should be built upon. You may have to correct some of their learning on the job as well as offer more formal training, but you know that a person with that drive and curiosity to learn and figure things out will become competent enough to contribute to your mission. Perhaps you need to create a training program, either via a partnership with a training institution or by allocating funding to train them up while onboarding. 400-600k open positions need to be filled in the US, so you need to get creative, as there are not enough people to do this work.
BN: Why is it important for HR teams to understand the needs of cybersecurity?
SS: I believe it ties into understanding the needs more in-depth and translating them into HR’s candidate screening. If you do not know what you should be looking for, you will try to check certain boxes but may miss great candidates with high potential who do not necessarily meet all your requirements. HR should sit down with the team that needs hires and talk through the requirements: are there some things we can be more flexible on? What are you really looking for in a new hire? I believe this will help HR better understand who to screen and how to screen their applicants.
BN: The IT world evolves quickly; how important is ongoing training and development?
SS: It is very important. If you do not have the right skills in place, your information and assets will be more vulnerable. The more technology we use, the more rapidly the landscape and threats change, and we need to be able to keep up with the bad folks. You must be willing to spend more to lose less. Increasing your training budgets will not only help your organization to be more secure, but most likely also help you retain your cybersecurity practitioners. You are making sure they are well trained but also fueling their passion to learn and stay current. This is a win-win in my book.