From security managers, analysts, Security Operations Centre (SOC) leaders all the way up to CISO level and heads of compliance, there are many different job roles in the world of corporate cybersecurity.
Penetration testing, disaster recovery, incident monitoring within SOC, data privacy and data protection are just some of the specialist cybersecurity skills employers are looking for. But you also have security vendors, the sales side which includes product development and product marketing as well as security consulting firms.
To help us better understand the nuances and specifics of this candidate-led market where the competition for talent is fierce, we caught up with our Practice Lead for Cyber Security, Alex Weishaupt. Here are his thoughts on all the industry’s current hot topics.
On cybersecurity skill shortages
Although the underlying indicators have not changed during the past couple of years, the skills gap is growing. People were talking about 1.6m open jobs in 2020 and now predictions have more than doubled to 3.5m. Demand is still growing but we still have a huge gap in talent, which has been further exposed by the pandemic and the increase in cybercrime. Organisations weren’t fully prepared for remote working and WFH is a less secure environment with a greater potential for loss of data, intrusion and risk of corporate fraud. This is a huge issue for the security community.
On the European market for talent
Although there are significant skills shortages, these aren’t uniform across Europe. Southern Europe for example is ahead of the curve – these countries were early adopters in prioritising security and were the first to offer degrees in the subject. Eastern Europe too has a sizeable talent pool, with highly trained cyber experts. The UK has the advantage of being part of the Commonwealth so again has access to a bigger base of candidates. The major problem is in western and central Europe, so Germany and the Benelux countries – companies here were slower on the uptake.
On the need for greater diversity
Diversity is a huge problem. The lack of women in IT has been a talking point for some years, and the same applies to cybersecurity. There is still a marked imbalance but the number of women entering the industry is gradually increasing. Jane Frankland, one of the best known influencers in female cyber security, summed it up perfectly in her book title ‘InSecurity – why a failure to attract and retain women in cybersecurity is making us all less safe’. Women also need to be encouraged to be more self-confident; it’s a question of mindset and belief that they can succeed in a male dominated industry.
On the evolving role of the CISO
“While the role of the CISO [Chief Information Security Officer] as the person responsible for information security has been around for a long time, it has evolved considerably over time. Gone are the days of installing a firewall and some anti-virus software in the early internet days. Now cyber criminals – the ‘dark side’ – are developing many sophisticated ways of entering into systems, stealing IP or breaching personal data. The general threat has grown considerably. The worst thing that can happen to an organisation is a loss of reputation – that’s the main damage that a security incident causes. It’s not surprising that we’re starting to see more CISOs report directly into CEOs – in Israel for example, it’s a legal requirement – rather than to the CIO or CTO, which is far more common.
On the importance of soft skills
The fact that security can be seen as a business blocker whereas it is in effect an enabler brings its own challenges. That’s why you need to be an excellent communicator, able to explain a technical subject in simple terms and keeping the wider business informed of security matters. Collaboration is also key as you’ll always be working in a team whether your own or partnering with other functions, so stakeholder management is essential. Credibility, responsiveness and ethics are really important for any leader, who must develop, coach and guide their teams. Whatever your role in security, you must also be passionate about lifelong learning and development.
On building a cybersecurity career
There isn’t a typical career path although most in the industry come from a technical IT background whether that’s software engineering or pure informatics. So you start with an IT degree, specialise in security, gain some leadership experience, move around different areas such as security auditing, consulting, into an operational security role and then move up to CISO. Interestingly, current CISOs have followed different routes, albeit they still will have a technical background but may have moved into security because it was a passion or to help out their organisation. An interesting development over the past 18 months is that lots security vendors are hiring experienced CISOs – who are seen as thought leaders or evangelists – for their sales organisations.
On AI and machine learning
Human talent shortages create a gap for AI, which can add value on certain levels. For example, it might increase detection rates by 5% but there are also many false positives. So the human element is crucial. Furthermore, AI tools require a big investment on time and money – you’re looking at IT systems storage, upgrades and maintenance, which also requires manpower. The other danger is that too heavy a reliance on AI will make it easier for cyber criminals to penetrate systems, so you’ll still need human intervention – you can’t just leave it to the robots!
Alex's 6 top tips for hiring managers
1) You have to know what you are looking for and be really specific – find out what your real need is. Be very clear on what the interpersonal skill requirements are, such as communication.
2) Identify positions that are most critical to your enterprise’s security. As talent is in limited supply, establish targeted priorities based on your requirements. HR and line managers must work closely to develop a hiring plan.
3) Don’t ignore your internal talent pool. There might be some really good IT professionals who can be upskilled and onboarded very quickly. Average time to hire will be around seven months.
4) The typical tenure for cybersecurity roles is 18 months, so to increase retention your package has to be competitive. Don’t just think about the monetary side but offer flexible working, training and development.
5) Avoid the trap of a generic job description. Make it about the purpose first then work the content around it. Remember, the onus is on you to sell your organisation to the candidate, not the other way round.
6) If relying on external support for hiring, select the right provider with a strong reputation in the community.
And his 3 top tips for candidates
1) Keep up to date with industry developments. Never stop learning,
2) Be flexible, consider the priceless experience of a career move abroad.
3) Communication is absolutely crucial, so really work at this!
For the full interview, check out our podcast: