There Is No Cyber Labor Shortage

COMMENTARY

The unfortunate truth is, if you're looking for an entry-level position in the cybersecurity field, there aren't many on-ramps. The wide-ranging security certification bodies and training organizations that dominate the industry have convinced many — maybe even most — cybersecurity leaders that "number of certifications" or "years of formal training" are the only metrics by which potential job candidates should be judged. What's more, the emergence of both undergraduate and graduate-level cybersecurity degrees has placed another arbitrary barrier between otherwise qualified individuals and the jobs they want. Don't have the right degree? Too many organizations will tell you not to bother applying.  

Unfortunately, the meaningless requirements and barriers we place in front of candidates are only likely to get more burdensome with time. Want an entry-level security operations center (SOC) position? Please arrive with a bachelor's degree in cybersecurity, Security+ (CISSP preferred) training, and $30,000 worth of SANS courses. Oh, and be prepared to work third shift for a while.

Yes, those credentials have value, but treating them as mandatory artificially raises the barrier to entry for new security professionals. Hiring managers often are hesitant to hire candidates perceived as undercredentialed when they believe there must be a "perfect" candidate out there somewhere. But the truth is, a perfect candidate probably isn't interested in a third-shift SOC position — which means hiring managers need to reevaluate where they look for new employees and which qualifications matter most. 

Solving the Shortage by Broadening the Candidate Pool

It isn't just organizations themselves that fall into this trap — recruiters do, too. As effective as recruiters are at gathering candidates, they usually aren't cybersecurity experts — which means they aren't always capable of discerning between cybersecurity candidates ready to deliver value and those who are simply good at marketing themselves. Understandably, they look for shorthand ways to help them narrow down candidates: Degrees, certifications, training, and other measurable factors obviously are attractive. They become de facto indicators of value, and their absence is treated as an indicator that a candidate is unqualified — or at least not a fit for a technical role. 

The result is self-defeating. By narrowing down candidate pools based on a small number of arbitrary qualifications, organizations and recruiters end up self-selecting candidates who are good at acquiring credentials and taking tests — neither of which necessarily correlate to long-term success in the cybersecurity field. Prioritizing this small pool of candidates also means overlooking the many, many candidates with analytical potential, technical promise, and professional dedication who may not have gotten the right degree or attended the right training course. By tapping into these candidates, organizations will find that the "labor shortage" that has received so much attention isn't such a hard problem to solve, after all.  

Solving the Problem Requires Adopting a New Approach 

Of course, recruiters and hiring managers aren't the ones who suffer when they overlook potentially valuable candidates. Yes, the companies struggling to fill critical positions will continue to feel the impact of the so-called labor shortage, but perhaps even worse is the fact that it cuts off a path to prosperity for countless individuals who fail to meet a list of arbitrary qualifications. Any security organization worth its salt should have a strong training program in place, and entry-level positions should be treated as just that. Candidates with the right traits and skills are qualified — whatever their résumé may say. Helping them make the most of those skills is up to the organization.

This is why the White House's cyber workforce workshops — well-intentioned though they may be — are misplaced. Fueled by a limited understanding of the true indicators of success for a cybersecurity career and an inability (or unwillingness) to tackle the root cause of the labor shortage, these workshops have only served to exacerbate the problem. The workshops invite schools and certification bodies to brainstorm ways to improve access to education and training — without stopping to consider that an overreliance on education and training benchmarks is a core part of the issue at hand. Education and training programs are great, but they scale poorly and continuing to treat them as the gold standard only serves to gatekeep opportunities in our industry. The recent announcement from the White House that candidates for IT positions should be evaluated based on skills rather than degrees is a step in the right direction, but it doesn't go far enough to encourage emerging talent.

Where, then, can organizations find qualified individuals to fill their SOCs and run their vulnerability management programs? The answer is simple: They can be found in all walks of life, and from virtually every background. They can be found graduating high school, unconvinced by the merits of higher education and ready and eager to join the workforce. They can be found in fields ranging from closely related IT roles to those a bit further afield in biotech, retail, physical security, and other industries. They can be found in virtually every geographic region and in every imaginable demographic combination. Hiring managers simply require the willingness to organize their teams with the space and time to develop emerging talent. Countless other industries already do this — and (despite what many security professionals like to think) cybersecurity isn't exceptional. There's nothing unique about this industry that prevents it from approaching talent acquisition the same way. 

The Cybersecurity Labor Shortage Is a Lie

None of this is meant to imply that succeeding as a security analyst is easy. It isn't. It takes a strong analytic mind, a willingness to explore and grow, and a level of comfort with new and evolving technology. Perhaps most importantly, it requires a hiring manager willing to invest in a potentially unproven candidate. But the pool of individuals with the characteristics needed to succeed is far larger than many organizations and recruiters often believe — they just need to look in the right places. The sooner the industry recognizes how artificial many of the most common barriers to entry are, the sooner security organizations can realize that the so-called "labor shortage" is a lie — one that's been told for far too long.