By Andy Pantelli, CISSP, CCSP

With our increasing digital footprints ensuring security, confidentiality and integrity has never been so important. With increased awareness of cyber risks and visibility of attacks, we should be more equipped to protect ourselves than ever before. Unfortunately, we have a growing cybersecurity skills gap, and lack of security professionals. According to ISC2 research, the global workforce needs to grow by 73% to effectively defend organisations critical assets and roughly 4 million more skilled cybersecurity professionals are needed worldwide.

Unfortunately, with a general economic downturn post-pandemic we are experiencing a dampening of the appetite for investment and recruitment across businesses in both the private and public sector. The journey of career transitioning or starting out in cyber seems to hold many barriers including but not limited to lack experience and understanding of which pathway to take. Choosing between specialities like Incident Response, Threat Intelligence, SOC, Red Team, Blue Team or Architecture (the career options go on), and then accessing study materials, finding resources, labs, etc.

Many employers lack consideration for diversity of experiences when trying to attract talent, they must take a chance on a candidate with little or no time spent in cyber but that may have other transferable skills. In addition to this, the level of expectation, experience and skills required for junior- or entry-level positions should be reevaluated. It therefore falls upon security professionals and the cybersecurity industry collectively to address this imbalance.

The greatest help security professionals can provide is by investing their time to support, mentor, assist and provide advice. This act of giving back is highlighted in ISC2’s Code of Ethics cannon, “Advance and protect the profession.” While mentoring a cyber transitioning colleague recently he said to me, “You’ve been lucky in your career.” Where I was lucky was that an employer gave me an opportunity to show my worth, they saw potential. But that luck would not have helped me without my time spend studying, earning certifications and gaining experience.

The Cyber Landscape

Cyber is the bedrock of reducing risk in the enterprise, whilst offering assurance in our interconnected personal world. It is no longer considered niche at C Level or a boardroom afterthought. Increased sophistication and resources of our adversaries haveto be countered both reactively and proactively. Security professionals not only need foundational skills but are required to constantly adapt and to continually learn of the tactics and techniques that we will face. This paradigm shift from reactive, in what was once primarily about repelling attack, has now become proactive with threat intelligence, resilient architectures, zero trust, defence in depth and secure by design as promoted by the NCSC Guidance Secure Design Principals.

The next generation of security professionals, be they from the armed forces, boardrooms or lecture halls is stepping into a rapidly evolving landscape. It is no longer enough to understand threats, but instead security professionals will need to anticipate tactics and threats that malicious actors are constantly evolving.

Certifications vs. Experience

This is the ever-persistent debate, not just in cyber but in many business sectors. Having sat on both sides of the interview table, I have found for most hiring managers this is less a question and more a preconception. We are all products of our experiences, environments and other dynamics that shape us. So, when you find yourself in an interview, the hiring manager has their own perspective; for some, the most important factor may be on paper and for others it is more about what you have done, and the potential they see in you. Admittedly, having worked in highly-regulated environments, industry and vendor certifications are sometimes a mandatory requirement, be that in the public or private sector.

The key here is not to become focused or obsessed with a ‘one or the other’ mind-set. While having experience and certifications is ideal, these don’t have to be the deciding factor in the job offer. Hiring managers should look at the potential of the individual. One of my best hires was a graduate who was lacking experience, especially for the large enterprise in which he would be operating, but he possessed enthusiasm, intelligence and a work ethic to learn and develop. Within 12 months he was running a vital part of the infrastructure alone, without support due to attrition in the team. The faith I and the employer had was repaid to us by his development and excellence in the workplace.

Finding the Balance

On one hand, we have the skills gap, and in the other we have a combination of workers looking to retrain, military vets looking to start the next chapter in their professional lives and students coming to the end of their studies looking to start their journey. Matching these up would solve the problem, you would think. But the problem is just that: matching these up. As we have touched upon, hiring practices need to improve. Job descriptions need to be realistic, and employers need to invest and develop in their workforce. Undoubtedly, we need experience in cyber, but we need to develop the next generation too. The key here is supporting and helping people transition into cyber. Some vendors are providing the resources, including the ISC2 One Million in Cybersecurity program , offering the study material needed to attain the Certified in Cybersecurity certification . There are others as well: Juniper offered five free certification learning pathways, providing study material and 75% exam discount voucher. Cisco University offers free training as does Palo Alto Networks. Sites such as ‘tryhackme’, and ‘hackthebox’ provide some great free resources for those looking towards ‘red teaming’, and Portswigger offer up their Academy which also provides a fantastic resource for those looking to learn about application security. For military vets, the resources at TechVets are outstanding.

The common theme for those looking to start out in cybersecurity is knowing where and what is out there to help them along the way. This takes us back to ourselves, as security professionals. We can provide critical guidance, mentor or advise. Just as we were given an opportunity to develop, we should pay that forward and help the next generation on their journey. If we do this and help close the skills gap, it's not luck, but good judgment and a safer, more secure cyber world for all.

Andy is a Managing Consultant - Cyber Security Architecture at Consulting in the public sector including the UK Government. Since leaving the military, he has developed a career in IT over the past 20 years. He started in support and moved into network infrastructure. For the last ten years has focussed on Information Security, Cyber Security Architecture and Cloud Security.