Cybersecurity hiring managers can learn from the experiences of many football (soccer) clubs, which discovered to their competitive cost that overlooking homegrown next generation talent in favor of only hiring star players can undermine skills development and success.

The first look at the 2024 ISC2 Cybersecurity Workforce Study was stark in its findings. Jobs growth has currently stalled with the workforce flat at 5.5 million globally. Signs of growth in some markets have been offset by significant workforce reductions in others. It also highlighted an important aspect of the composition of the cybersecurity workforce: the lack of entry- and junior-level professionals currently in roles or being recruited into new roles.

Across all organizations that participated in the survey, almost a third (31%) have no entry-level cybersecurity professionals and 15% have no junior-level people. The situation improves slightly the larger the organization size, but between a quarter and a third of all businesses surveyed have no entry-level cybersecurity personnel, creating an immediate problem in terms of career progression and knowledge transfer within cybersecurity teams.

Building a cybersecurity team with only highly experienced and highly qualified cybersecurity leaders may seem like a good strategic move, assembling proven capability and a huge repository of knowledge to draw on in the event of any number of situations. But where does that knowledge go when those “all-star” recruits move on to another organization or retire? Without a hierarchy of skills and capability in the team, from entry-level to cybersecurity leader, there is no natural pipeline to transfer knowledge and experience down to the next generation, and no clear way for them to evolve into the future cybersecurity leaders.

Football’s Homegrown Talent Problem

The professional game of football, or soccer as it's also known, has long been sustained by a developmental system, with talent signed and developed at a variety of ages and skill levels. The best eventually make it as first team professional players and the elite professionals of the future. The rest of the team is then made up of a mixture of players hired (or signed) from other teams. Top talent is at a premium, so clubs offset the cost and availability of star players with homegrown professionals they can develop and invest in to eventually become star players. It is also a resilient approach, ensuring there are people progressing who can step up if a star player is injured or otherwise out of action.

As a structure, the football development pipeline is not too different to any other non-sporting workplace environment. An organization molds talent from an entry-level, building them up with training and skills development opportunities to allow them to eventually take on more senior roles. Some might leave and carry on elsewhere. Like any personnel investment, not everyone becomes a long-term fixture in a team. The rest of the workforce is made up of pre-skilled people of different levels, who have been hired away from other organizations. When the most skilled are not present, whether they are on vacation, have moved on or have retired, business resilience is maintained as there are people coming up through the ranks to step up into those positions. Previous ISC2 research supports this, showing that hiring managers are looking to entry- and junior-level staff to take on everyday duties, alongside adding ideas and perspectives that help strengthen security operations. 37% of hiring managers in that study said entry- and junior-level hires are ready to step up independently within six months or less on the job, much like a talented football player.

Where Football Made a Mistake

The tried-and-tested talent pipeline began to experience some issues in the 1990s when a significant change occurred across the professional football world – an influx of new money. Pay TV operators in the UK, Germany, Italy, France, Spain and elsewhere were successful in wresting away football broadcast rights, usually from state broadcasters. The Pay TV operators signed deals to show many more games per season – thanks to having dedicated sports channels – while paying far higher sums for broadcast rights than had ever happened before.

Topflight clubs in these countries now had access to funds never before imagined. It allowed them to sign many more star players from other clubs, pay higher wages and effectively buy a team rather than build one. It was faster, with proven results based on past performance. It didn’t involve investing time in a youth development prospect who may or may not make it to the first team. And that’s where it became a problem.

With clubs now able to attract and sign the best of the best, the in-house talent development systems began to struggle. There was less need, less desire to invest in them, with those who did make it then finding there was no opportunity for them to advance to a first team squad already full of international-level stars from around the world. For clubs, it eventually became unsustainable. The explosion in transfer fees and wages meant that even with TV money, many clubs could not compete with larger competitors to attract and sign established talent. This not only impacted their own fortunes, but also impacted the wider game. With fewer homegrown professionals coming through, national teams suffered, with a far smaller pool of players to draw from.

Clubs began to realize this and some began to reverse the trend, investing in homegrown talent development again, realizing it could be more cost effective in the long run and provide them with the competitive advantage they had lost or were in danger of losing. Other clubs were not as proactive, with the decision eventually being taken out of their hands.

Regulation

In many footballing nations, regulators eventually had to step in to force the issue. In the UK, the Football Association imposed quotas back in 2010 for homegrown first team players, preventing clubs from entirely relying on international signings. National football associations across Europe, as well as the European body UEFA, eventually imposed Financial Fair Play (FFP) rules as a means to protect and force a talent development system and level the playing field. These FFP rules limited what could be spent on signing and wages as a percentage of total expenditure, effectively limiting how much a team could spend on outside talent acquisition. Homegrown talent became far cheaper and more desirable, as well as a means to comply with spending limits.

Learning from the Football Experience

While it’s unlikely that a government or industry regulator is going to bring salary caps into play when building a cybersecurity team, ensuring the sustainability of the workforce is a very real consideration and concern for governments and industry regulators around the world.

Over two thirds of Cybersecurity Workforce Study respondents (67%) reported some form of shortage of cybersecurity professionals in their organization. In line with the flat growth of the active workforce, this figure has also not improved year-on-year. It is illustrative of the lack of new jobs growth and how this impacts day-to-day capabilities and team functionality. More than half of those surveyed (58%) stated that a shortage of skilled staff is creating increased risk.

This is illustrative of why organizations need to make urgent job creation investments to deal with looming cybersecurity challenges and to protect their users, data, systems and supply chains.

If hiring managers are unable to proactively maintain viable recruitment processes that create opportunities for all experience and skill levels to enter and advance, there is always a possibility that tools such as quotas may become more prevalent in hiring processes to ensure the next generation of cybersecurity professionals get an opportunity and so that workforce shortages are not allowed to grow further. According to the 2024 study, 62% of hiring managers that currently had open roles on their teams were focusing only on hiring mid- to advanced-level roles rather than a broad mix of experience and abilities.

Moreover, investing in and maintaining a viable pipeline of entry-level cybersecurity personnel within the team ensures a means to learn and advance, enabling the entry-level professionals of today to become the experienced cybersecurity team leaders of tomorrow. Tools such as ISC2’s Certified in Cybersecurity (CC) certification are a valuable starting point for developing these professionals and establishing a career and qualifications pathway for them.

Developing entry-level and mid-career professionals alongside hiring and retaining experienced leaders makes for a more cost-effective team dynamic, with the investment a company makes being quantifiable by the progression of the individual, alongside ensuring that valuable cybersecurity knowledge and experience has a means of being shared and staying in the organization when someone experienced leaves.