According to the 2019/2020 Official Annual Cybersecurity Jobs Report, an estimated 3.5 million cybersecurity jobs will go unfilled in 2021. While attracting candidates from such a limited talent pool may seem impossible, companies do have other options at their disposal. Here are three steps that companies can implement right away to overcome the talent shortage:
- Hire Creatively
- Create a Strong In-house Security Culture and Train Appropriately
- Appoint a Security Champion(s)
Hire Creatively
In a piece for VentureBeat, Gusto CISO Frederick “Flee” Lee suggests we aren’t facing a skill shortage problem, but a “culture problem that manifests in the ways we recruit talent.” Companies may think they need candidates of a particular pedigree, but Lee argues that isn’t the case.
“To create the talent supply to fill demand, we need to reach talent that has the aptitude and ability to learn and apply the necessary skills for the job. That means organizations need to get creative and develop their own learning and development initiatives for skill-building, whether it’s a large-scale training initiative aimed at career changers, or something as simple as hosting workshops, meetups, lunch-and-learns, or informational office hours,” he writes.
These tactics can work for both new hires and employees a company already has, even if those employees won’t move to security positions. In a 2012 Ponemon Institute study on the cybersecurity gap, 71% of developers surveyed felt security was not adequately addressed during the SDLC, and 51% reported their organization had no training programs on app security. So, even those devs who wanted to invest more in security might have felt they lacked the resources to do so. Or worse, they might have concluded that, because their company spent no time training them, their leadership didn’t think they should care.
Create a Strong In-house Security Culture and Train Appropriately
Organizations should not paint security as just one team’s job, but something that’s important for everyone. In the long run, a dev team that thinks and cares about security will be more effective than one that doesn’t, simply because fixing problems upfront is faster and cheaper than waiting until they emerge. Plus, it’s no fun working for the company that’s the victim of a highly publicized data breach.
To further foster an organization that values security, leaders can both empower and incentivize. Give developers the option to learn about security in a way that doesn’t feel like a punishment. It shouldn’t stress them out or make them feel like they have too much work. Rather, it should feel like an opportunity.
Leaders can incentivize through rewards and recognition, like free T-shirts, mugs, stickers, gift cards, or certificates. Those items might seem insignificant, but a 2018 study found that people who received smaller, immediate rewards experienced increased motivation and greater enjoyment in their work. For those who really choose to dig in, organizations could also pay for advanced degrees or certifications, or create a pathway to security careers.
Learning about security can also be engaging. Companies can choose fun themes, launch friendly competitions, or gamify training. Capture the Flag events are popular coding challenges in which players earn points by capturing a “flag” each time they solve a challenge. Microsoft’s Elevation of Privilege card game teaches threat modeling, and it’s popular enough that some people play it recreationally.
Appoint a Security Champion(s)
Companies can also appoint Security Champions, who will act as liaisons between the security and dev teams. Depending on its size, an organization could appoint multiple champions.
Security champions are typically volunteers. While champions don’t have to be within the organization’s leadership, the best candidates are team players with some leadership skills who are already interested in security and who are excited to take on new responsibilities. The Security Champion will share their learnings with their team and further encourage devs to take a personal interest in security, so they should feel comfortable asking and answering questions, then breaking that information down for others.
Organizations can ensure a positive experience for their Security Champion by clearly defining their roles and responsibilities, opening communication channels with the security team, recognizing their contributions, and offering opportunities for additional training. For more guidance on selecting a Security Champion, look at OWASP’s Security Champions Playbook.
Ultimately, organizations do best when they don’t think of security as the responsibility of one team made up of people who all share the same educational background. Make security a part of your company culture and include it in your company’s language. Let everyone in on it. This shift in mindset can help your company overcome hiring challenges, empower your existing employees, and develop a culture that strengthens both your application security and the reputation of your company.