Canadian Security Magazine

Bridging the skills gap

Too many employers are looking for ‘unicorns’ to fill cybersecurity roles


Kevin Magee is chief security and compliance officer at Microsoft Canada (www.microsoft.ca).

Everyone in cybersecurity is talking about the skills gap and most agree it is a serious problem.

The thousands of cybersecurity job postings that go unfilled each week appear to confirm this, along with stories of employers fiercely competing for the seemingly handful of qualified candidates out there.

And yet, every day I meet plenty of aspiring cybersecurity professionals of all different ages and backgrounds with incredibly diverse educations, experiences, degrees and self-taught skills who would make excellent additions to our industry. All of them have amazing potential and display considerable passion and aptitude for doing the work.

These are effectively the people that employers say they desperately need, but many of them are struggling to find jobs because they are considered unqualified.

I also regularly meet with colleges and universities across Canada that are seeing record applications and enrolment in deeply technical courses designed for what they believe will best prepare students for lucrative and fulfilling careers in cybersecurity.

These same schools are graduating thousands of students each year with significant academic proficiency and technical competency who are ready and willing to take just about any role in cybersecurity that they can get.

Unfortunately, their qualifications don’t seem to align to the practical skills and depth of experience employers say they are looking for.

So, what exactly does “qualified” mean? Well, for starters, many employers seem to want highly educated and deeply technical prodigies who graduated with honours from a prestigious program and school.

In response, educators are designing academic programs to prepare graduates to meet this very narrow profile.

Students who aspire to be cybersecurity professionals are gravitating towards these programs, which is consistently driving up admission acceptance rates.

As a result, many students who have the potential to make excellent cybersecurity professionals and contribute to closing the skills gap either don’t make the cut or self-select out.

This doesn’t, in any way, account for the thousands of candidates who opt not to go to college or university, have backgrounds in other areas such as history, journalism or law enforcement as well as others looking to retrain or change careers.

In addition to top marks from top schools, many employers also believe qualified candidates should come complete with “Jedi” level skills on major vendor solutions as well as the coveted five-plus years of hands-on practical experience. This requirement even leaves many top graduates otherwise unqualified for most positions.

Employers are looking for, and often will accept nothing less than, “unicorns” and no one seems to want to take on the risk and burden of training inexperienced new graduates, forcing many to take whatever work they can find.

Overall, these trends have the effect of continually narrowing the pipeline of potential qualified candidates further and further while raising the bar of entry to the profession ever higher — all while the number of open positions in the industry exponentially increases.

This begs the questions: is the real problem that there are not enough qualified candidates to close the cybersecurity skills gap? Or is what we perceive to be a skills gap simply a result of fragmented approaches and systemic challenges that persist in how we attract, educate, train, develop and ultimately hire the pipeline of talent for our industry? And what can we do to fix it?

Employers:

Stop talking about diversity as an aspirational goal and start thinking about it as an absolute business imperative.

If ransomware is a top concern for your organization, then engineering skills alone won’t mitigate this risk, but perhaps adding someone with a criminology degree to your team might. Employers also need to stop trying to buy their way out of the skills gap and start investing in diverse and entry-level talent as a game changer and competitive advantage.

Educators:

Find more ways to get employers embedded in the development, delivery and ongoing assessment of your curriculum.

Industry advisory boards, engagement in student-led capstone projects, guest lectures and student mentoring can create considerable value and impact for everyone involved. Also, make sure to provide your students hands-on experience with vendor solutions by asking for licence and equipment donations, access to real-world training courses and finding other creative ways vendors can assist.

Candidates:

Hackers always find a way in! Don’t give up when you see “five-plus years experience” but look for the opening the phrase “or equivalent” often offers. How can you find ways to demonstrate you have the equivalent skills leveraging free online training, creating videos, writing blog posts or presenting at cybersecurity meetups? Find ways to show employers what you are really capable of!

In order to solve the problem of the skills gap, we need to rethink what “qualified” really means.

Employers need to shift left well into the earliest stages of developing talent for our industry, partnering with educators and supporting aspiring cybersecurity professionals throughout the earliest stages of their careers or risk continuing to perpetually compete with each other for the same narrowly defined profile of candidates who they deem to be “qualified.”