New research shows corporate demand for cybersecurity skills is rising faster than internal supply, with innovative thinking needed to plug the gap – both in the acquisition and retention of key talent.
The report "Cybersecurity Talent: The Big Gap in Cyber Protection" by Capgemini's Digital Transformation Institute demonstrates that, of all the digital skills necessary for organizations with aspirations of digital leadership, cybersecurity represents the biggest gap between demand for those skills and internal supply.
The report surveyed more than 1,200 senior executives and front-line employees and analyzed social media sentiment of more than 8,000 cybersecurity employees. Sixty-eight percent of organizations reported high demand for cybersecurity skills compared to 61% demanding innovation skills and 64% analytics skills.
Demand for these skills was then set against the availability of proficient skills already present in the organization. This identified a 25 percentage point gap for cybersecurity skills (with 43% availability of proficient skills already present in the organization), compared to a 13 percentage point gap for analytics (51% already present) and a 21 percentage point gap for innovation (40% already present).
"The cybersecurity skills gap has a very real effect on organizations in every sector," said Mike Turner, Chief Operating Officer of Capgemini's Cybersecurity Global Service Line. "Spending months rather than weeks looking for suitable candidates is not only inefficient, it also leaves organizations dangerously exposed to rising incidents of cybercrime. Business leaders must urgently rethink how they recruit and retain talent, particularly if they wish to maximize the benefits from investment in digital transformation."
The demand for precious cybersecurity talent is projected to grow over the next 2-3 years with 72% of respondents predicting high demand for cybersecurity in 2020, compared to 68% today. Set against increasing incidents of cyberattacks and the need for organizations to not only protect themselves but also maximize competitive advantage from digitization, the report recommends a series of tactical priorities for business leaders.
The first priority for companies is to assess how well security is integrated across the organization. What is the culture of cybersecurity outside the team with direct responsibility for keeping data protected? How security-savvy are app developers and network managers?
"It's important to make the organization as a whole better at cybersecurity, aligning the enterprise with principles and processes that are secure from the ground up," explains Turner. "Get the basics right, in terms of application development. Develop secure code. Make your network engineers and cloud architects better at securing the cloud. That's a good way to fight the skills gap, because it teaches the organization to be secure by design."
"Another priority is to look at the, as yet, unrecognized cybersecurity skills that lie within," said Turner. "Half of all employees are already investing their own resources to develop digital skills, showing an appetite to upskill. Organizations that struggle to recruit externally may be able to uncover candidates with adaptable skillsets who can be trained. Those functions with complementary and transferable skills include network operations, database administration and application development."
In addition, companies should look at the requirement to embed security into every service and application, and hire business communicators to complement the technical skills in their team. Business analysts and technical marketers could be transferred to cybersecurity roles to enable the company-wide adoption of best practices.
A third priority is for organizations to think beyond the normal recruitment strategies and understand the root skills of cybersecurity. Look at traits and skills present in completely different job roles and interview candidates the organization might not usually consider. Those currently in math roles, for example, are often highly skilled at pattern recognition.
"Thinking outside the box is about understanding the transferable skills," adds Turner. "For example, people on the autism spectrum are fantastic at pattern spotting and are often blessed with numerical and problem-solving skills, attention to detail and a methodical approach to work – all useful traits for cybersecurity best practice."
Finally, look at retention of talent. In a highly competitive recruitment market, organizations must also look at engagement of existing employees to ensure talent gaps don't worsen.
Cybersecurity employees value organizations that offer flexible working arrangements, encourage training and prioritize clear and accessible career progression. Within the report, a difficult work-life balance was discussed as one of the five worst aspects of the job by cybersecurity professionals on social media and a main reason why they leave or remain dissatisfied with their company.
The clear majority (81%) of cybersecurity talent agreed with the statement, "I prefer joining organizations where I have a clear career development path," compared to 62% of all respondents in our survey. The number is even higher (84%) for Gen Y and Gen Z employees, who highlighted a lack of career progression as their number one concern.
Managing these softer but equally important retention issues is a key requirement for building a viable and sustainable cybersecurity offering.
Capgemini Digital Transformation Institute surveyed 753 employees and 501 executives at the director level or above, at large companies with reported revenue of more than $500 million for FY 2016 and more than 1,000 employees. The survey took place from June to July 2017 and covered nine countries (France, Germany, India, Italy, the Netherlands, Spain, Sweden, the United Kingdom and the United States) and seven industries (Automotive, Banking, Consumer Products, Insurance, Retail, Telecom and Utilities).
Capgemini also analyzed the social media sentiment of around 8,400 current and former employees at 53 cybersecurity firms with at least 100 employees. Selected firms operate primarily in the cybersecurity space covering (but not limited to) data security, cloud security, mobile security, enterprise security, email security and application security.