The cybersecurity talent shortage: addressing the skills gap

In recent years, the demand for cybersecurity talent has surged exponentially due to the increasing number of cyberthreats. As companies expand their digital footprints and pursue digital transformations, the need for skilled cybersecurity professionals to secure these technologies is even more critical.

Unfortunately, the world is facing a massive cybersecurity talent shortage. While the global cybersecurity workforce grew to 4.7 million people—its highest level ever—there’s still a need for more than 3.4 million additional security professionals.

There are a multitude of factors that have contributed to the cybersecurity talent shortage, but regardless of the reason, building and fostering a culture of education, growth, and inclusion is key to attracting and retaining cybersecurity talent. Without a team of exceptional cybersecurity professionals, your company cannot adequately service your clients—and mitigate the risks of potential cybersecurity threats.

Why is there a cybersecurity talent shortage?

The cybersecurity talent shortage is rooted in a number of changes—from companies experiencing an increase in cybersecurity threats to consumers valuing their privacy and security much more than in the past few decades.

The following patterns underscore the growing demand for more cybersecurity talent and the perceived shortage.

• The growth of the cybersecurity field. Like the field of medicine, there are now a large number of subsets within the cybersecurity industry—from application and network security professionals, to cloud or Internet of Things (IoT) specialists. If a company is seeking a cybersecurity professional who is essentially a jack-of-all-trades, it will be nearly impossible to find. Instead, companies need to update their expectations and understanding of cybersecurity professionals—and reevaluate their hiring practices accordingly.
• An increase in cybersecurity threats. Cybersecurity attacks are on the rise—and many indicators reflect a fear of further increases. In fact, spending on cybersecurity service providers is projected to reach $101.5 billion by 2025, and costs related to cybercrime are expected to increase by 15 percent, reaching $10.5 trillion. Because more and more organizations are becoming aware of cybersecurity threats, more are on the search for a cybersecurity professional.
• Limited background requirements. One reason for the talent shortage is in what organizations put in their job descriptions. Many security businesses and MSPs seek out professionals with traditional technology credentials, such as college degrees in tech-related fields. To combat the talent shortage, consider opening up your job search to include non-traditional applicants who bring innovative ideas and complex backgrounds to the realm of cybersecurity.

The consequences of the cybersecurity talent gap

MSPs serve as a critical link in the IT service chain for many organizations. If your team experiences staffing shortages and a lack of experienced cybercrime experts, the repercussions can be widespread and damaging.

Potential consequences include:

• Decreased service quality. With fewer hands on deck, the quality of the services provided to your clients can decline. The tangible outcomes of this can range from longer resolution times to frequent downtimes to unaddressed technical issues.
• Delayed response times. When working with an MSP, clients expect timely responses to their queries, issues, and questions. Staffing shortages lead to increased ticket resolution times, which can negatively impact client satisfaction and retention.
• Overworked staff. Staffing shortages lead to increased workload for remaining team members. This increase in workload can lead to alert fatigue, burnout, employee turnover, and an even more strained workforce.
• Inadequate monitoring. Most MSPs manage security and infrastructure monitoring for your clients. A reduction in staff leads to potential security breaches, missed vulnerabilities, or infrastructure failures.
• Decreased revenue. Without an engaged and available workforce, clients might look elsewhere for their IT needs, leading to revenue loss for your organization. In addition, it may be challenging for your organization to take on new clients or expand services for existing ones.

Another element of managing your cybersecurity team is ‌talent-to-value protection. This is a concept where businesses identify and allocate their best talent to roles that hold the most value and strategic importance. By protecting this alignment, your organization guarantees that the most critical business roles are managed by highly skilled and competent individuals.

To leverage talent-to-value protection, start by identifying which roles and tasks are most critical to your service delivery and client satisfaction. Next, determine which team members are best suited for the task and assign top talent. To make sure your assigned talent remains at the top of their game, provide continuous training and certifications. Once your top talent has been identified and assigned, regularly assess the performance of these key roles and determine how to support your team’s long-term growth and success. 

By leveraging this strategy, your organization will mitigate some of the risks associated with staffing shortages. Even with a lean team, the most mission-critical operations will run smoothly and minimize any‌ negative impact on your clients.

What cybersecurity roles do MSPs need to fill?

MSPs play a pivotal role in offering cybersecurity solutions to your clients—and due to the specialized nature of cybersecurity, certain roles are now paramount. So, what common cybersecurity roles do you need to fill as an organization?

Big-picture management

To fill big-picture management roles, you need team members who excel in big-picture thinking beyond the day-to-day operations. This means executive managers need to have high-level technical knowledge—so they can offer helpful guidance and input to technicians—but are best suited for leading the organization toward success. 

Ideally, these managers should be able to foresee where the organization is headed and set a clear and compelling vision for the future. They should also display strategic thinking, decisiveness, adaptability, delegation, and emotional intelligence.

Typical roles and responsibilities include: 

• Playbook creation and updates
• Resource management
• BCDR management
• Operations coordination
• Policy management
• Roadmap planning
• Compliance and governance
• Vendor management

Service delivery and sales

For effective cybersecurity service delivery, team members must be vigilant, reliable, and adept at technical communication. Because cybersecurity requires real-time, rapid problem-solving in crisis situations, all team members must be prepared to prioritize threats and manage them in real-time.

On the other hand, cybersecurity sales team members must be able to effectively communicate with potential clients. This often requires the ability to translate complex cybersecurity concepts into understandable terms—highlighting the importance of investing in cybersecurity solutions.

One specific role here is a vCIO (virtual chief information officer). These professionals can explain to clients what they are agreeing to, any related compliance requirements, as well as explain how the services position them in the changing cybersecurity landscape. Sales team members must also be interested in building long-term relationships, be goal-oriented, and self-motivated to stay updated on the ever-evolving threat landscape.

Typical roles and responsibilities include:

• Manage client service and relationships
• Meet SLAs and SLOs
• Show services value
• Cross- and up-sell

Active monitoring and risk management

Team members focused on monitoring and risk management should possess attention to detail, analytic skills, technical skill, patience, strategic thinking, and effective decision-making.

Typical roles and responsibilities include:

• Monitor systems and dashboards
• Determine threat severity
• Event escalation
• Proactive threat hunting
• Spot-checking tickets

Tech stack management

Tech stack management involves oversight of a combination of software products and programming languages used by your team. Effective team members should have technical skills, strategic vision, adaptability, problem-solving skills, and an analytical mindset.  

• Configure and integrate tools
• Manage and troubleshoot tools
• Report generation
• SIEM log management

Incident management

Effective incident management team members are excellent problem-solvers, quick decision-makers, and calm under pressure. They also possess an analytical mindset and can communicate precisely and quickly.

• Coordinate plan execution
• Threat containment and remediation

Threat investigation

For effective threat investigation, team members must be highly curious, effective communicators, calm under pressure, and capable of dissenting large amounts of data and finding patterns.

• Post-attack research
• Findings and remediation reporting
• Share information with authorities

System testing

System testing, a critical component of the IT lifecycle, requires team members to pay attention to detail, be curious and adaptable, and be able to collaborate creatively with other departments.

• Test for network vulnerabilities
• Test cybersecurity architecture
• Test backup and disaster recovery

Best practices to manage the cybersecurity talent shortage

The cybersecurity talent shortage is a prominent challenge for many organizations across the globe. With the increasing sophistication and volume of cyberthreats, the demand for highly-skilled cybersecurity professionals continues to outstrip supply.

Tap into available talent sources

Building your cybersecurity team roster requires a mix of embracing both traditional and non-traditional pathways to identifying, attracting, and retaining the very best talent in the industry. As an organization, consider the following elements:

• Traditional recruitment: Continue to leverage traditional job boards, recruitment agencies, or industry-specific platforms to post job vacancies and attract candidates.
• Academic partnerships: Collaboration with local or regional universities, technical colleges, or training institutions can open new doors to reaching potential talent.
• Industry organizations: Organizations like CompTIA provide resources, training, and networking opportunities to help connect IT professionals and businesses.
• Reskilling and up-skilling: What team members do you currently have who would be a good fit for a cybersecurity role? Identifying employees from other departments and offering training to transition into cybersecurity roles is a strategic option for organizational growth. Our webinar, Solve for the Cybersecurity Skills Gap, provides insight into developing cybersecurity talent within your own company and how to evaluate your tech stack and find opportunities to streamline.
• Hackathons and competitions: Hosting or participating in local or regional cybersecurity challenges is an effective way to identify emerging talent and connect with cybersecurity professionals.
• Veteran programs: Many military veterans have skills that are transferable to cybersecurity—but may not have the necessary degrees for certain job descriptions. Build specialized programs to help bridge the gap and bring veterans into the cybersecurity workforce.
• Remote work and global recruitment: In today’s landscape of distributed and hybrid workforces, consider recruiting talent from across the world.
• Employee referral programs: Encouraging your employees to refer qualified candidates often leads to new hires that are an excellent cultural fit for your organization.

Practice strategic outsourcing

As cybersecurity threats become more sophisticated and prevalent, many companies turn to outsourced staffing solutions to complement internal skills and resources. Strategic outsourcing can offer your organization untapped access to IT expertise without the commitment of full-time hiring. This can be particularly advantageous for SMBs and mid-size MSPs who may lack the resources to hire and maintain a full-scale, in-house cybersecurity team.

For example, an MSP may partner with a managed SOC, or security operations center, to help increase tech bandwidth and scale client capacity. Providing 24/7 security support and threat monitoring for a client internally would require roughly 10-12 technicians at a salary starting of $75,000 per person—a figure that will likely be higher due current market competition.

Outsourced SOC services allow MSPs to scale support capacity and improve customer service at a fraction of the cost, and without additional headcount. Learn how a SOC can help you navigate other common cybersecurity challenges with our eBook, Cybersecurity Challenges Facing Today's TSP/MSP.

Build an appealing employer brand

In today’s competitive cybersecurity job market, building an appealing employer brand is essential for attracting and retaining employees. The best brands reflect ‌organizational values, culture, and benefits with compelling and approachable content.

• Showcase your company culture. Leverage LinkedIn or other forms of social media, company blogs, or videos to highlight your company’s culture. Offer a behind-the-scenes peek into daily life at your organization, share employee testimonials, and take photos of company events. By posting and sharing this type of content, potential candidates will see an authentic view into daily life at your company.
• Highlight your unique value. What makes your company unique? What do you offer that others might not? Understanding what precisely makes your company unique—and a good place to work—will help you communicate your value to potential employees.
• Connect with current employees. Happy employees are the best brand ambassadors. Conduct surveys or focus groups to gather insights about what your employees like or dislike about working at your company. Then, use their feedback to make necessary improvements.
• Invest in professional development. Because cybersecurity is a rapidly evolving field, offering employees insightful and in-depth professional development opportunities is a key benefit.
• Participate in professional communities. Whether in person or online, getting involved with industry communities is a great way to position your company as a thought leader and build potential connections. Communities like IT Nation allow you to showcase what you have to offer to many of the industry’s top professionals. You can also contribute to the greater community through content creation opportunities, like a webinar or podcast.

For more insights on how to build your cybersecurity team, check out our eBook, How to Find and Retain Top Performers in a Tight Talent Market.

Weigh certifications and experience in the hiring process 

When going through the hiring process for cybersecurity talent, balancing certifications and experience is critical. Here are some insights on how organizations can give fair consideration during the hiring process:

• Define role-specific needs. For some cybersecurity roles, certifications might be absolutely crucial—such as denoting a standardized level of expertise, such as CISSP for security management or CEH for ethical hacking. However, other roles might benefit more from hands-on experience.
• Assess the depth of experience. Evaluate the depth and relevance of a candidate’s experience. Ask them if they’ve dealt with any incidents or situations that are highly relevant to your organization’s security needs.
• Recognize non-traditional paths. Many candidates today come from non-traditional backgrounds—which means they may lack certain certifications. Stay open to such pathways, because these candidates often demonstrate high adaptability and diverse problem-solving skills.
• Provide growth opportunities. Once a candidate has been hired, make sure you continue to offer opportunities for employees to gain further certifications or hands-on experience.

Build a talent pipeline

Building a talent pipeline is a strategic move for many MSPs to provide a steady flow of skilled cybersecurity professionals for your organization’s future needs.

One of the most effective ways to build a talent pipeline is to connect with local universities and colleges. Offer internships, workshops, or guest lectures to build awareness of careers in cybersecurity and establish relationships with prospective employees.

Additionally, holding regular networking or industry events can be a helpful tool. Cybersecurity events and conferences like IT Nation Secure serve as a magnet for professionals of all skill levels. Attending, sponsoring, or hosting events will drive more brand awareness for your company.

Refine your onboarding process for new hires

Refining the onboarding process for new hires is supportive, both for successful integration and long-term retention. Refine your onboarding process with these core elements:

• Tailored orientations. Make sure each orientation is customized to your new hire’s specific role. Provide a deep dive into their responsibilities and how these align with the larger organizational goals.
• Mentorship programs. Assign every new hire a mentor or buddy to provide guidance, answer questions, and help the newcomer navigate the company culture.
• Hands-on training. Offer practical sessions for new hires to familiarize themselves with the tools and platforms they’ll use daily.
• Continuous feedback. In the first 3–6 months of your new hire’s job, conduct regular check-ins to gather feedback on their experiences and make improvements.
• Clear roadmaps. Discuss future career paths, training opportunities, and certifications within the organization. Employees who can visualize a future with your organization are more likely to stay engaged.
• Provide helpful resources. Equip your new hires with resources and information to assist them in understanding complex processes and systems.

Embrace diversity, equity, and inclusion

Embracing diversity, equity, and inclusion in the hiring process for cybersecurity is essential. A diverse workforce leads to varied perspectives, which foster creativity and innovation. If you’re wondering how to embrace DEI with cybersecurity talent initiatives, consider the following recommendations:

• Broaden your recruitment channels. Engage with DEI-focused organizations and groups that cater to women or BIPOC and underrepresented cybersecurity experts. Women, in particular, are statistically underrepresented in cybersecurity organizations.
• Use gender-neutral language. When writing job postings, use gender-neutral language and avoid jargon that might deter diverse candidates.
• Blind recruitment. Use HR tools to anonymize applications and remove details, such as names, gender, age, and other personal identifiers, to reduce unconscious biases.
• Diverse interview panels. Every interview panel must include diverse members to reduce individual biases and offer a more balanced evaluation of candidates.
• Include skill-based assessments. Implement hands-on tasks or tests to evaluate the skills and abilities of the candidate’s instead of focusing solely on their resumes.
• Schedule flexibility. Recognize different cultural and individual differences by offering flexible working hours, religious holidays, and special accommodations.
• Launch Employee Resource Groups (ERGs). Encourage and create ERGs for different demographics within your organization to offer support, mentorship, and growth opportunities.

Set your team for success with top cybersecurity solutions

Your organization is only as strong as its people—and talent shortage aside, that strength determines the integrity of your clients’ success.

While there are many pillars of a thriving cybersecurity business, employee retention is one success metric not to overlook. With cyber professionals in such high demand, failing to create a strong and supportive workforce environment can impact your business’s bottom line.

ConnectWise is here to help, with purpose-built cybersecurity management solutions and managed SOC services to help MSPs deliver best-in-class customer support and security protection. Don’t let the cybersecurity talent shortage hinder the growth of your business—sign up for a cybersecurity demo or trial or visit our cybersecurity center for more information and resources to support the growth of your cybersecurity practice.