Organizations such as the International Information System Security Certification Consortium, or ISC2, say the demand for cybersecurity workers is far outstripping the available workforce.
The nonprofit training organization estimates in its latest annual workforce study that around 2.72 million more cybersecurity workers are needed globally.
While that figure is down from 3.12 million in the previous year’s study, hiring remains a slog, especially for companies looking to expand their cyber teams during a period of heightened threats from hackers.
Shaun Marion, chief information security officer at fast-food chain McDonald’s Corp. , is in the midst of bringing many contracted cybersecurity roles in-house, especially those at the entry level, he said. Mr. Marion also plans to hire another 30 to 40 cyber professionals this year.
The shift will help improve prospects for people who want to build cyber careers at McDonald’s, Mr. Marion said. “Once I get people here, I can expose them to all the opportunities they have,” he said. “It’s not hard to retain. But getting them in is hard.”
At payments provider Visa Inc., which has around 1,150 staff working on cyber-related roles globally, Chief Risk Officer Paul Fabara said he is keenly aware that losing employees without the ability to replace them can be just as disruptive as not being able to fill the roles in the first place.
“You have to start planning way in advance,” he said. “If you start by the time attrition hits you, if you don’t have three or four people in the pipeline for a single role, you’re going to fall short of meeting the demands of that job.”
That can have real consequences for companies, and for the remaining employees who still have to run security operations centers, fusion centers and other cyber operations at peak performance levels.
“The worst thing you can do in this type of environment, because you’re operating on a 24x7 basis, is to burn people out,” Mr. Fabara said.
Thinking broadly about candidates is key for Steven Babb, CISO at Mitsubishi UFJ Financial Group’s investor services business. Mr. Babb said he supports initiatives that aim to increase gender representation in the workplace, and he’s also interested in candidates who aren’t necessarily from straight cybersecurity backgrounds but may have relevant experience in other departments.
“We give people the opportunity to come in to learn about the business, to learn about our technology and to apply what they know, such as transferring skills from other areas into security as well,” Mr. Babb said.
At McDonald’s, Mr. Marion says the help desk can feed the general roles in the cybersecurity group because technicians there know how to handle ambiguity and solve problems in real time. Serious online gamers make good staff for the security operations center, he said, where the ability to work odd hours, cooperate and think quickly are required.
“I search for attitude and aptitude and lay security training on top of that,” he said.
The idea of considering candidates with nontraditional backgrounds is gaining traction for external hires, as well as existing employees. For Mr. Marion, looking only for college graduates is “myopic.” Not only don’t the numbers support that route, but requiring a degree eliminates good candidates, he said.
The cybersecurity industry has come under criticism in the past for its unrealistic requirements for entry-level positions, with some banks and other organizations asking for advanced degrees and professional certifications that require years of experience to achieve.
“College is not for everybody, and not everyone has access to college because they lack the financial wherewithal or community support,” Mr. Marion said, which often excludes people who could help round out the gender and ethnic diversity he seeks in his staff.
Some senior roles need a degree, such as in cyber and privacy risk assessment. But many positions don’t, he said. Stripping mentions of degrees and professional certifications from many cyber job descriptions took some convincing of the human-resources group, he said.
And the numbers favor his approach. According to the most recent figures from the National Center for Education Statistics, just about 2 million bachelor’s degrees were conferred in 2021.
“The point is, you won’t get all your talent from college,” he said. “Even if you could, I don’t know that I’d want to.”
Write to James Rundle at email@example.com and Kim S. Nash at firstname.lastname@example.org
James Rundle and Kim S. Nash