The search for security talent

The search for the next generation of cybersecurity professionals can be tough, say Lopa Ghosh, cybersecurity culture leader, and Victoria Brahm, senior consultant, people advisory services, at EY.

A new year, a new start and often the search for new talent begins. For the majority of businesses, new budgets mean that the early months of the year are prime time for recruiting. However, four out of five organisations are experiencing an IT security skills gap according to a report by CyberEdge, which means that the security of businesses is being threatened while they recruit the right cyber professionals. The education sector (87%) is the most impacted, followed by telecommunications and technology (85%) and manufacturing and finance (81%).

In their search for security talent, why are businesses struggling to keep up?

  1. Businesses are looking for traditional people to solve a non-traditional problem

Most businesses aim their cyber recruiting strategies at traditional professionals: individuals with standard credentials like degrees in IT, computer science or engineering. The problem is that hackers are not bound by the parameters that traditional education teaches. Businesses need to have people on their side who think in the same way as hackers. This breed of pre-emptive hacking – referred to as white hat or ethical hacking – doesn’t always follow a set career path, with specialists often being self-taught. By embracing non-traditional education and career paths, businesses can tap into potential employees whose capabilities can match those of hackers and help them stay ahead of malicious attacks.

  2. Businesses are struggling to engage an increasingly multigenerational workforce

Businesses are facing a new future in terms of demographics at work. People are living and working longer, which means there are now as many as five generations in the workplace, compared to three or four in previous years. Motivating and engaging each generation can be a complex undertaking. Millennials are the fastest growing segment in the workforce, and centennials are now starting to enter the workplace. Both have grown up in a tech-savvy environment where they can choose to sell their skills to the highest bidder and jump from one job to another. They are driven by different priorities: flexible schedules, purpose and transparency. A survey by Cone Communications found that 75% of millennials would take a pay cut to work for a responsible company, compared with a 55% average across all ages. To manage effectively across generations, businesses may need to create a vision that provides purpose and meaning behind each individual’s work. Those businesses that take into account what motivates the upcoming generation of workers are more likely to succeed in the recruitment race.

  3. Businesses are no longer doing the choosing: they are chosen

As new generations enter the workplace, talent is increasingly setting the standards for where and how they wish to work. The cybersecurity talent shortage is so immense that people with specialist skills have more bargaining power than the average employee. Although the UK has one of the most vibrant digital economies in the world, it does not currently have the cybersecurity skills base to match. Due to this shortage, cybersecurity personnel can command pay rates of up to 15% above other technology roles. Before they choose who to work for, security professionals can afford to wait and see how many offers they get and who provides the better deal. By being prepared for this new reality, businesses can pre-empt employee demands by creating the right culture, environment and rewards in their talent bidding wars.

Solving the skills shortage

So how can this be solved?

  1. Thinking differently about different thinking

Tapping into a more diverse talent pool can lead to the possibility of generating much-needed skills and creative solutions. For example, the NeuroCyber event serves to grow engagement, inclusion and understanding of neurodivergent individuals whose skills are suited to cyber. It is about thinking differently about different thinking, as described in The Rise of Chief Neurodiversity Officer. In the UK, around 15% of people are affected by some form of neurodiverse condition such as dyslexia, ADHD, autism and dyspraxia. Successful organisations like Google, Microsoft, Apple, Tesla and many others were founded or built by neurodiverse individuals who possess unique capabilities, such as high levels of motivation and lateral thinking, ideal for cyber and technology careers.

  2. Supporting non-traditional ways of working

Why confine employees to traditional 9 to 5 jobs when the threat of a cyber-attack is 24 hours? Redesigning roles and functions could lead to more compressed hours or shift work around employees’ chosen hours. This can help attract more parents and younger generations who have the right skills but require or prefer more flexible hours. By establishing a culture that suits the conditions in which cybersecurity professionals prefer to work, they are more likely to be attracted and retained in roles.

  3. Recruiting the right personas

Finally, businesses need to understand the various archetypes or personas required for a robust and balanced cybersecurity team. Each persona, whether it be a hacker, a visualiser or a coder, has separate interests, needs, and abilities to deal with technical details. Identifying their various strengths and traits, and designing roles around them, will help recruit the right people into the right roles.

In a world where career landscapes are constantly changing, businesses need to adapt alongside them. This is especially true in cybersecurity, where candidates no longer fit the traditional stereotype. By making some adjustments to who is recruited and how, organisations can set themselves up for greater success in the future.