Phase2 Advantage Cybersecurity and Certifications

The cybersecurity talent shortage is REAL. The causes for it are NOT.

Cybersecurity Talent Shortage

When I first came across the CyberSeek Supply and Demand Heat Map, there were almost 200,000 unfilled cybersecurity positions in the US.

Since that time, almost every college and university have launched cybersecurity degree programs, turning out graduates at a rapid pace. Certification agencies are springing up everywhere and churning out credentials faster than rabbits reproduce. Nonprofit organizations are created daily with the goal of providing disadvantaged populations with access to cybersecurity careers.

Flash forward to 2022 and the CyberSeek Supply and Demand Heat Map now claims almost 600,000 unfilled cybersecurity positions exist in the US alone due to a lack of qualified applicants. The math of the shortage and job placement trend doesn’t add up.

Despite the continued efforts of higher education, the persistence of certification agencies, and the noble intentions of nonprofit organizations, the goal of filling these positions is not being met. In the past year we have produced more people trained in cybersecurity than we have in the last decade, yet the talent deficit continues to rise exponentially.

The unfortunate truth is despite the marginal gains these groups have realized over the years their combined efforts are destined to fail. Here’s why: THE SYSTEM WE CALL “ENTRY-LEVEL CYBERSECURITY” IS BROKEN.

A Notice to Readers

I am not a disgruntled novice that can’t get a job in the industry. I have been working in my position for eight years and I am highly satisfied. I have the highest respect for the men and women in the cybersecurity industry, and for all those who aspire to become a part of it in the future. My focus in this article is the system itself, not individuals, and the authorities in the system who intentionally ignore the real reasons for this talent shortage.

Although there are too many reasons to discuss in one article, I will focus on three I believe to be the most egregious and, as it happens, the easiest to fix. They are:

1. Hiring Authorities with Unrealistic Expectations
2. Outsourced Recruiters with Protectionist Mindsets
3. A Contracting Culture that Disincentivizes Loyalty

Hiring Authorities with Unrealistic Expectations

I am using the vague term authorities and not managers because I realize that in many situations, managers do not make policy decisions and are not always responsible for direct hiring. In some cases, they only receive personnel hired for their units. I am drawing attention to the process, not the individuals who operate within it. With that in mind, I suggest the authorities consider the following realities.

1. Don’t expect entry-level employees to have experience. An entry-level candidate is just that: entering the workforce for the first time. Requiring experience makes as much sense as requiring a student to graduate fourth grade to be qualified to enter third grade.

2. Don’t expect entry-level employees to have certifications. Most university students live off difference checks from Pell Grants, and recent graduates are saddled with a significant debt they will be paying off for the next 30 years. Those who pay their own way frequently sacrifice creature comforts you take for granted just to pay their tuition. If you believe either of these groups have the discretionary income to pursue expensive certifications – sometimes $3,000 to $10,000 – you are probably so removed from the working class that you pay others to buy your groceries.

3. Don’t require a bachelor’s degree when an associates degree will suffice. The candidate doesn’t need a BS in Computer Science to answer phones or work a help desk. There will be plenty of time for entry-level employees to pursue higher education once they get established and stable. Requiring advanced degrees for tasks currently being performed by unpaid interns (with no degree) is unfair to the candidate and demonstrates a lack of understanding by the authorities of the skills truly required for the position.

4. It’s YOUR job to train entry-level employees. As a hiring authority, realize that you are the first experience the candidate is receiving in a professional environment. Also realize that your company is the first impression the employee is receiving of the cybersecurity industry. A “sink or swim” mentality with no training or support cause great candidates to fail and may also lead to them leaving the profession altogether.

Outsourced Recruiters with Protectionist Mindsets

We live in a global society in which outsourcing is the new normal. Outsourcing organizational functions is fine and makes sense financially. The issue is not recruiting agencies, nor is it outsourcing. It is the protectionist mindset demonstrated by many of these organizations that I have personally witnessed that is the issue at hand. With that in mind, I suggest the authorities consider the following realities.

1. Work with a trusted recruiting partner. The reason many recruiters have protectionist mindsets is to prevent the client (hiring authority) from circumventing their company to acquire candidates. While the hiring authority is trying to minimize costs and the recruiting company is trying to maximize profits, the candidate is caught in the crossfire and tends to be the only casualty in the battle.

2. Stop anonymizing candidate employment packets. To prevent hiring authorities from poaching potential candidates, many recruiting companies “anonymize” the candidate’s packet. Nothing that could potentially reveal the candidate’s identity is put forward to the hiring authority. Think about that for a moment. In many cases, a candidate’s greatest accomplishments – such as books, white papers, and peer review journal articles – are omitted. What is left is education, experience, and peripheral information.

TRUE STORY: About a decade ago I worked with a recruiter that approached me about a CISO position in Delaware. When I saw the finished packet he was submitting to the company, and despite everything I had provided to demonstrate my competencies, it had been so redacted it resembled a declassified CIA memo on the Roswell UFO files. That is absurd on every level.

A Contracting Culture that Disincentivizes Loyalty

Contractors serve a viable need for many organizations, and they make sense. However, the shift from hiring employees to contractors exclusively is doing more damage than good. I realize there are seasoned professionals in cybersecurity that prefer to stay on the move with contracted assignments, but entry-level candidates do not fall into that exception. If your organization relies prominently on contractors for its cybersecurity needs, I suggest you consider the following realities.

1. Don’t use contractors to mask poor hiring decisions. Hiring authorities would not have to rely on a “try before you buy” mentality if they vetted their candidates properly and didn’t relegate contact with the entry-level candidate to recruiting agencies. If a candidate is qualified to work as a contractor they are most likely qualified to be an employee.

2. Exempt entry-level personnel from contracting policies. Do you really expect an entry-level candidate to accept a 6-month contract in another state, incur the costs to relocate, manage the expenses of two households, all while waiting for the first paycheck to be delivered? Do you expect these candidates to possess the financial resources to relocate on their own to take a position? Were you, the hiring authority, able to do that the first time YOU were offered your first real job? I doubt it.

3. Make the Eighth Amendment required reading for hiring staff. The VIII Amendment to the US Constitution prohibits, among other things, “cruel and unusual punishment.” Subjecting an entry-level employee to the offer of a great position that pays well – knowing full well they don’t have the resources to accept the position – is demoralizing, emotionally painful, and psychologically damaging.

In legal parlance, “cruel and unusual punishment is a phrase in common law describing punishment that is considered unacceptable due to the suffering, pain, or humiliation it inflicts on the person subjected to the sanction.” If you don’t believe that definition fits the circumstances described above, add books on the topic of Emotional Intelligence to your Amazon Wish List for the holidays. You need them.

These Issues can be Fixed

I tell my employees that if they come to me with a gripe followed by no constructive suggestion, they are part of the problem and not the solution. I cannot lay out a case against entry-level hiring practices in the cybersecurity industry without suggesting a few easy fixes. The two that come to mind immediately are communication and trust.

1. Accurately communicate hiring needs and expectations. Hiring authorities must receive accurate information from their unit managers, and then pass that to the recruiting agencies using effective communication methods. The recruiting agencies can then – without using canned bullet points they themselves do not understand – communicate effectively with the candidates. Effective communication is that simple, and it is also that complex. Regardless, it needs to start somewhere, and it needs to start now.

2. Authorities must trust their hiring decisions. If an appropriate vetting system is in place, all the required due diligence can be performed to make outstanding hiring decisions. Good decisions then lead to good employees who, when provided with a nurturing and supportive environment, can evolve to realize their fullest potential. Your next entry-level employee can rise through the ranks to become a future CIO. For this to happen, hiring authorities must trust their process and their employees. At the end of the day, it’s people who become long-term employees, not numbers on a profit and loss spreadsheet.

In Closing

I don’t throw rocks then hide behind trees. I don’t attack individuals when systems create the problems. I am not a laser beam “zapping targets” at will. I am a mirror simply reflecting the realities I see cast into my existence. If you don’t like the reflection in the mirror, don’t break the mirror – fix the source of the reflection.

Although comments are disabled in this blog for security purposes, I would like to hear your thoughts wherever this blog appeared in LinkedIn. I will respond to every comment and defend every word I write. We are professionals in the cybersecurity space and our entry-level hiring system has a problem.

I’m looking forward to hearing how it can be addressed to solve this “talent shortage” issue.

Michael I. Kaplan is the Director of Phase2 Advantage, a cybersecurity training and instructional design company based in Savannah, Georgia. He is also the Chairman of the Cyber Security Advisory Committee at Savannah Technical College. The publishing division of Phase2 Advantage creates cybersecurity textbooks and workbooks listed on Amazon, Ingram's VitalSource platform, and all major booksellers.

Michael's technical areas of specialization are Incident Response, Business Continuity / Disaster Response Planning, Information Security Management, and Digital / Network Forensics.

Feel free to contact Michael at michael.kaplan@phase2advantage.com.