More cybersecurity training and better hiring practices could help narrow the talent gap, CISO says

By Sydney Lake, January 06, 2023, 1:29 PM
Olivia Rose, virtual chief information security officer and owner of Rose CISO Group (Courtesy Olivia Rose)

The rising number of cybersecurity attacks and growing fissure in cybersecurity hiring continue to be focal points in the industry. While some cybersecurity experts and hiring managers argue that there are many ways to break into the growing industry, a host of challenges remain for entry-level workers.

Even with more than 700,000 unfilled cybersecurity positions in the U.S., and 3.5 million in the world, according to Cybersecurity Ventures, many workers fighting to get a job in the industry aren’t landing the entry-level positions that so desperately need to be filled. 

“Mostly, hiring managers are not willing to take on training these young people because there’s not enough time” to train them, Olivia Rose, virtual chief information security officer and owner of Rose CISO Group, tells Fortune. “They go for the ones with more experience.” A virtual CISO is an outsourced C-suite level resource for companies that need oversight for their cybersecurity practices.

In late 2022, Rose wrote about how the training shortage in cybersecurity and lack of opportunities for entry-level workers are causing issues in the industry.

Rose also works with Cyversity, an organization that works to achieve minority representation in the cybersecurity industry through programming, education, and mentorship. She’s been in the industry for more than 20 years and, at Cyversity, developed a cybersecurity mentorship program that includes sessions with Fortune 500 CISOs, career programming about resume writing, interviewing, and networking, as well as affinity groups for cybersecurity workers identifying with minority groups. 

Fortune sat down with Rose to find out why the cybersecurity talent gap is a persistent issue and what companies can do to develop stronger hiring practices.

The cybersecurity talent gap

Fortune: Is the talent gap cybersecurity’s biggest problem?

Rose: It’s this interesting conundrum we’re in right now, and it’s going to be devastating to our nation’s infrastructure. Hiring budgets tend to be very tight for security groups in general, and skills are needed right away. The biggest hiring need, and what the vast majority of hiring managers go for, are the people who have had three-to-five years’ experience already. These would be senior-engineer level. However, there’s not that many of that bracket, so what’s happening is that any hiring managers will tell you—we all steal from each other.

We all offer more money, more benefits, better working conditions to this elite group to bring them over to our place. Leadership is fairly well staffed because people have just gone up the ladder or they’ve moved from other industries into cybersecurity management. 

However, we have this lower tier of zero-to-three years experience where we have uncountable numbers of young people and people changing careers who are trying to get their first job and their foot in the door. The issue is that nobody is hiring them. Everybody wants people with experience because of the budget issues and needing someone with the skills to jump right in. Mostly, hiring managers are not willing to take on training these young people because there’s not enough time. They go for the ones with more experience. 

How does this affect workers trying to break into the cybersecurity industry?

The group that has been impacted the most out of all of these young people are the diverse and underrepresented communities. They often are starting behind the rest of these newbies because they lack the network or they lack the support, or they didn’t go to a four-year, formal college. The other thing is that HR teams have this very old-fashioned view of security where they ask for a four-year, formal degree in computer science or cybersecurity, which not everyone gets to do. 

These hiring managers are requiring a four-year degree when literally just a certificate in cybersecurity would be fine—more than enough. A one-year cybersecurity certificate could even be online if they do labs, tests, and so on. Equal year’s experience would be just as fine. 

What’s happened here is that we have a whole tier of hundreds of thousands of people, possibly millions of people, who are trying to get into the industry, but only a small percentage of that are actually getting into the industry. 

How to get hired as an entry-level cybersecurity worker

If cybersecurity candidates don’t have formal education or work experience, then what can employers evaluate when hiring?

They can look for tenacity and drive. I see this especially with underrepresented minorities with my mentoring program. They are dedicated to succeed, and many of them are going to get their first degree or first certification, which is typically the Security+ that’s kind of the entry-level cert. They’re studying. They’re working on weekends on it. They’re going to do it themselves. 

There are also people that go the extra step by reaching out and volunteering and going to staffing events. Anybody can learn security. You have to have that tenacity and that drive and that excitement, which a lot of these young people do, but nobody’s giving them a chance.

What’s your message to hiring managers about cybersecurity talent?

I understand the budget constraints. I understand the time constraints. I’ve been there many times. Something I did at my last company was to bring on three interns for six months. You pay them a little bit and you assign someone to be their buddy, so they’re not completely lost. You try the best you can to support them. That is a great way of then being able to hire somebody that may not necessarily have more than that six-month experience, but you know them. They’re tenacious and dedicated and smart, and they’re willing to do anything.

You can bring that person on full-time. And that’s actually what I did. I hired one of them. I connected to another CISO, and she got hired by him. And then the third one I acted as a reference for, and she found a job somewhere else. It just takes time. It doesn’t cost a lot; it’s just time. Everyone can find 30 minutes in their day to help out these young people who need a little help.

It goes a long way. These three women, for example, I hear from them all the time. It’s just the right thing to do to change people’s lives like that. 
