Bridging the skill gap in cybersecurity — Hire Generalists, Create Specialists!

not your CISO
Jan 20, 2023

I have seen a lot of posts about the skill gap, unrealistic hiring expectations and the number of job openings in the cybersecurity industry on various social media platforms. Some folks have been actively speaking out against the gatekeeping in this industry. I appreciate their efforts and urge them to keep up the work they have been doing. These campaigns have been going on for years. It is difficult to call out every unrealistic job posting. But we, collectively as cybersecurity professionals, can improve the way we hire and train our teams.

The Problem: Not enough skilled workers

Let’s break the problem down into two simple categories:

  • Not enough skilled professionals at the entry-level
  • Not enough skilled professionals with experience

For entry-level roles, we have to set our expectations with this thought in mind: “They are just starting.” If they are just starting, they will not know everything, and they will not have specialised skills. Expect them to have knowledge that is a mile wide and an inch deep, i.e. the foundations of cybersecurity, rather than specialised skills.

If you are not able to find skilled people with experience, it means the foundation is weak: they were either not properly trained at the start, or they did not keep up with security trends as they went.

Either way, having a strong foundation is critical.

Solution: Strengthen the Foundation

The simple rule is “Hire Generalists, Create Specialists.”

Don’t seek specialists at the entry level. Hire generalists. Give them time to do the work, let them find their niche, and then train them in the skills you want to build in that niche.

How would it solve the problem?

The question is all about supply and demand. The industry needs professionals across many domains of security, but at the entry level, candidates lean heavily towards offensive or defensive security, and especially towards ethical hacking and pen-testing. This is generally because of a lack of awareness of the other domains, and because ethical hacking sounds a bit fancy. But a supply of people with expertise in just one domain cannot bridge the skill gap across all the domains.

Another benefit of hiring generalists is that we will always have someone who can step into a role whenever an employee moves on. For example, if we hire two generalists, one who works in pen-testing and another in governance, and for some reason the one working in governance has to move on, we can ask the pen-tester to take on the added responsibility until we find a replacement. This not only gives them experience in a different domain, but also gives us confidence that they already have the fundamental knowledge required to do the job.

PS: It is still a developing idea, and it might seem that the arguments for the proposed solution are not convincing enough. But my thought process was to let it out into the world and let discussions happen. Hopefully, someday, we will be able to bridge the skill gap. Please feel free to let me know your opinions in the response section.
