Ahmeed Ahmeed, Cyber and Information Security Director, Inteva Products
For over twenty years, there hasn’t been a moment where cybersecurity talent supply has met the demand. In 2019, the International Information System Security Certification Consortium (ISC2) published a study showing that US organizations had over 800,000 open positions in cybersecurity, while applicants in the market were less than a third of that. By 2023, that gap ballooned to over five million, breaking yet another yearly record.
But this gap trend is only part of the story. Almost every organization is facing more cybersecurity requirements and threats. Those new threats and requirements necessitate additional funding, new tools, and, of course, additional resources. Cybersecurity researchers report spending increases in the billions of dollars; some projected 2025 spending to be over four hundred billion dollars. This means cybersecurity leaders must find more resources to recruit in a low-supply market.
To Grow or to Buy
In the talent acquisition landscape, the dichotomy is whether to “buy” talent by paying top dollar or “grow” cybersecurity skills from a pool of aspiring entry-level candidates or by mobilizing talent from other areas into cybersecurity. Growing talent takes a lot of time and effort. The learning curve is steep and long, with a chance of failure; the breakeven period can be a year long, and it takes more time until the resources are at their full potential. However, growing usually provides resources from different disciplines and IT backgrounds. Those can be of extreme value to the team, especially regarding cybersecurity engineering and configuration management. In contrast, “buying” resources is easy and fast, but they do come with a high cost, and they may lead to cohesive thinking with less diversity of ideas within the team.
Selecting your Seeds
The common candidate selection and interview process is tedious and usually ineffective. A typical candidate selection process in the U.S. starts with a human resources analyst fishing for keywords in a pool of filtered candidates and selecting the candidate with the highest word match. This already inadvertently filters out better candidates who could have used different synonyms. This pool is then promoted to the hiring manager’s attention. On average, hiring managers spend seven to fifteen seconds scanning a resume. Years of experience are summarized in those seconds, and the result is filtering out more candidates.
Regarding growing talent, a hiring manager’s candidate requirements must change drastically from experience and knowledge to aptitude and work ethic. The criteria should be open to people with less or no direct experience and generalized to look for accomplishments instead. Instead of four years of experience, managers should settle for a preference of two years. Instead of a bachelor’s degree in cybersecurity or a cybersecurity certificate, managers can look for a degree in Information Technology or Software Engineering.
Instead of experience, the interview process must assess aptitude and work ethic. Interviews should delve into problem-solving abilities and critical thinking skills tailored to each candidate's unique background and potential. I recall spending time on candidates' resumes only to figure out how I could challenge them in the areas they worked in. It is not an easy task if the manager doesn’t have experience in the candidate’s areas, but a colleague with similar experience can be a great help in gauging a candidate’s aptitude. When there is not enough material to cover, I do include critical thinking questions that are mostly scenario-based to see what the candidate would do in situations we have experienced in real life. I often say, “There is no right or wrong here; I just want to know how you would approach this problem.”
Growing your Seeds
After the hiring process, training becomes paramount. First, basic cybersecurity training should occur immediately if the candidate has no cybersecurity experience. At this stage, simple video streaming training providers can provide much value. In parallel, team training must take place. These need to be ongoing every week, tapering from 8 hours a week in the beginning down to 2 hours after a few months. If the existing team is already large, this would spread the load among team members. The candidate’s workload must be valued weekly to ensure that the knowledge acquired is solidified by practice and confidence is steadily gained and stacked.
Growing Environment
Creating an environment conducive to talent growth requires organizational readiness. First, standardized processes and comprehensive documentation streamline operations, striking a delicate balance between clarity and practicality.
Second, a balance between individual and collective experience must be achieved. Each team member should be able to use all of the team’s tools, but each member should be a custodian or a subject matter expert in at least one of them. This balance ensures that team members are generally uniformly effective but remain uniquely valuable. This approach fosters a culture of knowledge-sharing and accountability and empowers team members to contribute meaningfully to cybersecurity initiatives.
Training the team by the team itself sounds like a taxing mission, but other team members pass on what they have experienced firsthand after the first generation of core members is established.
Finally, automation can significantly shorten the time it takes for a new resource to be effective. A drop-down response list in a Security Information and Event Management (SIEM) system for a specific threat is much easier to remember than a list of steps to take and conditions to assess when that threat occurs.
In summary, cultivating resources from seeds demands significant time, effort, and the establishment of a conducive environment. However, the long-term benefits are substantial: it fosters cohesive and resilient teams with reduced turnover. Moreover, this approach ensures a sustainable budget for CISOs and security leaders, enabling them to strategically expand cybersecurity operations and engineering where it matters most in this ever-changing landscape.