Cyber Talent: Exploring the Ongoing Shortage & Great Resignation

Businesses continue to grapple with shortages of available cybersecurity talent to fill much-needed positions on their teams, and now, a wave of departures resulting from ‘The Great Resignation’ is hitting organizations even harder. While the overall cybersecurity workforce has increased to 4.19 million, it still needs to grow globally by 65% to meet demands.

The impacts of sustained talent shortages have placed short-staffed security teams under heightened pressure, not to mention other compounding challenges such as:

• Expanded attack surfaces and broadened threat landscapes as a result of the increased remote work force
• Abundant ransomware campaigns in 2021, creating a heightened sense of urgency for cybersecurity defenders.

Many experts are shouting for change to address the talent shortage gap. As a result, organizations are pivoting from old hiring habits, broadening investments beyond technology alone, and embracing remote work as an opportunity versus a threat.

Talent Shortages in a High-Demand Industry

Robust cybersecurity programs, encompassing both technology and highly trained staff, have long been a necessity in the global economy, but the demand for talent is on the rise as businesses of all sizes, industries, and across geographies find themselves defending against ubiquitous cyber threats and attackers. In a competitive market, acquiring and retaining experienced talent with the right types of security expertise is increasingly challenging.

A recent SANS survey found that 62% of organizations have trouble staffing cybersecurity positions and 57% struggle with cybersecurity complexity to fill roles. For organizations looking to build internal cybersecurity programs, this can be particularly troublesome. Shortages of talent can lead to systems misconfigurations, improper risk assessment and management, slow patching processes, and ultimately business-impacting data breaches.

We believe there are three common factors contributing to this situation, plus there’s a new curve ball that further complicates matters:

• Organizations of all sizes are battling for the same cyber skillsets. High demand and short supply mean that larger enterprises and well-known brands often have the upper hand in attracting the best talent, while midmarket and SMB organizations fall short.
• Limited supply of security personnel with expertise in attack surface protection. Attack surface identification, interpretation and validation of findings, and remediation of high-risk issues are specialized skills that are developed over time.
• Midmarket organizations often face the same regulatory compliance mandates as enterprises but with limited budget to support them.
• ‘The Great Resignation’ is forcing both security leaders and executive leadership to rethink how they can attract and retain talent by offering compelling career paths and professional development opportunities — in addition to competitive pay.

The last item represents a challenge to some organizations, but a huge opportunity for others who are forward thinking and agile – opening the door for them to finally attract the talent they need and to overcome some of the traditional obstacles they’ve faced for many years.

The Great Resignation

Skilled security practitioners are already highly desired, and ‘The Great Resignation’ movement is becoming a significant concern for companies trying to retain specialized security skills and talent. Burnout is real for the front-line practitioners who oftentimes face unabating workloads on understaffed teams – feeling like there’s no end in sight to protecting against the onslaught of attacks.

While stress has impacted retention rates, so has today’s competitive job market, especially as enterprise organizations continually increase base salaries and benefits to entice experienced candidates to consider new opportunities. Retention may also be challenging for companies who don’t offer remote or hybrid work situations, particularly after the major shift to remote work during the COVID-19 pandemic. (ISC) ² recently found that only 15% of the global cybersecurity workforce was interested in a return to the office.

Staffing shortages are compounded by very high barriers of entry into the industry, as well. As cybersecurity professionals resign from their jobs or decide to make a career shift, there is a limited number of people who qualify to fill their positions. Cybersecurity is notorious for being a difficult industry to break into with truly ‘entry-level’ positions being few and far between. Often, they require certain levels of education and/or experience that are hard to come by.

Adding to the dilemma, the Great Resignation represents not only a loss of people, but also a potential loss of data – as insider threats remain the No. 1 cause of data breaches. As employees resign, they may, intentionally or accidentally, take internal data, sensitive information, or intellectual property with them to new jobs, causing damage to businesses. Employees may also inadvertently expose vulnerabilities during the resignation process due to decreased security vigilance while exiting, coupled with a de-centralized workforce and increased use of personal devices.

Despite all the downsides, there is a silver lining… the Great Resignation presents an interesting opportunity for cybersecurity at large. It offers a chance to recruit talented people who are leaving other industries to join the cybersecurity mission.

We agree with other security leaders who’ve noted the Great Resignation has the potential to be a "net importer" with the opportunity to “steal” great technology talent from other markets.

Recruiting & Retention at Bishop Fox

Here at Bishop Fox, recruitment and retention efforts are centered around delivering on our values, investing in people, and providing our Foxes the opportunity to have an impactful career. We see retention through the lens of doing rewarding work, embracing innovation, mentoring by senior leadership, and working with diverse clientele that is unmatched. While it is unusual for security employees to stay at one company for a full career, we aim to give Foxes opportunities to make them the best practitioners and leaders for wherever their career path takes them – and we are delighted that many decide to continue to grow with us and to pursue long-term careers at Bishop Fox.

The Changing of Tides

When the COVID-19 pandemic abruptly changed life as we knew it, our leadership quickly pivoted to reimagine how our culture could thrive in this unforeseen time to keep Foxes connected and ensure they felt valued.

At the onset of the pandemic in early 2020, we hosted a successful Virtual Olympics for Foxes, in which 80% of the company competed in video games, trivia, bingo, virtual poker, and Pictionary to name a few, and several winners were awarded medals! It was a great way to welcome new Foxes and stay entertained during lockdowns.

As the pandemic dragged into 2021, our leadership continued adjusting to the circumstances we all found ourselves in, focusing on wellness challenges to take care of our mental and physical health. Experts participated in virtual visits, and we had light-hearted, weekly competitions that focused on various aspects of personal wellness.

We also established employee-led groups, which are centered around interests and hobbies that we enjoy, when we are not working to outfox attackers and focusing on all-things offensive cybersecurity. This was a fantastic way to stay connected during the pandemic and meet Foxes who we might not otherwise cross paths with due to job function or geography. These groups continue to thrive and connect us all globally, even as the world starts to reopen.

All these initiatives are intended to create an environment where all Foxes feel valued as team members, no matter their role in the company, with the flexibility to lead a balanced life in a high demand and sometimes stressful industry. We’ve found this is a winning recipe for not only retention, but also job satisfaction – and it helps downstream with recruiting and internal referrals!

Investing in Our Foxes & Beyond

As an offensive security leader, we believe it is imperative that we never stop learning and that we share our knowledge with the broader cybersecurity community, when possible, to make the world a safer place. We strive to empower and educate our Foxes to ensure we are not only furthering our expertise on behalf of our clients, but also for their own career advancement. And, by sharing freely, we can also be a watering hole for other security practitioners globally – and hopefully encourage some new people to join their ranks as we collectively fight the talent gap.

We encourage Foxes to contribute to our shared mission in a variety of ways:

• Development of responsible disclosures via public bulletins and advisories that highlight vulnerabilities with assessed risk ratings and a breakdown of our team’s exploitation process
• Uncovering real-time insights to aid in response to threats like Log4j, LEXSS, and JSON interoperability vulnerabilities
• Dedicated work hours to create hacking tools and techniques via Bishop Fox Labs that are made available to the public via our GitHub
• Career development in action through our newly launched Bishop Fox Academy, an internal program (with +150 courses in an online, training platform) to build, strengthen, and expand the skillsets of our security consultants, while also providing long-term, career-path planning
• Participating in continuing education with monthly Tool Talk webcasts and technical blogs designed to help security practitioners learn new hacking techniques and expand their skillset
• Cultivating a community via dedicated internal Microsoft Teams channels, as well as publicly facing Discord and Reddit platforms where security practitioners can connect

Training the Next Generation of Cyber Talent

In 2021, we doubled down on our commitment to closing the global cybersecurity talent shortage by establishing a university partnership program that is focused on training the next generation of security practitioners. Thus far, we have a university partnership with CUCEI at the University of Guadalajara, to establish an offensive security diploma program.

Additionally, we established agreements with ITESO and UANL to open internship programs. In January 2022, we recruited 8 interns, some from ITESO and UANL, as well as other universities in Mexico, that serve on our Cosmos and consulting teams. In 2022, we plan to continue expanding in Mexico by participating in several conferences to recruit and educate talent.

The Way Forward

Staffing challenges coupled with impacts of ‘The Great Resignation’ movement have created an unprecedented time in cybersecurity. Investing in technology innovation, as well as the development of people’s careers, is a huge step in the right direction for the future of cybersecurity and protecting businesses and data worldwide.

For information on how you can join the Fox Den or learn more about cybersecurity programs and certifications, we recommend checking out these resources:

• Career Opportunities
• Internships at Bishop Fox
• Security & Tech Books We Recommend
• How to Become a Pen Tester Resource Guide
• Security Certifications: Choose Your Own Adventure