ARGUMENT: Cyber-talent retentionDid the Cybersecurity Workforce Gap Distract Us from the Leak?

Published 15 July 2021

There are 500,000 unfilled cybersecurity positions in the United States, and the number is growing. The government and private companies have been investing a lot of money and effort in training and recruiting young cybertalent through college programs, school partnerships, and by adjusting pay and benefit packages, but many have missed a significant leak in cyber workforce funnel: the rapid burnout and churn. In fact, the cyber workforce gap is in experienced roles, not junior levels. To fill the cyber workforce gap, we need to find ways to retain experienced cybersecurity talent.

U.S. organizations have invested a lot of money and effort to recruit new cybertalent, pursuing early-career cyber professional through college programs, school partnerships, or by adjusting salary and benefits packages.

Jessica Gulick, Commissioner of the U.S. Cyber and CEO of Katzcy, writes in Dark Reading that, still, “we must address the 500,000 unfilled positions as nearly two-thirds of cyber pros report staff shortages at their own organizations.”

But, she asks, while investing in filling the gap, “have we missed a significant leak in our current workforce funnel?”

Our cyber community has fixated on the workforce gap at the top of the funnel for over a decade — and clearly the deficit is apt to continue as our digital lives expand. But there is another story lost in the shadow of this looming problem: There are several leaks and missing development paths in our workforce funnel.

Gulick writes that the large workforce gap is hiding cybersecurity’s industry-wide problem of employee retention, development, and engagement. “The sizable workforce gap is hiding cybersecurity’s industrywide problem of employee retention, development, and engagement.”

The fact is, “The constant need for fresh talent isn’t just due to the growing space we’re in; in fact, the gap is in experienced roles, not junior levels. Our colleagues are leaving their jobs in droves.”

Cybersecurity jobs are inherently stressful, and Gulick writes that the high-pressure environment in SOCs and the unrelenting workload have caused burn-out and fatigue – leading to an average tenure of a cybersecurity analyst in an organization to be about two years only.

Another reason for the short tenure is the fact that there are limited promotion and development opportunities.

And the young professionals feel under-developed because “continuous cyber-training is lacking, in part, because there seems to be no time to learn while chronically fighting the next conflagration.”

NIST researchers noticed that fact, too, writing in a recent whitepaper:”The current and projected workforce needs must be met not only by training more cybersecurity personnel, but also by raising the bar on their skills, aptitude and ability to collaborate. Cybersecurity competitions can play a critical role in this mandate.”

Gulick concludes:

Cyber games as a development tool are even more critical than ever before….

Cyber competitions are a game in which we all win. By addressing our industrywide problem of employee retention and engagement through training games that develop our employees, minimizing burnout and churn, we can start to make inroads on the all-too-real cybersecurity workforce gap.