There’s a lot of concern in our industry about the grave talent shortage. We need a lot of new people coming into the profession, and we also need to diversify the pool.

Yet while there are many initiatives to attract people who are eager to get into the business, there’s a missing piece: Translating the enthusiasm and willingness of would-be new hires into tangible jobs.

The problem starts on the ground floor, with the canned job descriptions that companies continue to use. Everyone is looking for three to four years of experience, but an entry-level person will never have that. At best, maybe an internship or something along those lines. And people who are looking to retrain and retool into cybersecurity will have little to nothing. 

So what happens is that these enthusiastic, talented people get sucked into a vacuum.

We have to break that cycle, devise programs that truly get them in the door, and stop being part of the problem. We can’t expect to solve the problem by setting unreasonable or impractical bars for entry.

If we don’t do something about this on a macro level soon, we’re going to have a compound issue on our hands, because attrition and burnout are only going to exacerbate the current talent shortage.

I propose that we start putting companies’ feet to the fire by challenging them to make good on their promises to create a pipeline for new talent.

Such companies should be asked to produce figures to show how many people they actually bring in with little to no experience. Not necessarily to name and shame them – though that approach sometimes works, I regret to say.

But perhaps more important, we need that data to know whether the training candidates receive before they apply for jobs is adequate. We need feedback to know whether programs like Cyversity, which I am proudly part of, are hitting all the marks or whether they need to recalibrate. We want to ensure that our training is offering the skillsets that the market needs.

This drive can’t end, though, with getting people through the door. Once they’re in, companies need to offer a path to success, by nurturing and training entry-level talent.

You can’t hire someone out of college and expect them to run with the ball with no training – or to pay for outside courses themselves. Some of these courses cost thousands of dollars. If you’re expecting someone of modest means to fork out that kind of money for continuing education, it’s not going to happen.

We need buy-in from the organizations that are looking for this talent, and we need them to understand that they are investing in themselves by taking it on. When you bring in people from diverse backgrounds, you gain a broader vision of how to understand your adversary and protect against them. You start building a more resilient workforce that isn’t following a herd mentality.

We also have to help new entrants network, because developing relationships is very important in our industry.

Offering a way forward will also help to ensure that young professionals don’t abandon the field because they don’t get the support they need to grow.

And this brings us full circle: In order for young talent to grow, you need to bring in more entry-level applicants to replace them so they won’t be marooned in jobs that offer them no future. They’ll either jump to another company, or quit the field entirely, so we need to build a sustainable pipeline.

Some companies have opened up summer internships at the college level, with the promise of a job after college if all goes well. But only a minute percentage of people get jobs that way.

Cybersecurity associations need to create pressure, some kind of movement to make this happen and hold companies to their pledges to nurture new talent. Groups need to share information on placement. This needs to be something that we do as a group. We need a clear mission statement on how it benefits companies to take on this challenge. Otherwise we’re going to be here next year talking about the same thing.

We need to break the cycle.