The cyber threats in our world are constantly evolving. As a re­sult, it is only anticipated that the skill requirements of cyber­security specialists evolve accordingly. According to a survey, in 2017, 55% of enterprises surveyed required three months or more to fill vacancies in cybersecurity positions and 37% reported that less than 1 in 4 candidates possessed the quali­fications required. It is moot to say that building and maintaining a capable cybersecurity team today is a tremendous challenge.

A report from Frost & Sullivan and (ISC)2discovered that the global cy­bersecurity workforce will have more than 1.5 million vacancies by the year 2020. At the same time, the cybersecurity industry is a fast-growing market, with IDC forecasting it growing to a $101 billion opportunity by 2020. So, we must ask ourselves, how do we reconcile this talent shortage? The answer may lie in upskilling.

The foremost advantage of upskilling is that it can be adjusted to suit the most relevant skills an organization requires or prefers. Added to that is the sense of gratitude or loyalty that the trained individuals harbor towards the organization. The organization is thus seen to be earnestly thinking and working towards the employees’ career growth. The intuitive conclusion that follows is that employees see them­selves as a true asset to the organiza­tion. However, there is a flipside to upskilling employees as perceived by an organization.

Upskilling as a Prisoner’s Dilemma

The challenge in upskilling existing employees is that organizations risk sinking investment into a resource that can soon leave or be lured away to a more lucrative opportu­nity. As a result, organizations are hopeful that individual employees will nurture their skills without ac­tually making investments directly towards their development. A solu­tion that some organizations have found to this dilemma is the golden handcuff method. For instance, a law firm may pay the university fees for an employee to get a law degree with the stipulation that the clerk remains with the law firm for speci­fied number of years after gradua­tion. This can be a potential route to maintain technical staff and close the skills gap we see in digital and security disciplines.

The impending deficit of cy­bersecurity professionals combined with high attrition rates can render organizations unable to acquire and retain the requisite expertise to re­spond to a constantly evolving threat environment. The growing risks presented by cyber-attacks translate into the fact that organizations must find a solution to the cyber se­curity skills gap. Upskilling is a viable option, but an option that has to be weighed against the po­tential loss of the most developed employees.

Considerations surrounding Cy­ber-security upskilling

The inclination of IT profession­als to move into IT security pre­sents a great opportunity for or­ganizations to upskill existing IT staff. This would help lessen the burden on organizations in terms of the number of new IT secu­rity experts they need to recruit. If organizations are amenable to putting employees with an inter­est in IT security through certifi­cations such as CISSP (Certified Information Systems Security Professional) and CISM (Certi­fied Information Security Man­ager), both the organizations and the employees will be better equipped for the future.

So, how does an organization optimize the practice of upskill­ing for its IT security employees?

Firstly, an organization ought to re-examine its workforce strat­egy. Does it know what skills it requires in the foreseeable future to operate a successful security program? Organizations must realize that skills and experience can come from a variety of sourc­es, and adjust their hiring strat­egy accordingly.

Secondly, organizations need to improve their outreach and engagement. Organizations must think beyond the usual career fairs and recruitment plans of the past. There is a pressing need to develop other educational pro­grams and to start building a firm recruiting base. It is impera­tive to build a local cybersecurity ecosystem by connecting with government organizations, edu­cational institutions, and other concerned groups.

Thirdly, it is important for organizations to have a robust support program for employees. Mentorships, rotational assign­ments and other such opportuni­ties help cybersecurity employees gain experience and learn. Or­ganizations now need to keep employees involved by granting them the creative freedom to work on different projects and discover new technologies and services.

Finally, there needs to be an emphasis on continuous learning and upskilling. Numerous on­line courses on cybersecurity are available today and organizations should leverage them to upskill employees in a flexible and cost-efficient manner. A field as dynamic as cyberse­curity requires constant education and exploration. Organizations ought to also be open to employees from other areas of their business who express interest in cy­bersecurity career paths.

There is an indication these days that the industry is responding to the shortage of skilled cyber security professionals by upskilling existing staff. It is also encour­aging to see the number of IT profession­als who wish to transfer into cybersecuri­ty, which could help bridge the skills gap. In order to be prepared for the anticipated increase in security breaches, organiza­tions need to vigorously upskill existing employees, and also educate all other staff in the organization as to the importance of security.