Three critical steps to close the cybersecurity talent gap, once and for all

The cybersecurity talent gap is one of the most pressing challenges we face, not only as technology leaders, but as leaders in business and our communities. There’s a shortage of 4 million professionals as we speak — a gap that’s only growing larger year-on-year as the threat environment grows more complex.

Cybersecurity has become the backbone for modern businesses, and a failure to confront the talent gap will have long-term consequences. Moreover, we must act across industries and sectors to achieve the necessary gains. Implementing strategic AI to expand technical capacity and capabilities, automate and optimize workflows and gather and distribute information will be absolutely essential to this process. There are three key, universally applicable areas organizations can focus on to develop and nurture talent in any sector:

1. Rethink attracting and recruiting talent;
2. Enhance cyber security education;
3. Improve cyber security retention practices.

Rethinking recruitment

Cybersecurity pays well and offers meaningful opportunities for development. While we should continue to highlight this fact, pay and career trajectory are not the primary obstacles to recruitment. A lack of awareness about the actual job functions of cyber professionals, as well as how to break into the field altogether, discourage bright people from pursuing these opportunities. Removing these obstacles should be priority number one.

A key group to focus on will be women — the largest untapped pool of potential cyber talent in the industry. Despite recent progress, cybersecurity roles lag behind the broader technology industry when it comes to gender parity. Much of this can be attributed to our existing pipelines, which are overwhelmingly male. While these routes generate wonderfully talented individuals, we can also, in effect, double our recruitment pool with some economical investments in organizations that make cybersecurity accessible to people from non-traditional backgrounds.

This approach must, of course, be combined with broader improvements to attract cyber talent in a role that will continue to be competitive. Organizations must be flexible with technology and skill requirements in a way that reflects the changing threat landscape. There should be robust internal development available to employees. Last but not least, the corporate brand and reputation should reflect organizational values and commitment to cybersecurity excellence.

Education overhaul

At the end of the day, the talent gap is a pipeline problem, and the pipeline starts before professional recruitment or even secondary education. Regardless of when students encounter cyber education — whether that’s at the primary or secondary level, or in the course of a professional career — there is a lack of cohesive and up-to-date curricula.

Industry should partner with the public sector to integrate practical cybersecurity education into primary education. This is also simply good practice: Students must learn things like proper email and password security, how to identify phishing attempts, and how to escalate attempted breaches to navigate the world they’ll graduate into. In the office today, organizations should leverage security tools that have AI built in to be more conversational and enable security activation and operation by users who aren’t security experts. A baseline of cybersecurity knowledge goes a long way.

We should also build in practical learning opportunities for students who want to take their development further. At the secondary level, cybersecurity should be practiced across disciplines like healthcare, law and so on. Investment vis-a-vis direct partnerships with schools and other public sector organizations is one key vector for this. Another important avenue is through NGOs that make technical education available to traditionally underrepresented groups.

Another essential area of collaboration will be the content of the curricula itself. Whether it should be standardized is an important question. AI can help in the process of on-the-job education and knowledge sharing, tuning AI agents to bring internal information to the relevant people with little to no friction. However, it’s clear now that the threat environment changes quickly enough — and substantively enough — to require close collaboration between schools, NGOs and industry to ensure that the skills students are learning remain relevant and effective.

Prioritizing retention

To address the skills gap, we need to retain the talent we already have. And, right now, there are some notable headwinds for cybersecurity roles. Many professionals feel underappreciated and overworked. Work culture can be punishing and replete with unrealistic expectations. Disconnects between management and security teams lead to limited budgets. These factors combined with an always-expanding threatscape produce an intensely stressful environment that negatively affects individual performance and broader workplace cohesion that leads talented people to seek alternative roles.

Reducing attrition has a number of benefits. Of course, it’s easier to confront the talent gap if we’re not leaking talented people at a high rate. Beyond that, by building contiguous experience within organizations and the industry broadly, we also build a base of mentors and leaders with institutional and historical knowledge. To do this, there are steps organizations can take to put themselves and their employees in a position of strength.

First, invest in the technical tools security teams need to do their jobs effectively. We have to acknowledge that the threat environment is too large and too complex for humans to secure without a force-multiplier. Technical tools should be consolidated as much as possible so teams can work from a centralized platform. AI can help focus the security teams on the more challenging and less tedious parts of the job by deploying AI “builders” that automate these tedious, repetitive tasks. AI-based enrichment reduces the need for manual expensive work while enhancing event triage capabilities to refine criticality and leverage human in places they will add more value. 

Next, offer flexible plans for individual development. Traditional, predefined career paths don’t fit well with the always-changing nature of cybersecurity. Developing individualized plans that address specific needs and aspirations will empower employees to feel more ownership over their roles. This goes hand-in-hand with making the roles themselves more compelling and challenging, rather than rote and repetitive. Employees are more satisfied when they feel like they’re making meaningful contributions to the company.

This combines with a third key element: be transparent about corporate strategy. Cybersecurity is no longer an afterthought, but an operational foundation for doing business. Security needs to be a top priority at the strategic level, and security teams should be looped in to organizational priorities in a way that reflects that. Instead of making decisions in the dark, it will enable teams to act in the proactive manner the modern threat environment requires.

Conclusion

The cybersecurity talent gap is one of the most pressing issues we face today across industries and sectors. Consequently, it’s something we have to work together to solve. However, there are clear and impactful steps we can take to make progress now. Cybersecurity is already a differentiator, and organizations that prioritize developing and nurturing talent at all stages of the pipeline will emerge as leaders in their segments.

Dorit Dor is CTO of Check Point Software Technologies.