By Jamal Elmellas, Chief Operating Officer, Focus-on-Security
Faced with an unprecedented and worsening skills crisis, IT and cybersecurity teams are finding it increasingly difficult to attract and recruit candidates to fill their vacancies. In the UK alone, 50% of businesses report having a basic cybersecurity skills gap and in terms of specialist skills, there is an annual shortfall of 11,200 professionals, according to the Cyber security skills in the UK labour market 2023 government report. A cumulative deficit means it will become only harder to find personnel so organisations need to get ahead of this crisis to futureproof the team against these shortages.
One of the chief ways of doing this is to formally carry out workforce planning. It’s an HR practice that allows the business to assess the current state of the workforce, perform gap analysis to identify missing skillsets, and to look at future needs and to plan accordingly, laying out a strategy to meet these future shortfalls. It needs to be a part of the business planning as a whole and should therefore also be addressed at a senior level to fit in with business goals.
Workforce planning can confer numerous advantages. It ensures that the business turns to the market for the skills it needs while preventing overlap or skills being mismatched to the role, helps focus personnel career development, improves productivity and employee retention. Ultimately, it prevents the business from being forced into reactive stance, where its workforce is dictated by circumstance or market dynamics rather than its own needs and from a cybersecurity perspective, can prevent the resilience of the business from being eroded.
Getting buy-in
Communication is key to effective workforce planning so the HR team will look to the security team for insight into the roles required. The problem here is that there is often a disconnect between the two, with job roles and descriptions written and placed by HR that are out of step with the market. The (ISC)2 Cybersecurity Workforce Study found that only 52% of hirers thought they had a strong working relationship with HR and 40% didn’t think HR added value to the recruiting process. Where that disconnect existed, the organisation was 2.5x more likely to experience skills shortages.
It’s an issue further exacerbated by the fact cybersecurity roles can be difficult to determine. Up until recently, disciplines have evolved organically over time so it’s not uncommon for the same role to be advertised for by different companies with different skillsets listed under the requirements. That can make formulating a job description very difficult and also makes workforce planning more challenging.
Thankfully a great deal of progress is being made in this space due to the development of the Cyber Career Framework by the UK Cyber Security Council. This covers 16 specialisms and aims to map the skills, experience, responsibilities (including salary expectations), and qualifications particular to each. It’s such an ambitious undertaking that it is still only partially complete and won’t be finished until 2025 but it promises to make it much easier for everybody involved, from educators to security teams, and recruiters, HR and candidates to identify the skills particular to a given role and how careers should progress.
That said, a workforce plan is not simply a matter of numbers. As the CIPD states, in addition to these skills, HR should assess potential and how talent is deployed and organised. It describes workforce planning as much art as science because it brings together the operational and strategic. It requires a wealth of data and requires input and buy-in from the whole organisation to be effective and is also a dynamic iterative process that will need to be revised following disruption such as digital transformation projects or M&A activity and subjected to regular review.
Dealing with shortages
But what happens if, despite these efforts, the business still finds itself short staffed? How do you go about prioritising those shortages? One solution suggested by McKinsey is based hiring on risk. Rather than using a top-down approach the organisation should seek to identify the roles that could potentially expose the business to risk such as through lack of compliance or incident response. It’s then necessary to evaluate what McKinsey calls ‘Talent-to-Value’ (TtV) or those posts that expose the business to the most risk. Again, there is no one size fits all formula here, as risk tolerance will vary from business to business but it does provide another means of prioritising hiring and spend. McKinsey estimates this approach can result in up to 50% less hires being made.
It’s becoming increasingly clear that more targeted recruiting requires better planning. Identifying gaps and weak spots, using the business strategy to forecast where future demand will be, and working more closely with teams and departments will be essential if businesses are to weather the drought of talent we can expect over the next few years. Plus those businesses that can show they have a systematic approach and an understanding and appreciation of career advancement are much more likely to be able to retain the talent they do hire.
