5 Ways SMBs Can Bridge the Cybersecurity Skills Gap

The number of global cybersecurity workers hit a record 4.7 million last year, as hundreds of thousands more people entered this expanding field, according to a report by the International Information System Security Certification Consortium [(ISC)²].[1] But even with 464,000 cybersecurity workers added, the shortfall in the supply of cybersecurity talent keeps growing. (ISC)² put the number of unfilled cybersecurity jobs in 2022 at 3.4 million, with the greatest number of unfilled positions in China, India, the U.S., and Brazil.

This is good for workers with cybersecurity training, who can use demand for their services to negotiate higher pay and faster promotions. But it’s less of a positive for those on the hiring end. And it’s particularly hard for small and medium-sized businesses (SMBs), which lack the financial resources or brand recognition to compete for these critical workers.

Smaller organizations can’t simply throw their hands up in frustration, however. With cybercrime increasingly affecting smaller organizations, SMBs must find ways to address the gaps in their cybersecurity expertise. SMB leaders may need to take a more creative approach to acquiring necessary cyber skills. They can also implement software to automate some aspects of cybersecurity, allowing them to protect themselves despite a more limited allotment of human expertise. Mimecast, for one, has begun developing tools specifically designed to support SMBs in recent years. 

5 Actions SMBs Can Take to Fill Cyber Roles

Like a smaller country’s national team aiming to compete in a global sporting event, SMBs’ first question shouldn’t be whether they can win the championship, but how they can get onto the same playing field. For this, a certain amount of flexibility is helpful.

Flexibility for SMBs in cybersecurity hiring means prioritizing potential over professional achievements. It can also mean using their smaller size to their advantage. Here are five things that SMBs might try to fill cybersecurity roles in a competitive talent market:

1. Let go of unrealistic resume requirements.

When looking for someone to run cybersecurity processes and systems, it’s tempting to seek a candidate with three, four, or five years of experience. Alas, such candidates are rare in the waters where SMBs fish for talent. Often such a candidate’s salary demands are beyond what the SMB can offer. In other cases, the potential hire will prefer the prestige of working for a larger organization with a recognized name — a desire that may only become evident in the final stages of the interviewing or shortly into the individual’s tenure.

One way for SMBs to avoid this costly mistake is to redefine what the ideal candidate looks like. For instance, SMBs located in university towns or cities might look to recruit recent graduates. Such candidates don’t have long resumes, but they may have recent hands-on experience with cybersecurity through work in their schools’ technology labs. Another plus is that new grads may have fewer preconceived notions of what the technology infrastructure should be at their new workplace. This is a good fit for most SMBs, which may not have the most sophisticated technology infrastructure.

2. Tap someone who’s already at your company to manage cybersecurity.

If you were a sheriff responsible for protecting a small town under threat from intruders, you wouldn’t close your eyes to the risk; you’d get ahead of it, likely appointing someone to be your deputy. The same idea applies for SMB CEOs staring down cyber risk, whether the cyber threats come in the form of phishing, ransomware, or impersonation attacks. Often, there is an opportunity to deputize an existing employee to oversee cybersecurity.

It’s possible that none of your employees has a technology title. However, there’s typically at least one person who understands the company’s IT systems better than most, is good at troubleshooting technology, or has been relied on in the past to evaluate new software or hardware. That person can be a good option to oversee cybersecurity, whether on a permanent basis or until the company can bring in someone else full time. 

If you find yourself with absolutely no one you can appoint, or if you want to refrain from relying solely on one person, you can also consider upskilling your existing team members with training courses and apprenticeships.

3. Use your culture to attract and retain cybersecurity workers.

The stakes in cybersecurity are high and the work can be stressful. Indeed, two common reasons why cybersecurity workers leave their jobs are burnout and a poor work-life balance, according to (ISC)2.[2] This presents SMBs with an opportunity to play up their cultural advantages, such as more flexible hours, more spontaneous rewards, and more personalized benefits and perks. To be sure, not every SMB offers a utopian work life. But SMBs which offer unique benefits, strong cultures, and healthier work-life balance can highlight those to better recruit and retain budding cybersecurity stars who might otherwise seek out the higher pay and brighter lights of a big company.

4. Consider consultants.

Some SMBs may not have the funds for a full-time cybersecurity director or may not see a level of threat that warrants the appointment of a full-time CISO. Such companies might look for a freelance technology consultant to handle this work for them on a contract basis. A good place to start is by tapping into social or professional networks for trusted recommendations. Recently retired technology workers offer another potential source of consulting help. And there are other consulting options, too. A larger SMB might want to work with a company that offers part-time CISOs for hire. These “virtual CISOs” do everything from administer cyber awareness training to advise on cybersecurity software selection. Yet another possibility is to contract with a managed cybersecurity services firm. These companies offer strong protection and often fast remediation, though their level of service comes at a higher cost.

5. Use a foundation of security software to automate your cybersecurity.

Technology is a big part of any cyber defense strategy. At a large enterprise, the cybersecurity systems are often extremely sophisticated and managing the full suite of tools can be complex. The anti-spam software might come from one vendor, and the threat detection software from another vendor depending on who is seen as “best-in-breed” in each area. Big companies might also have software developers capable of customizing their cybersecurity systems using the application programming interfaces (APIs) built into their providers’ software.

This is not the approach that most SMBs should take. The limited human resources that SMBs can devote to cybersecurity calls for investing in a system that’s capable of running itself. An integrated, user-friendly cybersecurity solution is an asset, particularly if the SMB’s cybersecurity manager wears multiple hats in the company.

The selection of the right cybersecurity defense technology has such long-term importance to SMBs that it can be helpful to engage an external consultant to help with product evaluation and vendor selection. 

The Bottom Line 

Unfilled cybersecurity roles create a particularly big problem for SMBs. Smaller firms can’t compete with the salaries that big companies pay for CISOs, so they have to be more creative, looking to recent graduates, contracting with cybersecurity consultants and CISO-for-hire firms, and highlighting their unique cultural advantages to potential hires. SMBs also benefit from cybersecurity products that they can install and maintain with a minimal amount of effort. Read how Mimecast’s Cloud Integrated product can help SMBs automate many aspects of cybersecurity.

[1] (ISC)² Cybersecurity Workforce Study, International Information System Security Certification Consortium

[2] Ibid