With more than 3.5 million cybersecurity jobs unfilled this year, the recruiting and retaining of information security pros has become more important than ever. That’s why knowing where to find talent, how to assess it, and how to keep it is invaluable.
Several factors are contributing to the talent gap, including how the industry seeks to fill jobs, and external developments beyond the industry’s control. There are also gaps in the talent pipeline.
The new reality is that every company is now a technology company. With that comes exposure to threats such as ransomware and phishing and the need for security professionals to manage them.
Top experts share what you need to know about recruiting for your modern cybersecurity crew—and tips on how to build a solid team.
Key factors in today’s cybersecurity recruiting
The laws, they are a-changin’
Recent privacy regulations such as the European Union’s GDPR and the California Consumer Privacy Act (CCPA) are driving more focus on the confluence of privacy and information security, explained Chris Niggel, regional CSO for the Americas for Okta, a cloud security company.
“As the regulators begin to provide guidance on technical requirements, security skill sets are becoming required by all organizations that process personal data. Previously, they were only required by organizations subject to more specific industry regulations, such as healthcare.”
Training needs to hit the books
Employers are looking for people with technical skills that are either taught insufficiently in higher education or not at all, said David Brown, executive director of the National Cyber Scholarship Foundation, which provides scholarships to students pursuing cybersecurity careers.
Many high school programs exist to attract young people into the field, but those programs aren’t connected to each other. Then there’s a disconnect between those programs and colleges and universities, Brown said.
And a misunderstanding exists between the colleges and universities that are producing students and the employers that are hiring them.
“The educational community teaches what it’s comfortable teaching. It’s rare for a higher education institution to sit down with industry and say, ‘This is what our curriculum looks like, and we want to know how this curriculum aligns with your needs.’”
The new normal with COVID-19
Amir Shaked, senior vice president of research and development at the web security service provider PerimeterX, said that COVID-19 has contributed to widening the supply problem. “Nearly everyone has now ordered food or groceries online, springing up a number of new services that require information security.”
As if those manpower challenges weren’t enough, hiring authorities have had to deal with a pandemic, too. With more employees working at home, the need for greater access to organizational resources from outside the organization has increased awareness across the globe that more cybersecurity pros are needed, said Neha Joshi, strategy and innovation lead at Accenture Security, a professional services company.
“We already had a supply-and-demand issue, and it has only been exacerbated by COVID-19. So it’s even harder now to hire cybersecurity professionals.”
Even if an organization can find a potential hire, not being able to conduct face-to-face interviews can make hiring difficult, said Chloé Messdaghi, co-founder of Women of Security, a community for women with an interest in cybersecurity. “It slows the process to get good hires and makes using capture the flag and other kinds of challenges to prescreen talent invaluable.”
Aggressive digital transformation caused by the pandemic has added complexity to the role of infosec pros and the hiring process. Cybersecurity professionals are now expected to be risk management utility players, said Deloitte Risk and Financial Advisory’s US cyber and strategic risk leader Deborah Golden.
“They’re offering strategic input on strategies ranging from 5G adoption and IoT impacts to supply chain fortification and pre-M&A diligence. They’re also doing talent security management, driving interaction as security ambassadors across nearly all organizational departments.”
Best practices for building your cybersecurity team
1. Look beyond the usual places to find talent
Recruiters need to break away from recruitment patterns that repeatedly target graduates of a finite set of schools with a finite set of majors, said Deloitte Risk and Financial Advisory’s Golden. “We need a bigger presence at historically black colleges and universities and technical schools,” she said.
Andy Roeth, manager of security at the DHI Group, the parent of Dice, an online tech jobs board, recommended looking in-house to fill open slots.
“It’s important to look in-house outside of your security team. There are people who aren’t currently in a cybersecurity role but have specialized skill sets in security.”
Capture the flag, bug bounty, and other skills-based events are also a good place to find high-performing security candidates. “Those are places to find talent with the skills, agile thinking, and persistence that recruiters should be seeking out,” Messdaghi said.
Apprenticeship programs can also be a valuable source of talent. “These programs start with an aptitude test,” said Alan Paller, president of the SANS Institute, an accredited specialized cybersecurity college and graduate school.
“That’s a very uncommon thing in education. Most education starts with an application.”
Ben Smith, field chief technology officer at RSA Security, a global security solutions provider, recommended getting to candidates as early as possible.
“Is your company partnered with your local community college? It could be a hiring funnel right into your team. Are you, the hiring manager, attending local professional association meetings to source new candidates?”
Organizations shouldn’t be above poaching talent from bigger competitors, either. For operations roles such as detection engineering and incident handling, Red Canary has had a lot of success in hiring analysts and senior analysts from larger organizations, where they have learned best practices, said Melanie Kruger, vice president of talent at the cloud-based security services provider.
“These candidates yearn to have more impact and a closer connection to a company’s mission. They are ready to take the next step in their career and have more influence over how work is done, and so are attracted to smaller and more rapidly growing organizations.”
2. Don’t require candidates to have niche skills
There’s a perception in the industry that cybersecurity is complex and requires niche skills. Actually, the skills needed for cybersecurity are used in all interaction between humans and technology and between technology and technology, Accenture Security’s Joshi said.
“Perception of that barrier to entry from other parts of a business or other parts of technology makes it even harder to shrink the supply-and-demand gap.”
Security teams have looked the same for years due to preconceived notions defining security professionals. “As the threat landscape evolves, we need to also pivot our approach to cyber talent,” Deloitte Risk and Financial Advisory’s Golden said.
Golden said the industry has a long way to go to include more individuals from typically underrepresented groups.
“If we only recruit from the same programs, or from those who have gone through similar curriculum, we will put ourselves at a strategic disadvantage. Our adversaries aren’t one-dimensional, and we shouldn’t be either.”
— Deborah Golden
3. Look for relevant skills beyond formal education
Some of the best cybersecurity professionals don’t have formal cybersecurity education, Joshi said. What they do well, though, is creative problem solving, she continued. “They look at problems through fresh eyes.”
“Problems evolve over time, so we need security team members to solve not just the problems of today, but ones they’ve never seen before.”
Soft skills are also important for a candidate to have, but most are unlikely to have acquired them during their academic training. “If you look at the curriculum of institutions that grant degrees in cybersecurity, there’s virtually nothing offered in soft skills—communications, business writing, leadership, critical thinking,” the National Cyber Scholarship Foundation’s Brown said.
Chris Romeo, CEO of Security Journey, an application security education firm, said core business skills were often overlooked.
“Everyone shakes their head and says that the technical is what is most important, but for me, the technical and the soft skills must go together. Measure whether a candidate can work with other people, ask about conflicts, and measure if this person is going to be a success for your security team 90 days from now, after the new-car smell has worn off.”
It also helps if a job candidate has a hacker’s frame of mind. “This is a mindset that perceives that any architecture can be breached. They understand that adversaries have infinite time to try and poke holes in one’s defenses,” said PerimeterX’s Shaked.
Okta’s Niggel added that a good security analyst enjoys taking things apart to understand how they work, or can look at a technology and ask how it could be abused or subverted to do something it was not intended to do.
“These are skills we can find in all fields. Some of the most interesting security professionals I know came from legal, military, and IT backgrounds.”
Team fit is another important consideration when evaluating a candidate. There is a distinction between hiring an individual and building out the strongest team, Smith advised.
“Smart hiring managers realize they aren’t just looking at candidates for roles. They should be constantly aware of strengths and weaknesses in their existing staff. Where can that new hire make the most impact in making your team as a whole stronger?”
4. Be willing to train candidates after they’re hired
Trying to find the perfect candidate for a job can be a fool’s errand. “In my experience, it’s likely that perfect person isn’t looking for a job,” DHI Group’s Roeth said. “In fact, they might not even exist.”
Willingness to train is crucial, either by working with new hires in-house or by sending them to specialized security training externally, he said.
“Security is very broad and includes so many skills, there are plenty of people that might not be the exact right fit, but may become just that after training. Employers and technologists can both pigeonhole themselves by homing in too much on very specific security skills when seeking candidates or seeking work.”
5. Use certifications to give a candidate context
Certifications tell you something about what a candidate has learned and what they’ve taken time to educate themselves on. “That has great value,” Accenture Security’s Joshi acknowledged, “but you want to pair that with the candidate’s whole story. There are times when a certification isn’t as valuable as the candidate’s experience.”
Saryu Nayyar, CEO of Gurucul, a threat intelligence company, added that certifications prove that the candidate was able to study for, and pass, a test of his or her skill and knowledge.
“Those certifications are a helpful guide, but being able to pass the test doesn’t guarantee someone will have the ability to do the job.”
RSA Security’s Smith warned that including certifications in job descriptions sometimes can be a mistake. “Expecting an early-career candidate to have a cert which requires five years of real-world experience is a catch-22,” he said. “Many hiring organizations fail to realize this is an unrealistic expectation on their part.”
It is important to balance certifications and experience, and there can be value to both when weighed appropriately during the candidate-selection process, Red Canary’s Kruger advised.
“My personal bias leans more toward experience and demonstrated expertise and the ability to be coached and the humility that is gained through trial and error and safe-space failures that come with on-the-job learning.”
6. Carefully craft your job descriptions
You should put a lot of time and attention into job descriptions, said Deidre Diamond, founder and CEO of CyberSN, a recruiting firm that focuses on cybersecurity professionals.
“A job description should be about the projects and tasks to be completed and the time expected to be spent on them, not the profile of the person you think you want to hire. Without that, you’re starting off wrong. Job descriptions matter.”
7. Sell your job
In a buyer’s market, selling a job is critical to meeting manpower needs. That means you need to know what appeals to candidates and make sure you can offer it to them.
Cybersecurity professionals want to be offered high-impact work and continuing investment in training. “Once the money is enough, it’s all about challenging work and ‘Are they going to invest in keeping my skills up?’” the SANS Institute’s Paller observed.
“It shouldn’t be a surprise that your cybersecurity hires, like those in other fields, care deeply about career progression and educational opportunities.”
He recommended that hiring managers know the answers to these questions before candidates ask them:
- Does your organization subsidize technical certifications?
- Is there a book and training budget that a new hire can tap?
- What’s your policy on professional association membership fees and attending conferences?
Having a flexible work schedule is also important. “They want to advance without assuming management responsibilities,” Paller said.
And then there’s the “Kevin Garnett” effect, named for the former Boston Celtics power forward.
“Highly skilled professionals want to work with others whose talent and work they respect. They want to join a team with superstars on it so they can learn from them.”
Red Canary’s Kruger added that candidates also want to know what it takes to succeed in an organization. “We have found that it is increasingly important for us to be clear on success criteria for each role,” she explained, “and to take extra steps to align all of our recruiting panel team members so that the candidate experience remains cohesive and positive.”
“One element that has been increasingly important to candidates is learning more about our employee onboarding process, so that they have a sense that we will be able to set them up for success, even if deployed virtually.”
Keeping the kids on the farm
Now that you have your new hires, how do you keep them? One way is to make sure you have a succession plan in place. Without succession planning, staff will burn out and people will get bogged down without an opportunity to advance their careers within organizations, CyberSN’s Diamond said.
“Without succession planning, there’s no training of juniors. Without juniors, people can’t advance because there’s no one to take things off their plate. People are changing jobs every 12 to 18 months. That’s not good for an organization. That’s happening because people want to get out of a situation where they’re not learning and they’re not moving forward.”
Establishing a mentoring program is another way to retain talent. Consider an informal job rotation to show your staff what their next career step might look like, RSA Security’s Smith advised.
“You might take that front-line Level 1 security analyst out of her seat for a half-day every two weeks so that she can shadow a more senior Level 2 or Level 3 colleague. Connecting that employee with a mentor is another great way to add some glue to the relationship.”
Security shouldn’t be treated as an afterthought during product development, Accenture Security’s Joshi said. Invite them to the table, not just for technology discussions, but for the business talk, so they’re aligned with the purpose of the organization that they’re protecting, she said.
“They need to be involved in a project as early as possible, even in the planning stages, to talk about security.”
Organizations also need to be mindful of how hard their security pros are working.
“It’s important that individuals have the necessary time to regroup and refresh. Ensuring that well-being is a priority will not only retain but also attract top talent.”