According to the (ISC)² Cybersecurity Workforce Study, 2020, the global cybersecurity workforce gap shrank for the first time ever, from 4 million to 3.1 million, despite the economic challenges presented by COVID-19. Even though more cybersecurity positions are being filled than in previous years, a large gap still exists.

“Several factors are contributing to the talent gap, including how the industry seeks to fill jobs, and external developments beyond the industry’s control,” mentioned John P. Mello Jr. in the TechBeacon article Build your cybersecurity A-team: 7 recruiting tips. “The new reality is that every company is now a technology company. With that comes exposure to threats such as ransomware and phishing and the need for security professionals to manage them.”

As to why every company is a technology company, Mello cites recent privacy regulations such as the European Union’s GDPR and California’s CCPA, with their increased focus on privacy and information security. This, in turn, means skill sets such as securely processing personal data, previously required only in specific industries such as healthcare, are now required by all organizations.

A serious disconnect

Hiring managers and those in charge of IT departments have long known about the disconnect between what is taught and what IT personnel need to know, particularly when it comes to cybersecurity. That disconnect becomes obvious when employers find themselves looking for individuals with technical skills gained outside the classroom.

David Brown, executive director of the National Cyber Scholarship Foundation, which provides scholarships to students pursuing cybersecurity careers, mentioned to Mello, “The educational community teaches what it’s comfortable teaching. It’s rare for a higher education institution to sit down with industry and say, ‘This is what our curriculum looks like, and we want to know how this curriculum aligns with your needs.'”

Best practices for recruiting cybersecurity pros

In his research, Mello has accrued several best practices for building a cybersecurity A-team.

Look beyond the usual places to find talent

Several experts, including Andy Roeth, manager of security at the DHI Group, and Deborah Golden, U.S. cyber and strategic risk leader at Deloitte Risk and Financial Advisory, suggested to Mello that employers break away from recruitment patterns that target graduates from a select set of schools with what would be considered the appropriate degrees. They also recommended looking at in-house talent: there are employees not currently working in cybersecurity who have applicable skill sets.

If a hiring manager wants to find high-performing cybersecurity candidates, Capture the Flag competitions, bug bounty programs and other skills-based events are excellent places to look.

Speaking to in-house training, Mello mentioned that Alan Paller, president of the SANS Institute, told him apprenticeship programs are a valuable source of talent.

Don’t require candidates to have designated skills

Neha Joshi, strategy and innovation lead at Accenture Security, told Mello there’s a perception in the industry that cybersecurity is complex and requires niche skills. In reality, cybersecurity skills are not that different from what is needed to interact with any technology.

Mello quotes Deloitte Risk and Financial Advisory’s Golden, who said, “If we only recruit from the same programs, or from those who have gone through similar curriculum, we will put ourselves at a strategic disadvantage. Our adversaries aren’t one-dimensional, and we shouldn’t be either.”

Look for relevant skills beyond formal education

In the beginning, cybersecurity was learned via the school of hard knocks. Accenture Security’s Joshi suggested to Mello that this is not a bad idea. It allows creative problem solving with fresh eyes. Even more critical, Joshi mentioned, “Problems evolve over time, so we need security team members to solve not just the problems of today, but ones they’ve never seen before.”

Ben Smith, field chief technology officer at RSA Security, raised a point that is not often addressed. “Smart hiring managers realize they aren’t just looking at candidates for roles,” Mello quoted Smith as saying. “They should be constantly aware of strengths and weaknesses in their existing staff. Where can that new hire make the most impact in making your team as a whole stronger?”

Be willing to train candidates after they’re hired

DHI Group’s Roeth told Mello finding a perfect candidate is nearly impossible, so in-house training or sending new hires to specialized cybersecurity training is crucial.

“Security is very broad and includes so many skills, there are plenty of people that might not be the exact right fit, but may become just that after training,” added Roeth. “Employers and technologists can both pigeonhole themselves by homing in too much on very specific security skills when seeking candidates or seeking work.”

Use certifications to give a candidate context

This tip has divided the experts. Half say certifications tell something about what potential hires have learned and show that they have taken the time to educate themselves.

Others, such as Saryu Nayyar, CEO of Gurucul, suggest certifications prove the candidate was able to study for and pass a test of his or her skill and knowledge, and that’s about it.

Instead of one or the other, Melanie Kruger of Red Canary believes balance is essential, and both should be weighed when deciding which candidate is the best fit. Kruger added, “My personal bias leans more toward experience and demonstrated expertise and the ability to be coached and the humility that is gained through trial and error and safe-space failures that come with on-the-job learning.”

Craft your job descriptions carefully

Another tip concerns something not given much attention: “A job description should be about the projects and tasks to be completed and the time expected to be spent on them, not the profile of the person you think you want to hire,” explained Deidre Diamond, founder and CEO of CyberSN, a recruiting firm that focuses on cybersecurity professionals. “Without that, you’re starting off wrong. Job descriptions matter.”

Sell the job and company

Looking at any of the top successful tech companies, one soon realizes that it’s about culture as well as the position. Hiring managers need to know what appeals to candidates and, when the right ones come along, offer it to them. SANS Institute’s Paller emphasized, “Once the money is enough, it’s all about challenging work and ‘Are they going to invest in keeping my skills up?’”

Final thoughts

Mello and the experts concluded by expressing how important it is to ensure that new hires stay put. To accomplish that, a succession plan must be in place for each new hire. Diamond does not mince words:

“Without succession planning, there’s no training of juniors. Without juniors, people can’t advance because there’s no one to take things off their plate. People are changing jobs every 12 to 18 months. That’s not good for an organization. That’s happening because people want to get out of a situation where they’re not learning and they’re not moving forward.”
