With an acute cybersecurity skills gap that stands at 2.7 million globally and a U.S. gap of more than 400,000, hiring managers are looking to entry- and junior-level candidates to fill vacancies, according to a new report by global cybersecurity professional organization (ISC)².
As another measure, 91% of hiring managers are offering professional development during work hours.
Previous (ISC)² research has recommended organizations look outside the traditional pool of cybersecurity candidates to build resilient teams at all levels. Finding and nurturing newcomers to the field requires a shift in recruiting tactics and investing in training so new hires can learn and grow, the organization said.
But hiring younger and first-time professionals in the cybersecurity industry also comes with various obstacles, said Tara Wisniewski, (ISC)² executive vice president of advocacy, global markets and member engagement.
One of the biggest challenges “lies with hiring managers relying on unrealistic job descriptions and hiring practices – placing far too much emphasis on experience alone, even for entry-level roles where prior experience is impossible to obtain,” Wisniewski said. “This ‘chicken and egg’ scenario has dogged the cybersecurity sector for some time, particularly at the entry-level end of the career ladder.”
This results in an increasingly older and less diverse average workforce in cyber, and it results in fewer new recruits to pass knowledge and best practice on to, she added.
However, the challenges of recruiting younger and first-time professionals are just one part of the problem.
“For example, it is hard to attract experienced people away from other cybersecurity employers due to the high levels of job satisfaction we see in the sector,” Wisniewski said. “This often leads to financial rewards and the ability to offer them governing whether companies can successfully meet their experienced staff expectations.”
What hiring managers can do to fill these roles
Working with staffing and recruitment firms was the first step toward hiring promising team members, cited by 52% of study participants. Looking toward certification organizations is next (46%), along with colleges and universities (46%).
Respondent managers also rely upon standard job postings (45%), apprenticeships and internships within their own organizations (43%), and partnerships with government workforce programs (33%).
Hiring managers also need to be open-minded about entry- and junior-level practitioners, Wisniewski said.
“Hiring at this level needs to be seen as an investment in the future, rather than an immediate quick fix,” she said. “New energy, perspectives and a willingness to learn and be molded by the organization are invaluable assets that companies need more of. Hiring managers also need to work closely with HR to rethink and be more realistic about job descriptions and minimum requirements.”
Hiring managers should look beyond the traditional IT and cybersecurity talent pool. Bringing in young professionals for their first job is important, but tapping into the wider skills market to attract career changers is equally valuable, Wisniewski said. The military and those working in a variety of non-technical roles are equally suited to transferring themselves and their skills into cybersecurity.
“Ultimately, hiring managers need to invest in people and create longer-term career paths for those they hire, rather than just relying on the already highly experienced elements of the cybersecurity workforce,” Wisniewski said.
Few managers hire from within
A less-used option (18%) is to hire individuals from within the organization. The study found that 46% of organizations with fewer than 100 people and 34% of those with more than 5,000 people said they recruit entry- and junior-level staff from other internal departments.
Entry- and junior-level cybersecurity talent can be found within IT (89%), technical support/help desk (29%), human resources (29%), customer service (22%) and communications (20%).
Building an entry-level job description requires a team effort, the study noted, saying that “more collaboration between hiring managers and HR is the solution.”
Top tasks for entry-level and junior staff
The study found the top five tasks for entry-level staff are:
- Alert and event monitoring (35%)
- Documenting processes and procedures (35%)
- Using scripting languages (29%)
- Incident response (28%)
- Developing and producing reports (26%)
The top five tasks for junior staff are:
- Information assurance (authentication, privacy)
- Backup, recovery and business continuity
- Intrusion detection
- Penetration testing
Top traits to look for in entry- and junior-level team members
There are a number of traits in three categories – technical skills, non-technical skills and personal traits – that hiring managers should consider in entry-level job candidates, according to the (ISC)² report.
The top five technical skills are data security, cloud security, secure software development, data analysis and security administration.
The top five non-technical skills are the ability to work in a team, the ability to work independently, project management experience, customer service experience and presentation skills.
The top five personality attributes are problem-solving, creativity, analytical thinking, a desire to learn and critical thinking.
(ISC)² has addressed the shortage and skills gap with initiatives including developing an entry-level cybersecurity certification.
“By equipping the next generation of cybersecurity professionals with a foundational qualification, hiring managers will have a recognized and practical mark of competency to rely on other than previous experience,” Wisniewski said.
(ISC)² said it polled 1,250 hiring managers at small, mid-size and large organizations in the U.S., Canada, the U.K. and India about their practices and preferences.