This feature first appeared in the Spring 2017 issue of Certification Magazine. Click here to get your own print or digital copy.
Cybersecurity is at a critical juncture. Organizations around the world increasingly recognize the importance of cybersecurity to their reputation and ongoing operations, driven by mainstream media reports about breaches. This recognition results, in many cases, in an increased desire to hire skilled cybersecurity professionals to protect systems and information assets.
This renewed interest in cybersecurity talent also is creating a significant skills gap, a cybersecurity staffing shortage, as employers struggle to stand out among the pack and recruit talented professionals to fill their open positions. Recent research confirms that this trend exists and that organizations are truly struggling to fill positions.
Information security industry association (ISC)2 released its Global Information Security Workforce Study in February. This study surveyed more than 19,000 security professionals and projects that there will be a gap of 1.8 million cybersecurity experts over the next five years. That gap represents a 20 percent increase from the 1.5 million shortfall predicted by the same study last year — and provides quantitative evidence of the anecdotal pain felt by hiring managers around the world.
Successfully filling information security positions in today's highly competitive job market requires that employers try new approaches to building applicant pools and filling positions. More than ever, employers need to stand out from their competition. In 2017, it takes hard work to attract and hire top cybersecurity talent.
Building an applicant pool
Employers should treat hiring information security professionals as a sales effort — they need to win the hearts and minds of job candidates who have many other opportunities available to them. As any salesperson will tell you, the best way to guarantee success is to build a strong funnel of prospects. If you don't keep the pipeline full of strong job candidates, then you will dramatically reduce your likelihood of successfully hiring top talent. The larger your applicant pool, the greater your chances of success.
Companies simply aren't succeeding at filling their applicant pools with qualified candidates. ISACA's Cybersecurity Nexus also published a cybersecurity workforce study, the day before (ISC)2's release. That study provides some valuable detailed information on the applicant pools for cybersecurity positions and it tells a bleak story.
While most corporate job openings receive between 60 and 250 applicants, only 59 percent of companies surveyed reported receiving five or more applicants for cybersecurity positions. Even more disturbing is the fact that only 13 percent of companies received at least 20 applications for information security roles.
Ask any hiring manager about candidate pools and you'll likely hear stories of woefully unqualified applicants cluttering the pool. That's certainly true in cybersecurity — 37 percent of respondents to the ISACA survey reported that fewer than 1 in 4 job applicants possess the skills required to fill a cybersecurity role.
Winning hearts and minds
The bottom line is that recruiters must work harder to not only increase the size of the pool, but also improve the quality of candidates completing applications. That's where the sales effort begins. The highest priority for selling a cybersecurity opening is taking a critical look at the job description and posting.
You should verify that the job description is accurate, of course — but also read it from the perspective of a job candidate who is weighing many attractive options. For example, I recently saw a job description where the second line read, "The successful candidate must participate in a 24x7x365 on-call rotation." Sure, that may be true, but do you really want to open the description with the implication that if a candidate accepts this job, they may never again have truly free free time?
Job postings should be written with a marketing bent. Don't just convey the responsibilities and qualifications required for the position — sell the company, the cybersecurity team and the job! Tell potential employees why your company is an outstanding place to work. You have to convince them that they'd be crazy not to join your team.
Studies consistently show that financial compensation isn't the most important criteria that most employees consider when deciding whether to accept a job — but that doesn't mean that it's not important. Companies seeking to attract top talent must be willing to pay a market-competitive salary. The U.S. Bureau of Labor Statistics reports that the median salary for information security analysts in 2015 was $90,120. You simply aren't going to attract an experienced security superstar if you're trying to fill a skilled role for $75,000.
Evaluating Security Skills
Once you've filled your pipeline with qualified candidates, your next challenge is to narrow that pool by determining which candidates have the skills required to succeed in the position. You can begin by evaluating the candidate on paper and screening for years of relevant experience, education and professional certifications. This pass through the candidate pool isn't designed to select finalists; the purpose is simply to rule out clearly unqualified candidates.
After you've narrowed the pool to a manageable number, you will want to spend some time with each candidate to get a better feel for their background and skills. Whether you conduct interviews on the phone or in person, be sure to ask questions that will really draw out experiences and paint a full picture.
For example, you might ask a candidate for a security consulting role: "Tell me about a time when you made an unpopular recommendation to a technical team. How did that situation unfold and what would you do differently in hindsight?"
Certifications also play an important role in screening applicants for cybersecurity positions. Candidates for entry-level roles should have at least one entry-level security certification on their resumes, such as CompTIA's Security+ certification. Candidates for more advanced positions should possess either the Certified Information Systems Security Professional (CISSP) certification or a specialized advanced technical certification.
Certifications aren't the be-all and end-all of employment qualifications, but they do demonstrate that an individual is committed enough to the cybersecurity profession to seek out certification opportunities and pass a broad-based cybersecurity exam.
Retraining (and retaining) your own employees
Organizations finding it difficult to recruit security talent from external sources may want to explore opportunities for creating their own talent pool. Cybersecurity is a highly desirable field, and it's likely that there are individuals within your own organization who would jump at the opportunity to retrain themselves for a security role.
Search for employees with a proven track record of success in other technical positions and offer them the opportunity to obtain cybersecurity training and on-the-job experience in a low risk environment. The benefit of this approach is that you don't need to sell those candidates on your organization or city — they're already there! You simply need to give them the tools that they need to succeed.
One word of warning if you choose to pursue this approach: As soon as individuals get some training and cybersecurity experience under their belts, they become part of the in-demand cybersecurity workforce and will be attractive to other employers. You may wish to place conditions on their training that they either remain with the company for a certain period of time, or must repay some of the expenses. Check with your human resources team to learn more about the restrictions that apply in your jurisdiction.
Another way that you can reduce your need to hire external candidates for cybersecurity positions is to reduce the likelihood that current employees leave your firm! Treat your employees well and offer them market-competitive salaries to ensure that the grass doesn't look greener at other firms. It's often much easier to retain an existing employee than to fill an open position.
No end in sight
The cybersecurity job market continues to heat up. Employers are bound to feel the crunch as they seek to fill the 1.8 million positions expected to open over the next five years. Today's market clearly favors the skilled cybersecurity professional. Employers who go the extra mile to build strong applicant pools and attract (and retain) top talent will reap the increasingly valuable benefits of having a strong, productive security team.