You've heard it before: cybersecurity talent is hard to find. With the need for experts growing and the cybersecurity skills required of them changing rapidly, enterprise hiring challenges are only going to compound. The question is whether we really lack people to fill the jobs, or whether something else is going on that requires us to change how we expand, evaluate and engage with the candidate pool.
"The shortage of strong security talent is driving demand, and many companies are losing out because corporate policies affecting pay and benefits are not evolving to address these concerns quickly enough," Marci McCarthy, president and CEO of IT security networking firm T.E.N., said. "Retention at all levels -- especially at the higher leadership levels where pressure is high and skill sets demand both technical and business acumen -- is a significant problem for many companies."
The challenge is not solely rooted in budget, either. An unwillingness to pay cannot by itself explain the shortfall in supply; the gap is far too large for that to be the whole story.
"As an industry, we have over one million open cybersecurity jobs," Tammy Moskites, CIO and CISO at security vendor Venafi, said during a session at the recent ISSA International Conference in Chicago. "Dice, a career website serving information technology and engineering professionals, recently reported a 90% year-over-year increase in cybersecurity jobs."
Based on these figures, it appears the industry is heading in the wrong direction; demand for cybersecurity skills is on the rise, and filling positions can be a long and difficult process. According to a recent survey jointly conducted by market research firm IDC and T.E.N., it takes about three months to fill an entry-level security position.
"Our study also shows senior security leadership positions are often left unfilled for 12 to 18 months or longer," McCarthy said. "Open leadership positions put an organization at risk for compromise, which can be costly and detrimental to the brand. The talent shortage needs to be addressed at all levels. While organizations and individuals are willing to give each other a chance, they still require at least five years under their belt before doing so."
To address this challenge, the cybersecurity skills supply chain needs a reboot. Budgeting should be included as part of this reboot, but a number of other factors must also be considered. Here's a look at a few ways to increase the pool of skilled cybersecurity professionals.
Develop the next generation of cybersecurity professionals
The biggest part of the supply vs. demand dilemma lies in the supply; if there isn't enough supply, we need to figure out how to get more. The challenge here is getting more people interested in security as a career and helping them understand why a job in this field is a good move for them.
One of the biggest concerns is that college students looking at the IT industry often don't understand what "security" is. It can be hard to get students interested in information security as the details of what's truly involved are often missing from the job descriptions they see and read. Students only hear "security" and don't know there's a difference between infrastructure security, systems security, application security, program management, or even marketing and communications.
To overcome this challenge, the industry needs to help people understand what cybersecurity professionals are and what they do.
"Most people think security is only about technology -- people sitting in front of a computer all day," Moskites said. "Students don't know what to get excited about or what to study. They don't know how their studies will relate to the jobs they will look for when they graduate."
The first hurdle a candidate must clear when looking for a job is the human resources department's initial, and often automated, screening filter. Only after passing it can the candidate have a substantive conversation with HR representatives, the panel of interviewers and, ultimately, the hiring manager.
To help address this challenge, ISSA International recently released the Cyber Security Career Lifecycle (CSCL). The CSCL defines five career levels, each with guidance on what is expected of someone at that level. A "Pre-Professional," for example, is any individual who has not yet obtained a position in the security field, and "Entry Level" covers individuals who have "yet to master general cybersecurity methodologies/principles."
Educating the educators: Develop a cyber-aware faculty
A number of collegiate programs and university courses focus solely on the technology, missing out on the opportunity to teach beyond the bits and bytes. There are business aspects that need to be taught -- for example, understanding why security matters and what its value is to the business.
Students need to be taught that security extends well beyond the core of IT. Subjects such as legal, risk, communications and other nontechnical aspects of the business that organizations deal with day-in and day-out can all be connected to security in some fashion.
Dan Geer, CISO of In-Q-Tel, a non-profit technology investment firm, said people with video game development experience are constantly role playing, storytelling and problem solving, which are all relevant attributes for a cybersecurity professional.
"Game designers would be an invaluable resource for cybersecurity talent in this field," Geer said. "It isn't just about mathematics and engineering."
"The younger population needs to be exposed to the field of security much sooner," Candy Alexander, a security GRC consultant and an ISSA board member, said. "We need to encourage schools to offer more guidance to their students, earlier and more often so they have an appreciation for, a desire to join the field, and can prepare to succeed in the field."
Educating the company: Develop a strong recruitment machine
All too often, companies put a number of false filters on the hires they attempt to make. They may require a degree, a certification or a certain number of years of experience in a particular role or position. Each of these filters, individually and collectively, squeezes the talent pool to the point that the number of viable candidates is drastically reduced.
Many companies also put another filter in place that culls candidates well before they get a chance to meet the hiring manager: requiring candidates to hold the Certified Information Systems Security Professional (CISSP) certification.
"90% or more of security engineering jobs require a CISSP, representing tens of thousands of jobs," Moskites said. "Think about this: Certification requires five years of experience in the security space. If the company is hiring for an entry-level role, the people applying for the job may not have five years of experience in the role."
Candidates that could be great options have now been filtered out before they even get a chance to apply.
"Similarly, many job descriptions call for decades of experience with technologies that have only been around for a couple years," Moskites added. "Ten years of FireEye experience, for example, isn't going to work. The solution hasn't even been around that long."
These filters have been working against enterprises for years, likely costing organizations many candidates who could have flourished as career cybersecurity professionals.
Educating the hiring manager: Develop the right team for the company
Enterprises apply yet another filter when they consider only candidates with direct experience in a particular security-related role. Skills from other industries may be highly relevant, but a resume may describe them with terms or phrases different from the ones the HR team or the hiring manager is searching for. The hiring manager may not realize the core functions of those roles are almost identical to what they need.
For example, there are positions in different industries that analyze data, look for risks, identify anomalies, anticipate disruptive events, and quickly respond to incidents -- skills that are certainly relevant and important in certain security roles.
"A person that studies why bridges fall down could have the skill set and mindset used to identify why networks fall down," Geer said.
Organizations may well find the talent they are looking for once they remove these filters. And it's not just about hard skills: soft skills are just as important as degrees and experience.
"Be sure to hire folks that can also talk to the lines of business," Alexander said. "These skills often get overlooked even though they can provide tremendous value to the company."
Alexander said written and verbal communications, problem solving, and mentorship ability are valuable soft skills to look for in potential candidates for cybersecurity positions. Moskites added creative thinking, troubleshooting and adaptability to the list of soft skills that can indicate if a candidate is a cultural fit for an enterprise.
Geer also described a disposition cybersecurity professionals need: "New people joining this field need to be prepared for ambiguity and challenge -- there will be long periods of boredom with unplanned moments of panic. This is an event-driven profession."
Educating the employee: Develop a long-term relationship
Once an organization has made a great hire, it needs to get the most out of that investment, and that means keeping the new employee happy.
"I give my security professionals raises twice a year," Moskites said. "If they work hard beyond what's expected of them, I give them time off during the week to recoup."
Organizations also need to keep cybersecurity professionals inspired and motivated. Alexander, for example, said enterprises should clearly define roles and articulate job responsibilities, but also give employees the opportunity to work on things that excite them, along with ongoing guidance on a career path and on how to reach the goals that will get them to the next level.
It's also important to keep those cybersecurity professionals educated.
"Invest in your staff and invest in training," Alexander said. "Don't focus solely on technical training. There are many other skills for security professionals to attain. Communications, program management and leadership are just a few examples."
Companies that continue to hire and retain cybersecurity talent the way they always have will likely be left behind while competitors hire the top talent out from under them. Ultimately, education is key. Employers need to educate candidates on what cybersecurity skills they are looking for. The industry needs to educate the educators so they know what to teach future cybersecurity professionals. Enterprises need to educate their human resources departments so they know what the security team really needs and can remove the unnecessary hiring filters.
Additionally, security managers need to educate themselves, set aside any preconceived notions and look for candidates with skills that apply to the role, even if their previous positions and experience were not directly tied to security. And enterprises must continue to educate employees so they can keep them once they have made a successful hire. In the end, an educated, informed community will be a stronger community.