If you are a cybersecurity professional, you already know that there is a serious shortage of qualified talent. According to the U.S. Bureau of Labor Statistics, there were almost 210,000 unfilled cybersecurity positions in 2015, job postings increased 74 percent during the five years ending in 2015, and the demand is expected to increase an additional 53 percent by 2018. A study conducted by Frost & Sullivan and (ISC)2 in October 2014 adds two details that are troubling. First, if the shortage is not quickly addressed, the global shortfall by 2020 will be an estimated 1.5 million cybersecurity professionals. Second, fewer than 6 percent of the study's participants were younger than 30, indicating that organizations cannot rely on a tidal wave of new graduates to fill vacancies.
The shortage of talent is affecting all types of organizations in a variety of ways. Breaches go undetected, incident response times stretch to days or weeks, malware compromises the network so severely that employees cannot do their jobs, and sales can be lost during an uncontrolled denial-of-service attack.
Many companies report that they are too short-staffed to handle the challenges they face. They seem to be actively recruiting on a continuous basis, but they simply cannot find candidates. In some organizations, the pressure to fill open jobs triggers a feeling of desperation, which can result in the hiring of unsuitable personnel. The goal is not to simply put people in vacant chairs; you need to hire the right people. The following may help you find and retain the right talent for your organization.
- Define the exact skills that you need. Effective cybersecurity requires more than just technical skills — "people skills" can be equally important. Your team members must be effective communicators; verbal and written communication skills are essential, but they also need to know how to listen proactively. The soft skills can be as important as the technical skills if the job requires extensive collaboration or communication with customers, members of upper management or vendors.
- Consider relaxing your educational requirements. Many companies would prefer to hire only personnel with a bachelor's degree in cybersecurity and several years of experience, but talent like that can be hard to find. For some positions, numerous organizations have found that candidates with a background in the military, forensic science, law enforcement or forensic accounting have had the "right stuff" to become exemplary cybersecurity analysts. A growing number of companies are not even requiring any type of degree for certain positions, with one company reporting that one of its best security analysts was actually a former professional poker player. Hackathons and other competitions can often provide recruiters with skilled candidates, despite their lack of educational credentials.
- Ask the right questions during the interview. Naturally, it is important to know the candidate's educational background and work experience, but these two areas are not sufficient grounds for hiring a particular candidate. Your new hire will likely be required to perform under intense pressure, so you should consider looking for a sense of humor, a willingness to collaborate and a passion for the work. Ask questions that provide insight into how candidates handle conflicts, what they consider to have been their most difficult challenge, how they coped with being overruled by a superior on an issue about which they strongly believed they were right, or examples of times when they have volunteered for additional responsibilities.
- Be active on the social networks, especially if you are attempting to recruit entry-level or youthful candidates. Keep in mind that ideal candidates are going to be more guarded when online, so be prepared to meet them on their terms to conduct a conversation. Be creative and thoughtful when engaging candidates, but avoid gimmicks and arm-twisting recruitment pitches. The best candidates want to work for the best companies, so your challenge is to position your organization as a leader in the industry without sounding smug or condescending, belittling the competition or pushing candidates to make any type of commitment — even if it is only submitting a resume — until they are ready.
- Once you have hired a candidate, you should turn your attention to retaining him or her. Automating routine tasks can help prevent burnout and free staff members for work that they will find more interesting, less annoying and more challenging. Mentor youthful employees to ensure that they receive the training that they need. Advise employees on the career paths from which they can choose within your organization. Remember that salary alone will not be sufficient to retain an unhappy employee, so look for opportunities to engage staff members in ways that they find interesting and relevant.
The shortage of talent is expected to continue for many years to come. Organizations that position themselves to find and retain the best talent will have an advantage over those that do not, and will be better equipped to protect and secure their networks.