It’s tempting to view cybersecurity through the lens that new and better technology will knock down threats and deliver all the protection an organization needs. While the right tools, applications and systems are essential, the problem for most organizations is managing a security framework.
Currently, nearly 600,000 cybersecurity positions remain unfilled in the US or, put another way, about 46% of all cyber positions. Globally, the shortage is approximately 2.7 million. What’s more, the problem is accelerating.
This talent shortage has real-world repercussions. It makes it more difficult to use tools and technologies effectively, and it also overburdens existing staff and results in protection gaps that increase risks. Yet, snagging cybersecurity talent is an increasingly daunting task. It often seems as though people with the right background and qualifications simply don’t exist.
The upshot? Security leaders must approach staffing in broader and deeper ways. These days, it isn’t enough to rely only on those with degrees, certifications and past experience. By expanding the labor pool to those who are self-taught or have a knack for cybersecurity—and training them for specific roles—the universe of candidates expands exponentially.
Taking a Position
It’s tempting to rely on all the usual suspects for attracting talent. This may involve posting job listings on LinkedIn and on conventional job boards, posting openings on a company’s website, or using computer programs to scan résumés and look for talent by searching on keywords.
A starting point for spotting cybersecurity talent is to think more broadly. For example, college job fairs, gaming conventions, hackathons and various other events can serve as valuable resources. A booth or even an informal presence at industry events can pay enormous dividends. It may also be possible to sponsor programs or participate in learning partnerships at universities and technical institutes—and thus establish connections with professors and students.
Yet, it’s also critical to rethink the fundamental way an organization approaches hiring. Unfortunately, many companies are entirely out of sync with the marketplace. For example, it isn’t uncommon on LinkedIn to see “entry level” job postings that require multiple certifications and several years of experience. The idea that an entry-level position requires this type of background is unrealistic and counterproductive.
In fact, Gartner and other consulting firms point out that security leaders and human resources departments habitually undermine recruiting efforts by writing job postings that contain too narrow or overly vague qualifications. Not surprisingly, onerous or unclear requirements intimidate and scare off qualified candidates. Buzzwords only serve to complicate things—especially when algorithms are doing much of the initial screening.
Instead, it’s better to focus on broadening the net…and requirements. For instance, only about 25% of all cybersecurity positions are currently held by women. Broadening the net also means looking beyond computer science majors to fill cybersecurity positions. Many jobs in the field do not require a formal computer science education and technical certifications. Oftentimes, it’s possible to get a bright and motivated person up to speed quickly, with minimal training.
In other words, it’s the underlying attitude and qualities that matter. The ability and desire to solve puzzles is the cornerstone of a good cybersecurity pro. So too is working with others. With the right training, certifications and a mentoring program, candidates with minimal practical experience who are motivated to learn will ultimately perform well.
The bottom line? Instead of forcing applicants to conform to the unrealistic expectations of the company, it pays to bend a bit to accommodate the candidate. In the end, everyone wins.
Risks and Rewards
Of course, attracting talent is only part of the picture. There’s also a need to retain expertise—and avoid other firms poaching staff. While salary is certainly a starting point for all work, it’s vital to look beyond the flat earth of thinking that money is the primary factor for winning the talent wars.
In reality, successful organizations strive for an engaged culture—and work hard to establish a framework where people fully trust each other. This means creating meaningful work and providing opportunities to advance in the organization and within the field. Not surprisingly, many younger workers, particularly Millennials, thrive in environments where they have a chance to continually learn, advance and have fun.
And, yes, cybersecurity can be incredibly fun and engaging—even if it’s serious and at times frustrating work. A few ways to make work interesting, while ratcheting up protections, are red and blue team events, internal hackathons, and various contests—which may include modest prizes and rewards. It’s also possible to tap cyber-skill-building and development tools that emulate real-world events and allow staff to test and develop their skills in realistic scenarios.
When organizations adopt a broader yet more focused framework for cybersecurity staffing, they’re suddenly positioned to gain a clear competitive advantage in the labor market. Instead of constantly scrambling for talent, they can organically attract new candidates.