Recruitment remains a major problem for cyber security departments, and there seems to be no easy solution. One difficulty is that the issue is described in vague terms and throw-away statements: there’s a skills shortage; there are too many vacancies and not enough candidates; cyber security isn’t promoted as a worthwhile career in schools.
All of these are only partly true, and none offers a solution. Consider the ISACA/RSA Conference report titled State of Cybersecurity 2016. 461 cyber security managers and practitioners were asked, among many other questions: “What are the most significant skills gaps you or your organization sees among today’s cybersecurity/information security professionals?”
Knowing that there is a skills gap, one might expect ‘security technical skills’ to be the most popular response. It was not. The primary skills gap lies in the ability of candidates to understand the business (75%). A lack of technical skills scored only 61%; equal, in fact, to another non-technical issue – poor communication.
The reality of cyber security today is that the profession is changing. Technical ability is no longer the prime requirement; rather, it is the ability to align security with the business and to communicate security issues to completely non-technical business leaders. To a certain extent, technical skills can be taught ‘on the job’, whereas soft skills are largely inherent in the person.
However, understanding the true nature of the skills gap still doesn’t help the security department struggling to fill its vacancies. The same ISACA/RSA Conference report shows that fully 28% of vacancies remain unfilled for six months while only 8% are filled within one month.
Again, such broad-brush statements hide the reality: some companies can fill vacancies rapidly, while others will always struggle. For example, small companies in tech-concentrated localities will struggle in the face of the higher salaries offered by larger companies. In practice, the smaller companies may be the better employers, since they are forced to make their positions and workplaces more attractive in other ways.
Similarly, large companies can poach staff from smaller companies through better pay packages. So to a certain extent, the existing pool of specialists is continually recycled, rather than the large companies taking responsibility for bringing in and training new talent.
None of this changes the reality: for most companies, security recruitment is a problem. To solve it, they have to be imaginative. One approach is to recruit from within, but ahead of the expected need. That way the right attitude can be recruited first, and the right technical skills developed afterwards.
Referral programs can also be successful, and they are more successful where a decent referral bonus is on offer. But one of the most successful routes is to develop a solid intern program, preferably with a local higher education establishment. Mentored interns provide an immediate resource. Internships should still be paid, though at less than a full-time employee’s salary.
While the interns are still at college, they can be trained into security specialists. Both sides get a good look at the other, with a good probability of an experienced, motivated and fully acclimatized employee at the end.