Blue collar man
Cybersecurity staffing is a hot button issue. Every security organization has had (at least) some level of conversation about adding talent to the team, and how doing so requires personnel inventory that is not currently available. Security media have reported that the problem is only going to get worse. Depending on your source, the industry could see 1.5 million unfilled security jobs by 2020 or 3 million by 2024. Even at “low end” estimates, that’s still a lot of vacancy.
Professionals in the in the industry have been debating the root cause of the staffing shortage. Consensus is that cybersecurity is a growing field and not enough people are entering the profession due to a variety of factors: Lack of formal education, lack of awareness about what it takes/means to be/become a security practitioner, diversity and acceptance issues, not enough support for security programs from executive teams, etc. There has been a lot of speculation but little data to guide hiring processes and decisions. Aside from dangling attractive employment packages in front of top practitioners, many security teams are at a loss for how to revamp hiring and make it more efficient and effective. As a result, many companies stay the course and bemoan the plight of the industry.
One organization, CyberSN, a cybersecurity staffing firm, commissioned a study to gain a better understanding of hiring firms’ “common practices, challenges, and pitfalls of cyber-recruiting.” The idea behind the study, conducted by Chenxi Wang, Founder of the Jane Bond Project, is to aggregate data that help organizations understand “why jobs go unfilled for reasons beyond the talent shortage.” Though benchmark data are useful, they are only so if an organization chooses to take action against it. Simply understanding that 20% of companies finding hiring knowledgeable security practitioners “difficult” and 80% say that it’s “very difficult” won’t fill open positions. Knowing that “more than 50% of the companies” surveyed are “hiring above salary range” won’t do your organization any good unless you can first find eligible candidates.
The more interesting part of the survey is the “Top 3 Reasons Why Recruiting for Cyber Security is Difficult.” According to the study, the reasons are “lack of available talent, a broken HR process, and unreliable compensation data for cyber security positions.” Though the report did not provide a breakout of the percentage of respondents who chose each category, only the middle reason—a broken HR process—is truly something that can be affected immediately.
Let me explain.
Yes, there are currently more jobs in security than available security talent. (N.B. There are individuals in the industry who argue that this is a false flag, and others who say organizations can do more to lessen the burden on current staff, thereby reducing overall need.) Finding efficiencies in your organization is absolutely one method of reducing the talent gap. Still, security is a growing field and no matter how you look at it, more practitioners will be necessary in the months and years to come.
Companies that feel the pain—or even the pressure—can get involved in education efforts. Palo Alto Networks teamed up with the Girl Scouts, for instance. Some colleges and universities are offering pre-college kids the opportunity to learn to hack, and a simple internet search reveals dozens of cybersecurity camps for kids.
Improved education and skill development is 100% mandatory, but the impacts will only be felt once kids are old enough to enter the workforce. For the short term (and I do not advocate focusing solely on short term at the expense of long-term needs), security can work more closely with HR departments and recruiters. In a Dark Reading article about the survey, Wang relayed a story about an organization whose HR team turned away a highly-qualified prospective candidate because “he ‘didn’t look into your eyes’ when he talked.” This, Wang explains, demonstrates a lack of understanding about hiring for a niche field.
Indeed, HR generalists are vetting security candidates alongside sales people, for instance, whose personalities are vastly different. While a sales person may know how to “turn it on” during an interview, being the most engaging person in a room is not a requirement for many security positions. HR might not “warm up” to security candidates in the same way she/he would to someone who isn’t effusive, but that doesn’t make the candidate less qualified for the position.
Diedre Diamond, CEO of CyberSN says “it isn’t fair” to expect HR departments to recruit for security positions. However, it might not be practical for many companies to hire a recruiting specialist like CyberSN. Even organizations that can hire custom recruiters would benefit from improved relations with internal HR teams (most companies don’t only use external firms). Savvy HR professionals might eventually learn the idiosyncrasies of various lines of business, but how often do hiring managers sit down with the HR person pre-screening candidates and explain typical personality traits or habits of the people they want to hire? A good guess: almost none. Typically, HR receives a job description or list of desired qualifications from the hiring manger then massages those details into a publishable format. She/he might ask the hiring manager for additional evaluable information, like certifications or degrees that can be added to the job description, but that’s about it.
This exchange, while commonplace, isn’t helping HR staff grow acquaintance with security practitioners, yet this information would help HR be a better partner in the hiring process. If security managers would take time to get to know HR staff and familiarize them with security’s idiosyncrasies, HR would be more equipped to find and pass along better candidates. Without this knowledge, HR is left to its own devices, which is to screen out candidates based on generic information.
Security pros often feel it’s easier to use their personal/professional network to find candidates rather than work with/rely on HR. In the long run, though, developing a hiring partner will lessen security’s own burden, thus freeing up more time to manage actual security.
Attend InfoSec World 2018 in Orlando, Florida, March 19-21, 2018 to learn more about how to effectively overcome staffing challenges.