The cyber security workforce gap has been well documented – with most estimates of the shortage hovering around 1.5 million. We’ve written about the gap, and how the best organizations are overcoming it.
But there’s another problem that’s staring us in the face: As an industry, we’re just not that good at hiring for cyber security positions.
Really, the very concept of hiring for cyber security is still in its infancy.
Steve Katz is widely credited as being the first to hold the CISO title back in 1985. But most organizations didn’t really start building dedicated cyber security teams until much later, leaving us with only a few years of hiring data around cyber security jobs.
That means that for most corporate recruiters and HR professionals, hiring for cyber roles has been a learning process based mostly on trial and error.
Here are the mistakes we see companies making most often and how to avoid them:
1. Focusing too much on past experience
If you’re looking for highly experienced resources, or those with long academic and professional backgrounds in cyber security – good luck. There aren’t many out there. This is partly because most cyber fields are still very young, and partly because the most senior resources tend to get gobbled up by the highest bidder in a wildly out-of-control job market.
But if you look closely, many of our current generation of cyber security thought leaders came from education backgrounds outside of cyber. These leaders brought with them a diverse set of experiences and ideas, and the industry is richer for it. There’s no reason this trend should stop.
So we suggest spending more time talking about the types of people you want, and not the companies they’ve worked for. Talk with those sifting through the resumes – often your HR or recruiting team – about personality traits that would be desirable, and make sure they understand what the job really entails (problem solving, creativity, client service, etc.).
Sometimes people coming out of related disciplines like IT or business make for excellent entry-level cyber hires. Even people coming from seemingly unrelated disciplines, like the arts or sciences, may bring a unique perspective and a new set of skills that could add to your team.
Encourage those doing the searching to think outside the box about what might make a successful candidate.
2. Not adapting your hiring process for cyber security
For all of the aforementioned reasons, hiring for cyber security positions is a little different than for other parts of your business. Candidates are harder to find and even harder to assess.
You’ll need to find a process that fits your hiring cadence and team, but you should at least consider adding these two key steps to your interview process:
Requesting cover letters: Cover letters are considered by some a relic of an outmoded hiring process. But they change your hiring process in two key ways: First, they give applicants an opportunity to concisely explain why their past experiences align to the role (especially when their background isn’t strictly cyber security), and second, it helps you evaluate the soft skills of the candidate.
Requiring an assessment, especially for junior hires: Some senior-level hires may balk at a test as part of the hiring process, but junior hires won’t (if they want the job, at least). Assessing new hires based on a reasonable skills expectation, problem-solving ability, or technical aptitude is a great way to filter candidates and can help prevent bad hires. But don’t require an assessment just for the sake of it – put thought and effort into building a practical assessment that accurately reflects the specific KSAs you need for the position (read more about using cyber security KSAs here).
3. Overshooting the skills required
To put it bluntly: too many companies have wildly unrealistic expectations of entry-level hires. The mentality that seeks to find entry-level hires with vast and refined skillsets can make it exceedingly difficult to fill positions. It often causes companies to exclude candidates that should be in demand: those that have a small but reliable set of skills, PLUS the desire and passion to grow into a role.
Companies fall into this trap because they lack the workforce development capabilities to rapidly bring new hires to mission readiness. And while building a workforce development program to do this requires considerable effort in its own right, it’s a far more sustainable solution than looking for purple squirrels – those elusive, fresh-from-school hires with low salary expectations and the ability to wear multiple hats within your security organization. They simply don’t exist.
Be realistic about the baseline skills needed to do the day-to-day job, and build pathways for entry-level hires to grow quickly and advance in the organization. And make sure that your job descriptions accurately reflect those realistic skill requirements.
4. Offering the wrong mix of benefits
With cyber security salaries skyrocketing, it’s not surprising that many companies are trying to avoid competing for hires based on salary alone, instead touting a wide array of other benefits to give their company an edge.
One way to differentiate your company is through an improved workforce development program. More than 65% of workers say training and development is the most important workplace policy, topping the list of desired perks alongside scheduling flexibility and medical/dental benefits. And only a third of companies, according to a recent (ISC)2 workforce study, are covering the cost of security training for their employees.
This means there’s a huge demand for cyber training – and few companies stepping up to provide it to their employees.
Capitalizing on this imbalance is one way to put yourself ahead of other companies competing for the same talent, and at the same time, making meaningful improvements to your security posture.
Small changes to your hiring practices can make a big difference in your ability to find and hire the right candidates for your security team. And feeding those new hires into an established workforce development program (check out this cyber workforce development case study) can take your team to the next level, allowing for sustained excellence within your security operations team.
To learn more about how to build a workforce development program that incorporates these hiring best practices, check out our virtual white paper, the Essential Guide to Cyber Workforce Development.