How to Build a Next-Generation Cybersecurity Team

Danny Bradbury

Cybersecurity challenges are increasing, and people are getting harder to find. Here’s how to build a solid team.

The adage is true: Good people are hard to find, especially in the cybersecurity space. As threats mount and become more sophisticated, it is more important than ever to build cohesive, forward-thinking cybersecurity teams that can think strategically and excel operationally. Unfortunately, there are not that many seasoned cybersecurity pros to go around.

Those that do exist are in high demand. The Enterprise Strategy Group and the Information Systems Security Association surveyed 343 cybersecurity professionals around the world in 2017. Half of them received solicitations for other cybersecurity jobs at least once each week.

70% of these cybersecurity pros said that the skills shortage had affected their organization, forcing their company to recruit junior employees instead of more experienced people. It also hindered their ability to plan longer-term cybersecurity strategies, forcing them instead to focus on high-priority security events.

Faced with this cybersecurity skills crunch, how can organizations attract, recruit and retain top cybersecurity talent to build the perfect team? Changing recruitment practices to suit the market can help to attract and identify new people.

Relax outdated requirements

Focusing on fewer certifications can broaden the pool of potential candidates without sacrificing quality. Many companies demand a slew of cybersecurity certifications before they will consider a candidate. The ESG survey found that the (ISC)2 Certified Information Systems Security Professional (CISSP) certification is the most popular among cybersecurity pros, with 52% having earned it. Fewer than one in five professionals attained the next most popular certification.

The same goes for bachelor’s degrees. With an increasing number of expert security professionals coming from non-traditional, self-taught backgrounds, university degrees may be an outmoded concept in a skill-constrained market. Looking outside traditional university graduate groups might surface some promising candidates.

Don’t just stop at non-university graduates when looking outside traditionally-targeted groups for cybersecurity skills. Cast the net wider by actively encouraging applications from underrepresented groups such as women, people of colour, and those from untraditional socioeconomic backgrounds.

Look beyond traditional candidates

How can you target those groups? Instead of waiting for them to find you, you may have to go and find them. Go beyond the traditional job boards and recruitment outsourcing channels. Seek out cybersecurity groups that meet both physically and online to find potential candidates.

This kind of active outreach helps companies find those promising candidates that others miss. A strong social media presence can help here, but that means more than simply having your own Twitter account. It means taking time to find and participate in those cybersecurity forums where talent collects. That is a time-intensive process.

A focus on diversity can also help to retain and develop cybersecurity staff internally. By creating a welcoming atmosphere that mentors and encourages staff from all backgrounds, businesses can hang onto cybersecurity employees and increase their value over time. Today’s SOC analyst could be tomorrow’s cloud security specialist, given enough internal training and encouragement.

Innovate to attract

For many cybersecurity pros, a positive work environment goes beyond one that is welcoming and collaborative. It is also one that is fun and stimulating to work in. Attract the right kind of professional by highlighting exciting projects and technologies within your cybersecurity operation.

Are you creating an internal pen testing team, or even engaging in red/blue team exercises? Do you encourage your cybersecurity professionals to contribute to open source projects in this space? Are you folding security into a DevOps software development initiative? These are all projects that might excite cybersecurity pros and encourage them to choose your company over another.

Make no mistake: Recruiting cybersecurity skills is an uphill battle. But by being creative and flexible in your approach, and by encouraging a culture of innovation and experimentation, you will put yourself ahead of the pack in the race to find the right people.

Supercharge your cybersecurity recruitment and retention in these ways:

Relax requirements around certification and qualifications.

Look further than the traditional cybersecurity talent pool for skills.

Invest time in training. It may be easier to find someone with the right aptitude and spend a few months helping them develop specific skills.

Create a welcoming environment to retain and foster skills internally.

One comment

  1. As the ISSA representative working with ESG on this survey, you’ve hit some of the great points we’ve uncovered in our research. It is important to remember that although CyberSec are similar to IT, we have different needs. That when building teams, it is important to “think outside the box” in getting the team together, trained, and stimulated for all that comes at us. Thank you!!
