It’s a good time to be a cybersecurity expert — and a bad time to try to hire one.
“We’re as close as possible to our unemployment rate being zero,” says Sam Olyaei, senior research analyst, at Gartner Security & Risk Assessment Summit in National Harbor, MD. “If you’re a cybersecurity professional with any kind of skill set, you already have a job and multiple offers on the table.”
There are currently more than 348,000 open security positions, according to CyberSeek. By 2022, there will be 1.8 million unfilled positions, according to the Center for Cyber Safety and Education. As companies evolve toward digital business and bimodal setups, these skills are becoming more difficult to find and more expensive to hire, particularly in rural areas.
Companies need to be able to attract this type of talent, or risk being a part of the business strategy.
“The talent shortage is here and it’s here to stay. It’s not going away, so we can either confront it or be left behind and lose our seat at the table,” says Olyaei.
Attracting cybersecurity experts is challenging, but companies can adjust what they are currently doing to recruit and offer internal opportunities.
Evaluate your job postings
“Review your current job postings,” says Matt Stamper, research director, to determine whether the listings themselves are an issue. “Are the titles enticing? Are they accurate? Do they describe multiple roles in one listing? Figure out what the minimum role requirements are and list only those. You should also consider whether certifications like CISSPs/CISMs are absolutely necessary for the position.” This is also a good time to take a look at your company culture to see if it might attract or deter the type of candidates you’re ultimately seeking. If the culture is lacking, it doesn’t necessarily mean you need to overhaul the company. But adjusting the job listings and presentation to make the team look innovative and fresh can result in better candidates.
Automate the boring parts
Because it’s so difficult to hire new staff, it’s important that you have your team focus on the most important tasks and automate the manual ones, such as log reviews. By using tools to complete manual tasks, your skilled team can use their time on value-add activities. Look again at your job listings to see if you’re trying to hire for positions that should really be outsourced.
Support and grow your current team
There are many people who are interested in cybersecurity — even in your own company — but they may be confused about the requirements for getting started. Look internally, but outside of IT, for individuals with skill sets that could be helpful to your team.
Look to local universities and see if their curricula match your desired skill sets. If they don’t, talk to the deans or heads of computer science departments, explain what you’re looking for, and explore potential internships where your team can coach and guide future talent.
Don’t forget sources of nontraditional talent, such as hackathons. These can be helpful for getting adjacent communities, such as mathematics, thinking in a cybersecurity direction.
Don’t duplicate work
Some government groups do a lot of cybersecurity legwork that will be valuable to your team. Investigate the National Initiative for Security Education Cybersecurity Workforce Framework and the National Initiative for Cybersecurity Careers and Studies. The first categorizes and describes cybersecurity work within 7 categories and 33 specialty areas. The second is a blueprint of key cybersecurity competencies. Leverage them to fast-track your recruiting. Engage with your HR team and find ways to start solving this shortage.