The “Great Resignation”, or the “Big Quit”, is one of the biggest challenges facing employers and professionals in every industry right now. Is it a temporary trend as we recover from the upheaval of a global pandemic, or is it a symptom of a larger employment problem? And how does the cybersecurity industry, which was suffering from a labor shortage even before the pandemic, keep its staff engaged, productive, and happy?
For 20 years, from 2000 to 2020, the US resignation rate never surpassed 2.4% of the total workforce. At the height of the pandemic in April 2020, the quit rate fell to just 1.6%, with employees plunged into lockdown and either unable to job hunt or laid off by employers. As the pandemic continued into 2021, the number of resignations climbed steadily, reaching 2.9% in August 2021, the highest on record. Tech is one of the hardest-hit industries, with resignations increasing by 4.5%.
Many attribute this employee exodus to the pandemic shifting priorities in both our lives and our careers: professionals who delayed leaving their roles until the pandemic eased are now moving on, often in search of more flexibility or better work-life balance. Half of the professionals surveyed in ISACA’s State of Cybersecurity Report felt that cyber employees are leaving their current jobs because of a lack of promotion opportunities and poor financial incentives, and 40% also blamed high stress levels at work. Stress among cybersecurity teams is common: 91% of CISOs report moderate or high stress, and 57% of employees are currently in a state of burnout.
ISACA’s report also cited limited remote work opportunities, poor work culture, and lack of management support as key factors contributing to cyber resignations. While a small share of cyber resignations was attributed to a desire to change career path (8% said that cyber professionals leave their jobs to switch industries), it is clear that the vast majority of resignations were motivated by working conditions and employer practices.
Another factor driving cyber resignations is the ill-defined job descriptions used across the industry, which rarely reflect the real tasks, projects, and working conditions of a role. The result is a mismatch between what a cyber professional expected and what is actually required of them day to day, which makes them more likely to pursue a new role sooner.
After recognizing this, CyberSN developed our exclusive Job Taxonomy to give the cybersecurity industry a common language. The Job Taxonomy categorizes every cyber job in the US into 45 functional roles, streamlining job description creation and making roles far easier for professionals to find. It lets companies portray more accurately what they expect from their cyber professionals.
The best way to avoid being affected by soaring resignation rates is to focus on employee retention. The work doesn’t stop once the right professionals have been found and hired — to keep them engaged and enjoying their role, employers must commit to improving team communication, developing diversity, equity, and inclusion policies, investing in emotional intelligence (EQ) training, and even reskilling current employees to promote internally. By providing consistent career planning and investing in company culture, organizations will see retention flourish.
CyberSN has identified that all people want the same 7 things at work:
By understanding and implementing these 7 things, employers can see improved retention and avoid the negative impacts of the Great Resignation.
A certain level of employee churn is expected. People grow and change, making way for fresh perspectives. However, it’s important to ensure that employees are never leaving for the wrong reasons. The Great Resignation does have a silver lining — the spike in resignations will hopefully cast a spotlight on retention and cause a shift in hiring and continued employment practices, giving the job seeker a more equitable experience and putting retention on the front-burner of employer policies.
For support with employee retention, training, and all things cyber recruitment, reach out to a CyberSN consultant.
Resumes are seen as an essential part of the job search today. Leonardo da Vinci is credited with creating the first resume in 1482, and in the 538 years since, the basic format of the resumes we create has changed only marginally. Meanwhile, 38% of cyber professionals are experiencing overwork and burnout, causing widespread workplace stress. In an era of ever-improving technology, should we be considering another approach to job seeking, one that supports career satisfaction?
Resumes are a tried and tested way to organize your experience and skills, prepare for an interview where you’ll be talking about yourself, and communicate your personality to prospective employers. They’re a trusted medium, understood by professionals and organizations alike. Resumes often use the same format – they lead with personal information, then list roles and previous work experience and highlight the things that we deem to be most relevant to the position in mind.
However, resumes fail to represent the true value that professionals have to offer. Vital task and project information is often missing, with personal details prioritized instead. Resumes also allow hiring managers to focus on certain groups that they want to hire or subconsciously look for things they understand, such as education, previous companies, or even names - leading to inadvertent hiring biases.
As a result, diversity cannot be achieved, job screening is poor, professionals waste time interviewing for jobs that don’t fit them, and job seekers end up settling for roles they don’t love. And if they don’t love them, they won’t stay in them – retention in the cybersecurity industry is particularly poor, with the average tenure of a CISO now only 18-24 months.
In an era of ever-improving technology, we need a better way to find each other, enable inclusive behavior, and match with the right jobs, fast.
A CyberSN confidential public profile is built interactively by job seekers to highlight the tasks and projects that they’ve worked on. In addition to being tailored towards SEO and applicant tracking systems (giving you an advantage over recruiting software systems and exclusionary algorithms), profiles are built using the same common language as our CyberSN Job Taxonomy – made up of our 10 cybersecurity job categories and 45 functional roles.
This means that our profiles use the same language as our job descriptions, making the matching process and communication between professionals and organizations seamless. With a CyberSN profile, there’s no need to decide which areas of your experience are relevant for a job – we let you know why your unique profile matches the role. After you’ve built it, a profile is yours to export and use as you wish.
While our profiles are public and easily searchable by organizations, your personal data is not - eliminating the fear of employer reprisal and unconscious hiring bias. A major factor that’s missing from job boards and career resources is up-to-date, cybersecurity-specific salary information, with relevant salary information often restricted to more general IT jobs. CyberSN is one of the only places to find comparable cybersecurity-specific salary information, which is constantly updated with the latest data. This helps you understand your worth to an organization as your career progresses.
As well as applying to jobs, your profile lets jobs apply to you. Whether actively searching or not, a profile on CyberSN allows employers around the world to find and present job opportunities that will match your experience. Don’t wait to look for a job only when you desperately need one – always be looking for a role you’ll love, even if you are in one you don’t (or do).
A CyberSN profile is also an effective way of assessing: skills to develop, past projects worked on, and potential training opportunities. Professionals can streamline their career development by using their profile for performance reviews, mapping which certifications they require, and negotiating salary increases, offering more control over your career development.
Check out a sample CyberSN Profile and discover how it can provide you an advantage in your next job search.
A traditional resume is probably not going to be enough to find a job you love. Increase your chances of finding exciting opportunities and represent your unique value with a resume and a CyberSN confidential public profile. Our profiles mean you’re judged on your experience and nothing else, ultimately improving your workplace satisfaction.
Our profiles are proven to boost employee retention levels, with 53% of Cybersecurity professionals placed by CyberSN still working for the same company 4.5 years later. Creating a profile takes only a few minutes and gives you access to our matching tools, our network of professionals, and our marketplace of 60,000+ cybersecurity jobs across the US.
Increase your chances of finding and being found by roles that fit with a CyberSN confidential public profile.
We’re experiencing a national security crisis. Poor staffing and resource management in the cybersecurity industry has become a threat to the entire country, its citizens, and our organizations.
Not only are we short half a million cybersecurity professionals in the US, but employed cyber professionals are unhappy, and this is reflected in employee turnover. The average tenure of a CISO is 18-24 months, and with 41% of workers globally looking to change jobs, much of this time is spent looking at other roles. If this is the case among security leaders, then it’s no surprise that these feelings of discontent and distraction are permeating entire teams.
Security professionals are often underutilized, underheard, and overworked. 70% feel that their personal lives are affected by their work managing threats, with alerts coming in 24/7 and constantly growing in frequency. Heightened stress levels and the inability to switch off have led to 38% of cyber professionals experiencing burnout at their organizations.
But despite this job dissatisfaction and almost half of professionals looking for new opportunities, cybersecurity jobs are often staying open for 9 months or more before they’re filled. It’s clear that the cybersecurity job searching and hiring system is broken.
Cybersecurity job descriptions rarely reflect real tasks and projects, with the constant copying and pasting of role information leaving us with vague, impersonal job descriptions that are difficult to relate to. On the flip side of this, cybersecurity resumes do not represent the true value of what the professional has to offer. Job boards and online resources like social networks focus on job descriptions and personal profiles, lacking the career and succession planning that cybersecurity professionals need.
As a result, everybody is settling. Cybersecurity job seekers are tired of interviewing behind their employers’ backs, and employers have no choice but to move forward and fill their roles with candidates who are not the best fit. As well as causing widespread discontentment and settling, this is affecting diversity, equity, and inclusion within the industry. Diversity requires succession planning and a long-term commitment to education and business development, all impossible in this culture of restlessness.
And although this is a bleak outlook for any industry, in cybersecurity the cost is potentially enormous. Unfinished or neglected work and open roles leave the entire organization at ongoing and growing risk of IP, privacy, compliance, and brand-related business losses.
The brand new CyberSN Marketplace offers a solution to the current cybersecurity career and hiring crisis. We have developed the industry’s first “Deep Job Platform” for Cybersecurity professionals, delivering access to 53,000+ cybersecurity jobs posted in the United States, categorizing these jobs into our easily-searchable common language taxonomy, and classifying and matching confidential public profiles to suitable jobs, allowing job seekers to connect at their choice with jobs that match.
Find out more in our next blog!
2020 brought many transformations to the cybersecurity community. The key takeaway from our perspective here at CyberSN was the change to the talent seeker and the job seeker as it relates to the hiring process. In short: the roles and expectations of both cybersecurity professionals seeking employment, and hiring managers looking to fill job vacancies have changed forever.
Cyber professionals are in high demand and experienced new ways of working as the pandemic took hold. Many set up an office at home without any loss of productivity. Cyber professionals who were hiring had to adjust how they acquired talent, and what they needed to change in order to attract, vet, and retain quality cyber talent.
In support of this, we’ve outlined five ways cybersecurity hiring has changed forever (with one bonus prediction):
This is probably the biggest, most obvious realization that came out of the 2020 pandemic. Remote work is no longer a privilege. It is now expected in every cybersecurity job. Cybersecurity has evolved from the days when cyber professionals rarely were allowed to work offsite to a time where they’re rarely mandated to work on premise. So long as productivity and security remain optimal, this likely will not change. If your company doesn’t have a permanent work from home policy, you will be a much less attractive employer for cyber professionals. Make sure your company is prepared. It’s no longer a request. It’s an expectation.
Remember the days when a cyber professional would dress up, drive to a company, pay inflated parking rates, and be subjected to a series of face-to-face interviews? Many times, they would be subjected to re-answering the same questions over and over. Most of the interviews were conducted secretly so their current employer wouldn’t find out. Cyber pros were forced to make excuses so they could take a day off to interview for a new opportunity. This is no longer the case. CyberSN has not had an in-person interview since early 2020. Everyone on both sides of the interview lens should be prepared for video interviews, which means paying special attention to your surroundings to make sure it’s what you want people to see.
Compensation has been on the rise as the demand for experienced cyber professionals continues to skyrocket. Compensation is typically salary and bonuses, though cyber professionals are also being offered generous stock option packages and other benefits where available. Take inventory of everything good your company has to offer beyond money and put it on the table if you want to be competitive in attracting and hiring cyber professionals. Like cyber salaries and benefits packages, demand for cyber pros will only continue to grow, so if you’re not weighing what you have now and presenting your best offer, you’re not going to fare well.
The interview process for cyber professionals is faster than ever. We are seeing offers presented on the same day as the interviews; we even saw one made during the interview. If you’re hiring, be prepared to move quickly with an offer. If you’re interviewing, be prepared to field an offer and make a decision quickly, sometimes right on the spot. Those who are prepared to move quickly (and do) will benefit greatly in this hiring market. Sitting around and waiting is no longer an option. If a person feels like a good fit, make a move, or risk that person moving on to one of the many other opportunities available.
While we’ve placed most of the focus on the hiring teams to put their best foot forward, there are also developments that lean the other way (towards the cyber professionals seeking new jobs). Make note that almost every new opportunity we are involved with is requiring Cloud/SaaS experience.
There is a greater focus on securing all cloud applications. It’s no longer the responsibility of a few security or IT professionals; it’s now the responsibility of all cyber and IT professionals. Users are geographically spread out these days, and they rely on cloud applications and file sharing more than ever. Securing these systems and their data has never been so vital to an organization and its employees. A few individuals cannot protect the vast amount of data that is spread out across the U.S. Thus, Cloud/SaaS experience is a must. If it isn’t a working part of your portfolio, it’s time to dive in, or risk being overlooked.
As we mentioned above, remote working is expected by all who are employed within the cyber industry. But that expectation for flexibility will no longer be unique to a cyber professional’s “physical” presence. Soon that flexibility will be associated with time. No longer will work hours fit into the typical 8 a.m. - 5 p.m. window. Different work habits by different people spread out over multiple time zones will require a lot more flexibility.
Households with children require organizations to allow workers flexibility in their workday. Also, it’s become quite commonplace for employees to take pause for a few mental health breaks. So many workers are cooped up in their homes and only leave to get their mail. Organizations will have to be flexible on the specific times that people login, and instead, focus on the work that is produced to make sure the job is being done. Productivity is the key metric here. So long as the work is getting accomplished on time it shouldn’t matter so much when it’s getting done.
It’s pretty incredible to watch an industry grow, and we’ve been lucky enough to play a role in one we’re very passionate about. The changes we’ve outlined above are a direct result of the last 12 months we’ve all experienced. It’s amazing how much things can change in such a short amount of time.
If you need help figuring out the right solutions for your cyber needs, give us a call. We’re here to help!
A 0% unemployment rate for the cybersecurity industry sounds like a huge success. There is an abundance of cyber jobs for everyone, and a glance at the state of the cybersecurity job market would suggest that everyone should be extremely happy with the way things are going. But full employment brings its own problem: finding people for open cyber positions. This is exactly the issue cybersecurity hiring managers are faced with.
The cybersecurity industry has had a gross surplus of demand for years, and a 0% unemployment rate isn’t always as great as it sounds. With more open positions than available qualified cyber pros, hiring managers need to think long and hard about their recruiting tactics to engage the right candidates for open cyber jobs. The industry is in dire need of cyber analysts to implement, tune, and monitor security solutions. There is a need for more DevSecOps professionals to strengthen CI/CD pipeline security. And perhaps the most alarming deficiency in the cybersecurity industry is that there are more advanced (and continually advancing) adversaries and attackers than there are security engineers, threat hunters, cyber researchers, pentesters, and leaders to combat them.
The market for qualified cybersecurity professionals is at peak competitiveness. Great for the cyberpro on the hunt, difficult for the hiring manager who is in dire need of cybersecurity skill sets. So how do we best leverage a 0% unemployment rate within the cybersecurity industry where it seems there exists no qualified help in sight?
Last year, Cybersecurity Ventures reported that there will be 3.5 million unfilled cybersecurity jobs globally by the end of 2021. Combine that with a workforce that’s already reached its maximum occupancy and you can see how problems would start to develop.
To help your organization prepare for hiring challenges in the year ahead, let’s discuss the implications that a 0% unemployment rate has on the cybersecurity job market, while also laying out some strategies for how your company can combat them.
With today’s economic uncertainty, raising salaries can be a daunting step for many organizations. And, if we’re being frank, there is a fundamental problem with companies not budgeting the salaries required to attract a qualified cybersecurity professional. Many also starkly underestimate the effort it takes to attract, nurture, and bring a prospective cyber pro through the door in such a high-demand, highly competitive environment. Concern over the economy has led some firms to believe that they have the upper hand in salary negotiations. That assumption couldn’t be further from the truth. Even in today’s climate, the demand for cybersecurity professionals has never been higher; the vast majority of skilled cyber pros are employed, and many are well compensated. To persuade them to leave their current situation and come work for you, you must offer better than what they currently receive, and compensation is typically the primary motivator.
With an average of two job openings for every qualified candidate, cybersecurity professionals have significant leverage when negotiating salaries. How can employers compete? The simple answer is to pay more. But that’s not the only answer.
While considering the cybersecurity salary ranges you’re currently offering, consider everything else you can offer. Do you have a great healthcare plan? Flexible working hours or generous PTO allotments? Like all workers, cybersecurity professionals negotiate for the best benefits plan that they can obtain and benefits in addition to compensation can provide significant value. Currently, one of the best add-ons to any benefits package is flexible remote work options. The pandemic has shifted to a remote workforce and professionals want to know your company's plan on returning to the office environment. Be transparent with your full remote or transition to office plans in the offer.
There’s a lot to think about here, and honestly, the effort and time needed to recruit qualified cyber professionals to fill your cyber solution needs can be a quite daunting task. You might want to consider the help of KnowMore, which can do a lot of the legwork for you and put you in front of the exact pool of cyber professionals you’re looking to attract. That’s a key differentiator when it comes to the hiring process. It takes a great deal of resources to vet those that do, don’t, and may fit. So why not cut out one or two of those right at the outset?
With a lack of qualified professionals to address unfilled positions, many organizations make poor hiring decisions out of desperation. It’s commonplace to see companies get obsessed with trying to find a perfect fit while wasting months overlooking decent-fit candidates. As time goes on, the need to fill the position only grows stronger and many can end up hiring someone unsuited for the role just to get it filled.
To avoid this situation, the best thing to invest in is training. With 0% unemployment, finding the perfect cyber pro for your open position may not be feasible depending on what you’re offering. CyberSN President, Mark Aiello, addressed this issue in a recent article for Forbes and was quoted saying: “Many companies get so hung up on finding the perfect candidate that they miss so many qualified individuals who might tick off five, seven, or even eight out of the 10 skills listed as requirements for a position. In the time it takes to find these unicorn security professionals, a company could have hit the ground running by training someone who was 75% of the way there.”
Another major challenge accelerated by a 0% unemployment rate is retention difficulties. With so many open positions, cyber professionals are bombarded by new job opportunities. You cannot fault them if they occasionally take a peek. And once this happens, many are exposed to some “too good to be true” opportunities that catch their interest. A recent study done by ISACA polled companies across the country and found that “...64% of respondents indicated that they have trouble retaining qualified cybersecurity professionals.”
In the cybersecurity job market, hiring an employee is only half the battle. In our experience as the leading cybersecurity staffing firm in North America, CyberSN has consistently found that retaining cybersecurity talent is actually more difficult than finding it. You don’t want to be in a situation where you spend significant time and resources training your new hire only to watch them leave after six months.
To help enhance employee retention at your organization, consider the following best practices:
Another significant driver of the 0% unemployment rate is the increase in cybercrime. In fact, the FBI reported in May of last year that cybercrime appears to have jumped by as much as 300 percent since the start of the COVID-19 pandemic.
This increase in cyber attacks will cost the world around $6 trillion annually by 2021, as reported by CSO Online. These frightening statistics will only lead to more unfilled jobs and extreme pressure on employers to hire for them. The cybersecurity personnel shortage doesn’t just serve as a detriment to individual employers, it represents a nationwide security threat. In the years ahead, employers will have to work even harder to hire and retain their cyber pros to ensure they don’t leave their operations vulnerable to attack.
With so few unemployed cybersecurity professionals to choose from, filling cyber jobs has become notoriously difficult. Given the current shortage, companies would be wise to recruit active job seekers and also cyber pros who are passively looking—i.e. those who are actively employed but could be open to new opportunities if the offer was right. Unfortunately, the disclaimer here is that these passive candidates are even harder to find and persuade.
To truly be successful in finding qualified cybersecurity professionals in a 0% unemployment job market, it’s best to seek help from those with experience and specialization in the cybersecurity industry. Companies that rely solely on internal hiring and recruiting teams tend to fall into the same pitfalls: not knowing where to look, crafting unenticing job descriptions, and not speaking the same language as job seekers.
Hiring a company that specializes in cybersecurity recruiting and who truly understands the motivations behind both parties, ensures a quicker and more effective hiring process. For example, with CyberSN’s Engaged Staffing service, we take the work of finding interested and qualified candidates and scoping their qualifications off the plate of the employer. We can also work with the employer to do pre-interview prep to make sure they present the optimal image of their organization and benefits package.
To fill your open cybersecurity roles, engaging with cybersecurity specialists with a proven track record of hiring success should be a logical next step. By leaving it to the cybersecurity recruiting pros, you will save valuable time and money while also saving your organization from the inherent risks of leaving important roles on your cybersecurity team vacant.
Happy New Year. After a year of uncertainty and emotional stresses, I look to 2021 with great optimism. The cybersecurity community is significantly stronger and being counted on now more than ever. The need for cybersecurity talent has grown exponentially. The importance of cybersecurity professionals is universally understood and appreciated at a much higher level.
We as a community are treating each other better too! It’s wonderful to see our cybersecurity leaders working together the way we all are. Our response to recent breach announcements shows us that we have learned to support each other. I remember when Equifax shared their breach a few years back; the CISO at the time was attacked and ridiculed. Fast forward a few years to the FireEye/SolarWinds breach, and the cybersecurity community has been kind and supportive to the cybersecurity leadership victims. It’s awesome to see this advancement in our ability to provide empathy and support vs. blame and shame. We are one team and we all can be breached… We are defending against more attackers than we have defenders, and therefore we must work together. Thank you for bringing this empathy and kindness to the cybersecurity community; we will attract and retain more talent, including diverse talent, when we come from a place of empathy and kindness.
Below I have highlighted five contributing factors that we predict will lead to significant growth in the cybersecurity job market in 2021. Please feel free to reach out anytime. CyberSN is 100% focused on solving your cybersecurity talent challenges.
Cloud computing has given attackers a larger set of potentially exploitable targets than they had before the digitalization shift. The surge in new, and hastily planned, cloud deployments has created additional opportunities for attackers to elevate privileges, establish persistence, and steal credentials and data. Managing cloud cybersecurity risk in support of business operations, data privacy, and compliance will be a critical role in 2021.
Cybersecurity spending is projected to increase in 2021. CISOs will revisit and revamp cyber strategies addressing potential threats and detection/defense gaps introduced by remote workforces, authentication threats, on-premise office infrastructure, cyber hygiene, supply chain threats, and cyber awareness.
Data-driven approaches will begin to solidify threat and incident analysis, threat anticipation, and breach response practices. Data-driven cybersecurity will inform decisions about “normal patterns” versus anomalies and draw insights from all cybersecurity data, visualizations, and reusable models. All of this will feed into added intelligence, automation, and measurable value.
Cybersecurity programs will lean on Application Security Engineers and DevSecOps professionals to integrate security automation into the development pipeline, rather than only detecting software flaws after the fact. This proactive approach will let them manage the risks that lead to security vulnerabilities in APIs, production software, and the overall architecture.
The rapid shift to digitalization has added data access complexity as well as less visibility and potential blind spots for SOC analysts and Cyber Fusion teams. Recent breaches have reminded the cybersecurity industry that alerts from defense products should not be the time to begin searching for breach indications. Organizations will reinforce their cybersecurity playbooks by enhancing or adding proactive approaches which will include threat hunting and threat awareness.
As the new year unfolds, so too do the unique challenges that present themselves to us. This is especially true in the cybersecurity industry. As quickly as we develop new, bolstered proactive processes and technologies to minimize potential breaches, new threats are born to challenge those very efforts. Thus, as we stated in our intro here, we must work collaboratively to create success as a collective whole. Cybersecurity isn’t only an industry, it’s a community, and we as cyber pros are each a thread in that ever-growing fabric. When we band together, that fabric becomes stronger, and with that, success is more easily accomplished. CyberSN is dedicated to the successful advancement of the cybersecurity workforce. Let’s work together and make 2021 the best year yet!
News of the FireEye security breach shook the cybersecurity industry last week, proving that even the most skilled cybersecurity operations can face attack. Then came the news of the SolarWinds breach affecting the highest levels of the US government. While the cyber world debates the reasons for the attacks and the response, business leaders should take this moment to evaluate the strength of their cybersecurity program, especially in light of added stresses on teams due to Covid-19 workplace changes. It’s not just about whether you have the right tools in place. You need the right people to address emerging threats, too. If your cybersecurity team is overworked, or you have unfilled red team or threat hunter positions, you’re leaving your company vulnerable.
FireEye, a $3.5 billion cybersecurity company that has identified some of the most elaborate and sophisticated hacking operations in the world, announced on Dec. 8 that it had experienced a breach of its top cybersecurity tools by an attacker who used “novel techniques” to gain access. In a statement FireEye said:
Recently, we were attacked by a highly sophisticated threat actor, one whose discipline, operational security, and techniques lead us to believe it was a state-sponsored attack. Our number one priority is working to strengthen the security of our customers and the broader community. We hope that by sharing the details of our investigation, the entire community will be better equipped to fight and defeat cyber attacks.
Since then, reports have revealed this breach was part of a larger hacking and espionage effort including SolarWinds security software and top government agencies, including the Department of Treasury.
Speculation will likely continue for weeks, and it has left many in the industry wondering: if this could happen to FireEye, which has some of the top tools in the industry for detecting threats, would my security team have detected this or similar activity?
“It really reinforces the importance of people in cyber,” said Dom Glavach, Chief Security Strategist at CyberSN. “An adversary compromised the supply chain then leveraged this to gain access to high profile networks, highlighting that we do not necessarily have a tools problem. You need strategy, you need tools, and most importantly, you need people.”
Chief information security officers and cybersecurity managers are likely evaluating or purchasing new tools and downloading indicators of compromise now to protect against similar threats, and they must also make sure they have the right people in place to identify those threats. After all, cybersecurity is a people versus people game, Glavach said. Adversaries have proven they have the funding, the drive to innovate, and the ability to hone their tactics, techniques, and procedures to successfully gain access to high-profile companies. It will take tools, strategy, and people to fight these sophisticated threats.
No company is ever going to be 100% protected from attack, but a good cybersecurity team with the right members in place can better prevent, detect, and recover from cyber attacks earlier, reducing the damage they might cause.
Good leadership and a clear cybersecurity strategy are the basis for a strong cyber program. Frequent turnover in the CISO position or lack of buy-in from executives on how the strategy should be implemented can leave a company vulnerable on multiple fronts. You might be able to keep a cyber team running without a clear strategy in the short term, but eventually you will run out of steam.
Next, filling or adding positions on the offensive side should be your top priority. Here are three areas that are essential to companies of nearly every size today.
We all know how hard it is to recruit cybersecurity professionals. Here’s how you can recruit and hire the cyber talent you need quickly.
Ping people in your professional and social networks who work in the cybersecurity industry and ask them for referrals. Do they know a threat hunter who’s looking for a change? If you’ve been searching for more than six weeks, you need to be proactive to identify candidates.
Do you have an employee referral program? Raise the bounty for anyone who refers one of these key cyber hires. The holidays are here and people are looking for extra money—give them the incentive to reach out to friends with a significant bounty.
Do you have multiple cybersecurity positions open right now? It’s time to adjust your hiring plan to prioritize cyber roles on the offense side. If you planned to hire for other positions this year, take that money and switch to these threat-hunting positions.
When you decide it’s time to get outside help to fill cybersecurity roles, pick an agency that knows the cybersecurity industry and what to look for. Maybe you’ve used an agency in the past, or your human resources department has a firm it prefers—unless they specialize in cybersecurity, the service is unlikely to get you the candidates you’re looking for or save you time.
As one of the few staffing agencies that specialize in cybersecurity, we’ve talked to many clients about their frustration with traditional staffing agencies and recruiters who don’t know what it takes to fill essential roles. When it comes to filling positions quickly, you should go with the experts. They can offer different levels of service based on your needs and budget.
If your company doesn’t have the resources to hire a staffing agency to do the work for you, try going where cybersecurity professionals are actively looking for jobs. CyberSN’s proprietary platform, KnowMore, is a place where cyber pros can post resumes confidentially, allowing companies to review them based on skills. Companies can also use the platform to create better job descriptions that tell savvy professionals your company knows exactly what it’s looking for.
The threats revealed by the FireEye and SolarWinds breaches highlight the importance of having a well-rounded security program in place. Tools are vital, but without leadership combined with proper staffing, your strategy will be less effective and can leave your data needlessly vulnerable. As you review your cybersecurity operation in the coming weeks, ask yourself: do I have the right people for the job? If not, it’s time to go find them.
Most CEOs will tell you security is an important aspect of their business operations. But too often, what’s deemed important by management doesn’t always translate into real priorities. We’ve seen too many cybersecurity teams stretched thin on staffing, overworked, and improperly aligned with the rest of the organization. This leaves companies vulnerable to cybersecurity threats, huge losses, and bad PR.
Recently, CyberSN Founder and CEO Deidre Diamond spoke with Dan Blum, Cybersecurity Strategist and Author of the book “Rational Cybersecurity for Business: The Security Leader’s Guide to Business Alignment,” about this pervasive problem. Cybersecurity operations are complex, but the solution to better security is simple: companies must align business processes with cybersecurity operations.
Hear the discussion. Watch “Hire, Motivate, and Manage a Business-Aligned Cybersecurity Team.”
Blum, who has years of experience in the corporate security field at organizations like the Burton Group, Inc., and Gartner, defines cybersecurity-business alignment as:
“A state of agreement or cooperation between persons or organizations with a common security interest. It is enabled through security governance structures, processes, communication skills, and relationships that engage the business. When in a state of alignment, all business leaders, staff, and business-related processes act in accordance with clear roles and responsibilities to support the security program and strategy.”
In other words, alignment happens when cybersecurity is fully integrated into company operations, all employees understand the importance of security, and chief information security officers have input when important decisions are made. It also means funding cybersecurity teams and technology to allow them to do their job and do it well.
Unfortunately, many companies understaff their cybersecurity teams or silo them away from important projects and decision-making meetings. Management may understand that cybersecurity is a vital aspect of business, but it is not clear on the investment required to do cybersecurity right. According to Blum, only 44% of boards of directors consider cybersecurity to be strategic. If more than half of directors say that cybersecurity is less important than other aspects of the business, then it will be nearly impossible for CISOs to get the resources they need.
“They may think they are funding it adequately but they are not giving it the attention required to make sure the work that’s being done is really fitting the business needs,” said Blum.
Corporate leaders want to run lean in hopes of maximizing profits, but as Diamond points out, the number one problem facing cybersecurity teams is the lack of budget to properly staff. The result is a cybersecurity team that feels stressed out, burned out, and has trouble disconnecting at the end of the work day. It also causes high turnover, putting more pressure on the team and more work on managers to fill an already hard-to-fill role.
This is especially troublesome in the CISO position. Most CISOs remain in the job less than three years. Considering how difficult these leaders are to replace, and that it takes about six months for a new CISO to fully know a company’s security operations before even implementing a program, planning for the loss of your CISO should be part of your risk prevention strategy.
After conducting more than 70 interviews with corporate security professionals, Blum learned that security breaches are often predictable when cybersecurity operations are not aligned. When a CISO is denied funding for security measures, it leaves companies vulnerable. Having a skeleton staff leaves the security operations in disarray. Poor integration into the rest of the company can lead to hundreds of millions of dollars in costs and ultimately the company’s top leaders stepping down.
“The biggest problem that companies have is a lack of a definition of security that fits their business,” said Blum. Management must define how security applies to their business strategy, their vertical industry, the culture, mission and mandate of business, as well as what oversight of that security means, said Blum. Security is part of how companies do business in a digital environment and should be treated as such.
Here are some steps companies can take to ensure a well-aligned security program:
Diamond emphasized that the lack of clearly defined cybersecurity roles is a major gap she’s seen in cybersecurity staffing. Roles that are poorly defined make it harder to recruit, and also make it more difficult to define accountability. These problems lead to dysfunctional teams and hinder retention. Companies also need to bake hiring and retention into the job description and responsibilities of managers, she said. Finding cybersecurity professionals takes work and time, as does investing in the relationship-building efforts and EQ training required to keep those employees. Documenting it as part of the job shows that the company takes cyber staffing seriously.
How can teams make security as seamless as possible? It’s a question managers and executives should be asking regularly, and one they should work collaboratively across the organization to answer. Enacting cybersecurity-business alignment can shed light on potential problems earlier in the process and open the door to new ideas and innovation.
“Through alignment you can release a lot of untapped potential,” said Blum. “Look for progress not perfection. Making some progress is really going to move the needle but it happens with the team. It’s a team sport.”
Hiring cybersecurity professionals is as challenging now as ever. With a shortage of people actively looking, cyber pros can be picky about where they work and the compensation they earn. Not every company can afford to pay the same level of salary as Google, but that doesn’t mean they don’t offer a rewarding opportunity for cyber professionals.
Fortunately, there are things hiring managers and HR professionals can do to find talented people for those hard-to-fill cybersecurity jobs, even when the salary you’re offering might be lagging.
Once someone makes a decision to seek a new opportunity, they’ve mentally left their current employer. When this happens it’s like turning on their radar and they become receptive to the outreach that comes their way, both cold and warm. We know that the average cyber pro receives two job inquiries a day. Every day spent debating a potential hire risks that they’ll speak with a firm willing to pay a lot more money than you. The faster you move someone through your hiring process, the less likely other companies will beat you to making an offer.
When your salary is low, take inventory of everything else that you offer. Do you have stock options? How about an amazing health care plan? Retirement plans? How about flexible work environments and unlimited PTO? Open door policies or an accelerated career path? We see cybersecurity professionals taking less money when evaluating multiple offers because the compensation package as a whole makes the offer very competitive. Prepare a one-pager that explains all that you offer and make sure that everyone in the process is capable of discussing it with the candidate.
You already know your salary offer will most likely be low. Make sure your attitude is high. Seems like common sense, right? Nope. Anecdotally, I estimate that 25% of all first interviews are rejected by the candidate because they didn’t leave with a good feeling. Make sure your words and actions convey that you’re an open and welcoming person and company. Remember that cybersecurity professionals are no different than any other human. They want to work for people who are nice and who value them. Let them know they’ll be valued if they come to work for you.
What? Why should I send a thank you note? They should be sending one to me! Well, hopefully they do send one to you and you should always send one to them. It is a small gesture that makes an enormous statement about who you and your company are. I suggest you go on Amazon where you can buy a pack of 50 cards for $9.99. A thank you card is much more effective than a follow-up email. And there is nothing wrong with doing both. It will have a huge impact on the cybersecurity professional and most likely the first time it has ever happened to them.
Resume services are nothing new, but they can be surprisingly effective for relatively little money. We created our Resume Service, which we call Talent Scout, to serve clients who can’t afford a full search placement but have an internal talent acquisition team that can interview and extend an offer.
Talent Scout takes one of the most difficult stages in the hiring process off your plate by identifying five candidates who are qualified and interested in your opportunity. We make sure each cybersecurity professional’s resume that we send is someone who is qualified and interested in what your company offers. We take the laborious process of identifying interesting candidates away from you and present cyber professionals for you to interview and close.
If your company keeps losing cybersecurity talent to bigger, better-funded companies, you still have options. There are many cybersecurity professionals who seek smaller companies, close-knit work environments, and the feeling of being an important member of the team, not just a number. To secure qualified cyber pros, focus on the unique benefits your company offers, both financial and cultural. And don’t be afraid to ask for help when important cyber roles are going unfilled. The cost of securing some help today could save you the major cost of a data breach down the road.
If you’re looking for more tips on how to find skilled cyber pros, make sure to subscribe to our blog, or reach out to us. We’re happy to answer your cybersecurity hiring questions.
The declaration of COVID-19 as a global pandemic in March 2020 quickly changed how we work, turning office culture on its head. Companies quickly adapted to a fully remote model, while employees learned how to balance work and personal life within the confines of their home. This new work environment put added pressures on cybersecurity professionals. Not only were they, in many cases, shifting from in-person to remote work, but they were also tasked with giving remote workers what they needed to operate securely and head off a host of new threats.
Now that working from home is the new normal for the foreseeable future, many cybersecurity professionals are rethinking what they want out of their own work life. Companies are looking at a wide range of new policies to retain talent and attract new workers. Because cybersecurity professionals are in high demand and the need to maintain security is great, leadership must create work environments that work for the company and provide what cyber professionals want.
According to Gallup, the percentage of employees working from home doubled, from 31% to 62%, in the three weeks at the start of the pandemic. Research and polling on employee sentiment indicate workers want to keep these work-from-home options in place. That same Gallup poll found that among the people who wanted to continue remote work, those in tech fields made up one of the highest percentages.
Prudential’s Pulse of the American Worker Survey, released in May, shows that the majority (68%) of workers expect working from home to become a normal part of business, and about 20% said they were considering changing to a job that allows them to work fully remote. Here were some other takeaways from the survey:
It’s clear from these data points that remote work has had a positive effect on employees in some ways, but they are looking to leadership to continue improvements to the workplace in this new COVID-19 era.
One of the biggest advantages working from home has given companies, especially those looking to hire cybersecurity professionals, is the increase in the pool of candidates. Companies no longer need to hire local talent, but can recruit from anywhere. It also increases the competition—if more companies are recruiting cyber pros who are fully remote, then your company must find ways to compete.
Jim Harter, Ph.D., coauthor of the bestseller It's the Manager, which addresses urgent issues organizations face today, said recently that in light of new workplace policies, “managers must learn how to lead remote teams and leaders must implement strong remote work cultures,” to maintain healthy workplaces. Harter notes that using science-based judgments to make workplace policies will help companies meet the needs of their workers—and attract new ones. These include:
Workplace culture is an important part of any employee’s opinion of a company, and can make the difference between a new hire and someone who passes on your offer. Company leaders may have leaned upon in-person workplace benefits to entice professionals in the past, whether that was an on-site gym, work outings, or free conference attendance. Without these perks, offering other benefits such as flexible work hours, more paid time off, and additional training opportunities will be of greater value to those looking to make a job change.
The changes in the workplace will likely continue to put strains on the company’s IT and cybersecurity departments, forcing managers to assign people to new roles to fill critical needs. This will require “upskilling”—training and professional development to make sure each team member has the resources and knowledge to do their job well.
The small pool of qualified cyber professionals considering a job change is adding another layer of complexity to cybersecurity hiring during COVID-19. Company leadership must prioritize maintaining and emphasizing what cyber pros find most desirable. That includes opportunities for training and advancement, a healthy, supportive work environment, and flexibility to balance family and home life in these chaotic times.
Emily Wilson, cross-portfolio lead for employee experience management at SAP SuccessFactors, wrote in Forbes that companies should not assume people are clamoring to work for them just because some companies happen to be laying off workers.
“With the number of laid off and furloughed workers increasing daily, there is the misconception that employees with jobs are grateful just to have them,” said Wilson. “COVID-19 has significantly changed employee expectations to be sure. But just as employees are expected to adapt to a new way of working, businesses also must learn to support them in new ways. Businesses must take this opportunity to learn to be flexible as well.”
No matter the size of the company or the strains put upon cybersecurity departments due to COVID-19, companies must provide what employees need to perform their jobs, stay motivated, and be able to adapt to changes when they arise. Doing so will make your company more resilient and strengthen its ability to overcome the challenges that lie ahead.
We talk to a lot of people who want to know how to make their next career move. People are looking not just for better pay, but for opportunities for professional development, better work-life balance, and permanent remote offices. Covid-19 has brought some changes to the workplace and the way we interview for jobs, but one thing remains the same—there is still a shortage of qualified cybersecurity professionals.
Here, we’ll talk about advancing your cybersecurity career, whether you are looking for work or are thinking about changing companies, and ways to find a job you’ll love.
With many roles and responsibilities in the cybersecurity field, there are numerous ways for someone in infosec to work their way from entry-level to a more advanced cyber career. For example, starting as an IT auditor or security analyst can give you the experience needed to become a penetration tester. From there, roles like security architect and security engineer can take you on to a management role like information security manager.
As you consider your cybersecurity career pathway, it certainly helps to understand the skills and certifications that will position you for advancement into these roles. But, almost as important is understanding where you want to go and what kind of role you want to play.
Talk to the people on your team, and within the cybersecurity industry, about how they got to where they are. Did they start on the help desk? Did they focus on honing specific skills? What are the attributes they consider valuable to advancement? This knowledge will not only show you what to do to land the role you want, but also help you discern which jobs provide the most opportunity for career advancement.
Unfortunately, the economic downturn brought about by Covid-19 has led to downsizing in all industries, even vital roles in cybersecurity. That’s the position Stefan Rajaram, now a global information security assurance analyst at Crane Co., found himself in earlier this year.
“The roles that are out there right now are mainly senior roles and required a lot more years of experience than I already had,” said Rajaram in an interview with CyberSN Founder and CEO Deidre Diamond.
Instead of fixating only on the job hunt itself, Rajaram said he treated getting a new job like a job, spending eight hours a day applying to positions, and also doing online training and advancing his skills. As a pen tester, he focused on red teaming, a skill he later heard from a recruiter was a must for a position he was applying for.
Hear more of what Rajaram learned during his job hunt here.
Opportunities for advancement often present themselves when you’ve already got a job, sometimes when you weren’t even looking. Chad Fame started his job hunt when he was approached by a CyberSN recruiter. Although he had been approached by a recruiter before and found that job was not a good fit, the option presented by CyberSN “was a good opportunity to explore.”
“I was coming from a place where I had a job, I was comfortable, I knew where everything was,” he told Diamond. “Coming in to look for a new job, or interview for one, is kind of daunting.”
Among the things Fame considered was whether the company he was interviewing with would still be doing well six months down the road. He said if a company is putting the effort into hiring now, “they have the work that needs to be done now and in the future.” However, he still wanted to ask the right questions about where the company was going, including whether there were cuts planned.
Asking the hiring manager the right questions is especially important in today’s job climate to ensure the move will be the right fit, including whether the team can remain fully remote, whether there is opportunity for training and mentoring, and the availability of other benefits that can drive a cybersecurity career in the right direction.
Getting to this stage of career development for Fame was the result of working in a number of different industries, including legal, pharmaceutical, and healthcare. Fame said he gained cybersecurity experience by working on audits and compliance. From there he moved into risk management. Having a variety of experience can give cyber professionals more options when seeking the next opportunity, and helps when negotiating compensation with a new employer during the hiring process.
When leaving his old position, Fame told Diamond he got a counter offer from his previous employer and that anyone looking should be prepared for that conversation too. Companies want to retain their talent and could offer you what you’re looking for if they’re at risk of losing you.
Hear more about Fame’s interviewing experience >> “Career Advancement During Covid”
With career advancement comes increased challenges and responsibility, but also greater compensation. Diamond said in the “Career Advancement During Covid” interview that cybersecurity professionals should be ready to negotiate.
“Compensation is more than just salary,” said Diamond. “When you’re in the conversation of salary, make sure you’re in the conversation of total compensation at the same time.”
Salaries may differ depending on the company’s compensation structure, including bonuses, stock options, benefit plans, vacation time, how often you have to be in the office, the cost of living in that region, and many other factors. Once an offer has been made, professionals should evaluate the opportunity based on the whole package.
“It is ok to keep talking if you don’t have what you want,” she said.
Even with some uncertainty in the job market, there are still many opportunities at leading companies, and it’s clear that organizations are willing to negotiate to get the right person for the position. Building your skills, knowing your worth, and having a great resume to show it off can help any cyber pro make the next move in his or her cybersecurity career.
Whether you’re a start-up or a Fortune 500 company, cybersecurity consulting is a good way to assess the effectiveness of your cybersecurity operations. Having another set of eyes on your security systems, looking for ways attackers could infiltrate, and creating a strategy for addressing any security gaps can save your business time and the disruption of a security breach.
Cybersecurity consulting has another less well-known feature that is arguably more valuable than identifying potential threats: insights on cybersecurity staffing. A cyber team is only as good as the people within it, so hiring is a crucial aspect of keeping your company and customer data secure. By tapping a cybersecurity consultant, you can gain expert knowledge on the industry, where to find skilled cyber pros, and how to market your company to top talent.
When vetting cybersecurity consulting firms, here are some qualifications you should be looking for.
You may think you know what you need, but a skilled cybersecurity consultant can help you drill down into the specific aspects of your needs. By understanding your objectives, the consultant can identify skills gaps and provide a staffing headcount based on current and future initiatives. For example, your company might be evaluating security information and event management tools. A good cybersecurity consultant can offer advice on the availability of certain product skill sets and their respective labor cost.
A cybersecurity consultant should be someone who is able to provide the latest information about solutions and products, especially those that are becoming more popular or are new to the market, and about other trends. This could include career and employee development trends and new training resources available.
You are never going to build or keep a great cybersecurity team if you aren’t offering enough compensation. You need a cybersecurity staffing consultant who will be blunt about your salaries and compensation packages. Your company may not be able to offer the same salary as a larger company, but a cybersecurity staffing consultant can help you develop other types of compensation, such as ample paid time off, work-from-home options, and an inclusive company culture that will attract professionals.
At CyberSN, our cybersecurity staffing consultants see a lot of compensation data because companies and professionals give us this data every day through our job search platform KnowMore. One thing we’ve seen is that it’s not just about the money. Professionals are looking for better work-life balance, especially since the lines between work and home have become so blurred. Training opportunities and the ability to work remotely permanently are two of the top requested perks we’re now seeing.
Part of the challenge of building out the right cyber team is that job titles, roles, and responsibilities vary from company to company. Having a cyber consultant who knows the industry, terms, and job titles vastly improves the results of your recruiting efforts.
We identified this problem at CyberSN and developed a common cybersecurity language, not just for those in the information security industry, but for those who hire, too. This included identifying different facets of the industry and defining 45 cybersecurity job titles and more than 100 subtitles.
Here are a few questions you should ask before engaging with a consulting firm on your infosec operations.
Do they work primarily for large corporations or is this a firm that specializes in start-ups? A firm may claim to be generalists, but cyber needs vary depending on the company’s size and industry, whether that’s e-commerce, banking, or health care. Make sure you hire a consultant that understands your industry.
Before working with a firm, it helps to know who you will be working with, their area of expertise, and how many hours they will be available. Are you looking for 24/7 availability or someone to develop a strategy for improving diversity? Whatever your need, ask for specifics about the level of expertise you will be provided.
Companies are striving to create inclusive workplaces, especially when race and gender are such a part of the national conversation in the United States. Whatever your cybersecurity needs, diversity is likely to be part of the conversation. When your team is made up of people with different backgrounds and world views, it will help improve your ability to identify threats from around the globe. Discuss diversity training as well as hiring practices to ensure you are creating a welcoming environment for all employees.
As a woman-owned company, we make diversity and inclusion important in all we do, which is why more than half of our placements are diversity hires.
This may seem obvious, but if you’re looking for expertise in cybersecurity, make sure the team you get has experience working in the industry and understands both the employer’s and employee’s side of the job.
Ask your cybersecurity consulting firm what you’re getting from them and hold them accountable throughout for that deliverable. CyberSN, for example, offers hiring strategies for companies struggling to fill cyber roles. After working with one cybersecurity industry expert and one cybersecurity hiring expert, the company will have a clear strategy for recruiting and hiring cyber pros that fit their needs and fit within the company.
No one wants to hire another consultant who swoops in, offers unrealistic advice, and is only concerned about the paycheck. Before you sign a contract with a cybersecurity consulting firm, clearly define what you’re looking for from the relationship. Make sure the firm is willing to help set goals and create a realistic strategy that works for your type of company. Finally, hire a firm that understands that it’s not just about the tech. Developing the human side of a cybersecurity team can help protect your company, as well.
Cybersecurity jobs are notoriously difficult to fill. According to a study by Burning Glass Technologies, cybersecurity positions take 20% longer to fill than typical IT roles, at an average of 50 days. For every open position, the study found companies only have an average of two people in the applicant pool to choose from.
Cybersecurity recruiting is challenging for many reasons, but few companies have attempted to get to the root of the problem and find a better solution. It’s what makes CyberSN an outlier in the cybersecurity recruiting industry. We’re the only company that specializes in just cybersecurity and we’re the only company that guarantees filling a job in under 39 days.
How is it that CyberSN is the only game in town? Here’s the story.
CyberSN was born from conversations founder and CEO Deidre Diamond was having with her friends in the cybersecurity industry. Some were telling her they were struggling to find jobs. At the same time, she was hearing from others about a shortage of cyber professionals. Diamond saw this disconnect as an opportunity to reach an untapped market—there must be a faster, easier way to match cybersecurity professionals looking for a job upgrade and companies in need of skilled cyber talent.
Since the job search and recruiting process went online, both job seekers and companies have turned to keywords and automation to make the process easier. While this has cut the time required to find a job for most people, the result in specialized industries, like cybersecurity, has been a failure.
Diamond found some companies were cutting and pasting attributes from past job descriptions, regardless of what’s needed, to create nonsensical franken-jobs that savvy, experienced cyber pros see through immediately.
“These are highly wanted professionals,” said Diamond. “They’re not going to read that!”
Then there were the HR recruiters who don't understand what a job description means, making it hard to seek out skilled people for the job. Add to that cybersecurity professionals who are serious about their privacy online and stay away from LinkedIn and it was a wonder companies and cyber pros ever found each other.
“What hit me square in the face is that when content became free, it also became meaningless,” said Diamond. “Job descriptions became meaningless and resumes were always meaningless—you can put anything on a resume.”
With bad job descriptions and bad resumes, “It’s matching garbage content to garbage content,” she said. Plus, there’s the enormous cost companies must incur just to hire, and the mental energy it takes to apply, prepare, and interview for a job.
“There is an element of job searching that’s so bad it's causing mental distress. It’s amazing that in the year 2020 we can’t match people.”
Diamond wanted to know, how do you fix it?
Sometimes solving a problem takes coming at it from the outside. Diamond didn’t come up through the cybersecurity industry, but instead through sales and management in the tech industry. After graduating with a degree in criminal justice, Diamond considered a career in law or in social work, but after seeking career advice, took an entry-level position with Motion Recruitment, a tech recruiting firm headed by two serial entrepreneurs. There, she was on a professional growth track that would take her into senior leadership. After 13 years in tech recruiting and helping take the company from $2 million to $89 million in sales as the vice president of sales, she became vice president of sales at the security software company Rapid7, and then went on to serve as CEO at Percussion Software.
Having led a company, Deidre began thinking about building her own company and took some time away to develop her ideas. It was during this time Diamond was at Black Hat, running into people she knew and hearing from just about everyone that they were looking for something new—cybersecurity professionals who were looking for a career change and companies looking to hire.
“You talk to cybersecurity professionals and they’d say, ‘I can’t get an interview that's the correct interview for me,’” said Diamond. Others said they wanted a new job but were working so much they didn’t have the time to look.
Diamond launched CyberSN in 2014 as the solution to this pervasive staffing problem. Tapping her industry connections in tech hubs on the East and West Coast, Diamond grew her staff from one to a full, professional team specializing in matching skilled talent to jobs they love.
What cybersecurity recruiting quickly taught Diamond is that the current model for recruiting cyber talent was broken too. Working on contingency when filling cyber roles was neither practical nor scalable, given the 90- to 100-day timeframe it took to fill some roles. If CyberSN could speed up this process, she could make it more profitable, Diamond thought.
“I am used to growing and I wanted to build an army,” said Diamond. “I was willing to invest and take a risk.”
First she started with her connections in the industry. She and her team had more direct access to cyber professionals who are very private and often hard to track down online. Then she took a hard look at the job descriptions companies were writing and realized that needed to be streamlined too.
The most substantial lead the company made was in 2016 when she brought in a team with vast experience in the cybersecurity industry to build a platform that would help CyberSN’s cybersecurity recruiters fill positions faster. The proprietary platform that would eventually be launched to the public as KnowMore gave CyberSN an advantage no other company had—a way to more efficiently match skills and experience with a company’s needs by using a common task-based language.
“That’s when we really changed the game in terms of cost of sale,” said Diamond. “We were able to make matches in 30 days instead of 100 days.”
As a woman in the tech industry, she understands the challenges many women face, from hostile work environments to a lack of investment from venture capitalists. For Diamond, diversity is key to addressing these issues. CyberSN is not just about filling jobs, but helping companies to develop women and diverse talent. She also founded Secure Diversity, a nonprofit which aims to empower all genders, and specifically women, to find career opportunities in cybersecurity. As a result, companies come to CyberSN because they know they will have access to a diverse pool of talented cybersecurity professionals.
“The people who come to us really care about getting better at hiring and want to see a more diverse workforce,” said Diamond.
Diamond said she and all of CyberSN are committed to continuing to transform the job searching and matching landscape. Whether it’s finding more efficiencies or creating strategic partnerships, the company plans to grow and build on their reputation for being number one in the industry for identifying and placing diverse cyber professionals.
To learn more about CyberSN and the menu of services they offer for finding, matching, and hiring cybersecurity professionals, contact us today.
It’s no secret that tech has struggled to diversify its workforce. Equal representation of minorities and women in tech still has a long way to go. But as companies also struggle to fill cybersecurity jobs, there can sometimes be a disconnect between needing to fill a position today and working harder to make cyber teams more diverse in the future. To properly address the problem, first we need to understand what’s causing the problem.
In 2014, some of the biggest tech companies in the world came together to look at the representation of women and minorities among their ranks through a joint diversity study. The idea was that by understanding the demographics of the company, it would be able to better move toward a more diverse workplace.
Unfortunately, the 2020 study showed little has changed in the past decade, despite efforts to increase diversity. While women are now 23% of Facebook’s technical workforce, African-American employees are woefully underrepresented (3.8% of the workforce) as well as at Twitter (2% of the workforce). At Apple, 53% of new hires are from historically underrepresented groups in tech, however the lack of diversity in leadership roles indicates people within these groups are not sticking around or being promoted.
The need for more women in tech and an overall increase in diversity throughout the tech world is well documented and even more pressing when it comes to cybersecurity. In 2020, it should go without saying that diversity is good for business, leading to better products and services that are designed for a wide range of people. With the demographics of the U.S. becoming more diverse each year, smart businesses should be making diversity hiring a priority if they are to compete in the future, yet as we see with these tech giants, it takes more than simply acknowledging the problem.
To create a diverse workforce, your company must hire and retain a diverse staff. Encourage an environment where team members are supportive. Competition should be healthy, not cut-throat. Nicknames and teasing, even if done “in good fun” can leave employees feeling like they’re on the outside.
Companies are wise to take a hard look at company culture and ensure it is not discriminatory, especially if areas of your workforce are male-dominated. A 2017 poll by the Pew Research Center found that 50% of women said they had experienced gender discrimination at work. The numbers were even higher for women working in tech, at 74%, or in male-dominated workplaces, at 78%.
Bottom line? There’s a need to ensure workplaces are safe environments for all employees and that companies foster a culture of support and inclusion, free of snarky comments and cliques. Letting a negative workplace environment fester can not only lead to attrition, but as word gets out in tight-knit circles like cybersecurity, it can hamper recruiting too.
Every hiring manager and HR recruiter is looking for that impressive resume with a specific degree from a top school and all the right job titles, but in a tight cybersecurity job market, those can be hard to come by. Instead of relying on HR software to curate resumes, look more closely for people who may not be an exact fit at first glance but have all the right skills.
While most hiring managers may be reluctant to admit it, unconscious bias can influence hiring decisions, especially when looking for people who will fit in with the team. This can often lead to hiring people like themselves, in appearance, background and world-view. One way companies are overcoming this, according to TechRepublic, is to use diverse analytics software to hide personal information, such as name, age, gender, and ethnicity, allowing recruiters to focus on more relevant factors like job skills and experience.
This kind of tech is the idea behind the CyberSN platform KnowMore, which also puts the focus on skills and experience, creating anonymous profiles companies can review without the professional worrying about bias.
Because there’s a shortage of cybersecurity professionals in the workforce today, it’s a great opportunity for people who have left work for a while to re-enter the workforce. It remains an amazing untapped talent pool.
COVID-19 is forcing many people, especially women who are often the caregivers, to opt out of the workforce. It can be difficult for women to come back to work after such breaks, leaving talented people willing to work sidelined. Why risk losing a qualified professional just because of a career gap? In the interview, ask about the break—motivated people will often tell you about volunteer work, training, or professional development they did during that time, ensuring they stayed engaged and kept skills fresh.
The financial research firm Morningstar formed a women’s initiative group that aims to make Morningstar a leading supporter of women in financial services, and created a diversity council to provide a platform for discussions on diversity to foster change. Tech company Vail Systems created a policy requiring at least one woman participate in the interview process for each role. The company also makes sure to have women representing Vail at all of its recruiting events.
These examples reveal that hiring for diversity takes more than simply a desire to do so. Taking action within the company indicating diversity is a priority is a good first step. Giving your hiring process a fresh look and how it may be leaving people out is another.
As a woman-owned company, CyberSN is committed to improving diversity throughout the cybersecurity industry and helping others do so too. Our results speak for themselves. At CyberSN, 52% of our placements are diversity hires. We know it’s possible to find great talent among all races and genders. If you’d like to learn what your company can do to improve workplace diversity, get in touch.
Cybersecurity job titles are all over the map. Some companies have their own definition of what a security engineer does, while another company requires a whole other set of skills and experience. Cybersecurity roles and responsibilities for specific job titles can vary from organization to organization, leaving many hiring managers, HR recruiters and job seekers speaking different languages about the same job!
The NICE Cybersecurity Workforce Framework attempts to standardize cyber job titles—in a 144-page document. Few companies have HR recruiters who have even heard of NICE, let alone know what any of these job title definitions are. The Bureau of Labor Statistics puts most of cybersecurity’s many different roles and responsibilities under the giant umbrella of “information security analyst,” defined as people who “plan and carry out security measures to protect an organization’s computer networks and systems.”
Defining these roles and responsibilities should not be complicated. While there will always be slight differences between different jobs at different organizations, having standardized terms makes it easier to search for talented cyber pros. Here you can find a list of 45 Cybersecurity Job Categories and many more subcategories that will help you use the right language to create a job description cybersecurity professionals will want to apply to.
Before you dive into the list, though, let’s go over some of these categories and what they mean.
When it comes to C-level leadership roles, the titles are pretty self-explanatory. Chief Information Security Officer (CISO) and Chief Security Officer (CSO) are the people who oversee all of cybersecurity and then some. When it comes to keeping the company safe from cyber threats, the buck stops there.
Similar to the CISO and CSO are roles like Security Director, which can have different names and areas of focus depending on the type of company and its size. For example, a CISO may have a Cloud Security Director and an Information Security Director reporting to them. Other leadership roles that bring with them more responsibility and higher compensation include Privacy Officer, Compliance and Risk Manager, and Security Product Manager.
For many years, corporate leaders looked at cyber leadership roles as purely technical, but with the speed of today’s attackers and the importance of aligning with the business, the Board of Directors, and strategies throughout the organization, well-rounded leaders are more important than ever. As Harvard Business Review notes, “Today’s cyber leaders must be able to embed security throughout the company’s operations, rapidly respond to threats, and influence fellow senior leaders. In short, they must be able to lead. And that means companies need to hire and develop security executives who have the skills to do so.”
Technical roles include both people who configure, maintain and tune the systems for securing information as well as those who defend, detect, and respond to attacks.
Security engineers may build or monitor the environments and protections to minimize attacks before they can happen. Application Security Engineers are focused on securing software applications. Then there are Security Analysts who monitor and may actively hunt for threats and Incident Responders who review and remediate identified threats. There are Penetration Testers who look for vulnerabilities much like an attacker would and Cryptographers who focus on encryption.
As we’ve said before, it’s not just the title that matters. Hiring managers must vet candidates based on whether they have the right skill set for the job. Having the wrong title on your job description could prevent you from finding that person. When people search for potential jobs, they start first with their own title and then run through similar, frequently used titles that closely match their skills. If they aren’t looking for your job title, they may never see the opening at your company.
In turn, some great candidates may work at a company that used uncommon or unconventional titles. If your organization vets professionals using resume search software, it may miss highly qualified people.
There are a number of cybersecurity roles that focus on executing and integrating security measures across the organization through policies and programs. Many of these are considered GRC (Governance, Risk and Compliance) roles. This can include Security Auditors, Cybersecurity Attorneys, Cyber Insurance Specialists, Security Awareness Trainers, and Customer Support Representatives.
Attackers depend on human error to infiltrate organizations, which is why it’s so important to have liaisons between human resources and technical roles within cybersecurity. Too often the job of ensuring every employee understands the importance of security practices falls onto the wrong department—IT may be charged with finding cyber insurance, or HR may show a short security protocol video during onboarding that is never mentioned again. Non-technical cybersecurity roles are needed to keep large organizations focused on protecting their data.
Using a common language is essential in any profession, whether it’s technical or creative, and cyber is no different. As cyber hiring consultants, we’ve worked to use a common language so that it’s easier for people to find the kinds of jobs they’re looking for, and for companies to understand the skills potential hires would bring. Getting familiar with cybersecurity roles and responsibilities for each job title will help your company do the same as well.
If you’re single—or remember the days when you were—you know how hard it can be to find the right person. Meeting people at work, the gym, or during happy hour might get you dates, but any initial chemistry you have can mask glaring incompatibilities. Online dating only began to gain popularity when the platforms provided information that different people looking for a relationship could use to better assess if the profile they were viewing was a good match for them.
Believe it or not, it’s been 25 years since Match.com began connecting people online, and the way online dating has evolved has not only revolutionized how people meet, fall in love, and hopefully maintain a lasting relationship, it has also revealed how important compatibility is to lasting happiness.
So what does this have to do with recruiting cybersecurity professionals? Same as dating, it’s about compatibility.
What Match.com, eharmony, and other similar online dating sites have in common is they let people view not just pictures of possible matches, but a whole menu of attributes, from where someone lives to interests.
Surveys of people who have used online dating apps reveal that this approach—searching based on metrics like location, career choice, and Zodiac sign (if that’s your thing)—works for the majority of them. A study by the Pew Research Center found that 64% thought dating apps made it easy for them to find someone who shares their hobbies and interests and that 61% easily found someone who was interested in the same kind of relationship.
The goal of the talent search should be to match skills and experience with your company’s needs. Resumes do a terrible job of showing employers what a person is really capable of. What’s worse, job descriptions often fail miserably at telling cybersecurity professionals what the organization is looking for.
Not only are organizations telling us they can’t find the right professionals using traditional HR recruiting methods, the cyber pros we know say it’s difficult for them to find a job that’s right for them! With a shortage of cybersecurity professionals, how could that be?
We asked ourselves the same question and believe it’s because the process is broken. There’s a disconnect between the way people are searching for work and the way organizations seek talent. We were tired of navigating around the problem, so we decided to do something about it. We created the platform KnowMore to let companies post jobs for free, as well as search cybersecurity professionals’ profiles based on the specific skills they need.
By taking the same approach that made dating apps successful, we knew we could make matching organizations and skilled cybersecurity professionals easier.
Diving deeper into how online dating could lead to better workplace happiness, we saw more advantages than just letting people search by attribute.
Back in the days when people asked each other out on dates in real life, choices were pretty limited. If the person didn’t live in your town or work with you, chances were you would never meet. Online dating opened up a whole world of new potential mates by increasing the size of the pool from which you can search. You can chat with someone three towns over—or across the country—from the comfort of your couch.
Same goes for companies seeking talent. When you rely on the same local pool of candidates, you are limiting the possibilities. Even headhunting apps like Monster.com or LinkedIn are limiting, since many cybersecurity professionals steer clear of those sites. We liked the idea of having a platform that’s for cyber pros and those who have open cyber jobs, allowing them to connect wherever they are in the world.
When Gary Kremen first launched Match.com, he knew the key to the company’s success was getting women to adopt the platform. But as he gathered feedback from women about what metrics the site planned to gather, he found many of the questions and the way the answers would be displayed were concerning to women. It may seem quaint now in the era of social media influencers, but one of the biggest questions from potential users was privacy. They wanted to know, who would get to see my profile?
That’s something we hear all the time. Cyber pros who are thinking about making a change don’t because they fear the boss will find out about their job hunt. Having a platform that protects privacy encourages top talent to see what’s out there, but it also pushes organizations to look past more superficial aspects, like where someone went to school.
Because cybersecurity hiring is a competitive market, skilled cybersecurity professionals are looking for a job that’s going to be the right fit. This includes all aspects of the job, from the day-to-day work to length of commute, opportunity for growth, pay and stock options, and working remotely. KnowMore includes these key attributes, allowing job seekers to search jobs that offer the perks they’re looking for, and for organizations to attract top talent by including them in a job description.
Above all else, building a successful match-making platform—whether it be matching people looking for love or people looking for employees—relies on a sense of trust. Both parties must believe the platform will deliver a good match if it’s to work.
Companies searching for cybersecurity professionals have struggled in recent years because the platforms they use fail to deliver enough candidates that match what they’re looking for. They can no longer trust that the old way of doing things works when it comes to cyber hiring. We saw this as a big problem, holding back both organizations and professionals looking to advance their careers. We think we’ve come up with a better way, one that focuses on matching skills, needs, and work-life balance. Like we said, it’s about compatibility.
In continuing to share up-to-date information about the state of the cybersecurity job market, I am happy to say our profession is proving to be very, very resilient. Companies are still hiring to fill cybersecurity jobs. Unfortunately, we’ve also recorded cybersecurity layoffs over the last two weeks in industries that were affected by Covid-19.
(If you’d like to read my previous “State of the Cybersecurity” reports you can view the last one here.)
Companies that focus on gig workers, transportation, and hospitality have recently been hit hard and in turn reduced their security teams. We are seeing the layoffs at these companies concentrated in IR, SOC and Corp/IT Security. We are not seeing layoffs at these same firms for product security or application security. From seeing this data, I can’t help but think that while it seems smarter to let go of your hunters vs your product security professionals, how does one even make that decision?
“Cybersecurity threats and privacy risks do not just disappear during the COVID-19 downturn in business. Incidents and breaches will continue,” said Dom Glavach, CyberSN’s Chief Security Officer. “Cyber criminals and adversaries are leveraging all aspects of the pandemic to land and launch attacks, insider threats generally increase with employee reduction actions, and privacy compliance does not have a pandemic waiver.”
The economic reality at these companies and the opportunistic nature of cyber attackers are creating a perfect storm. Business leaders have to find a way to weather the crisis, and that has played out in leaner budgets and layoffs. Right now, this means that cybersecurity professionals are doing more than just cyber operations, and in some cases, layoffs have created disgruntled employees. Worse yet, phishing attacks are up 37 times since January 2020.
Effective cybersecurity is a triad of people, process, and technology, with each dependent on another. Processes will fatigue and technology atrophy will occur without enough people, or the right people, in place. All of this gives the advantage to the attacker.
Besides the risk of employee burnout and increased attacks, cyber layoffs have other risks to consider.
While I share all of this, I also know that capitalism makes these risk decisions unbearable and impossible. I feel for those making these decisions and for those who are affected by them; the good news is for all the talented professionals who are laid off, there are wonderful people looking to hire you. Stay strong. Stay kind. Stay inclusive. Seek to learn always. Love will prevail.
When you have one or more cybersecurity positions to fill, it’s only a matter of time before the pressure will start to mount to get someone in the role ASAP. You know you can’t just throw anyone in the role. When you consider that the top data breaches in 2018 affected more than 100 million people, finding skilled, experienced, trustworthy talent makes getting cybersecurity recruitment right that much more important.
Having a positive company culture and being active on social media are ways to raise the profile of your company and help with cybersecurity recruitment, but they won’t get you more resumes in your inbox like the right job description and a solid network of connections will. We’ve mined the expertise of our recruitment team to put together this list of cybersecurity recruitment tips to help you find better talent in less time.
Chances are the best and brightest in cybersecurity are already working at another company. It’s why most cybersecurity professionals will tell you they are contacted by recruiters on a near daily basis. To find the right candidate for your cybersecurity post, you will have to be more aggressive than managers hiring in other fields.
If you have a position that’s been open longer than six months and your traditional recruitment avenues have produced nothing, you need to look somewhere else. Are you attending local industry meetups? Do you know what local cybersecurity professionals are reading? Where are they chatting online? To find new talent you’re going to need to do some good old fashioned networking.
While this may seem like a challenge, for many companies it can be an opportunity to increase diversity. Breaking outside of your regular recruiting network and connecting with groups like Secure Diversity introduces you to candidates from different backgrounds who are likely to bring balance to your company’s experience set. For example, a report by Cybersecurity Ventures estimates women made up 20% of the cybersecurity workforce in 2019, so it’s clear there is still a lot of work companies can do to increase diversity in this field.
One of the biggest mistakes companies make when it comes to cybersecurity hiring is immediately eliminating candidates without the required degree. Any hiring manager will tell you a great candidate has so much more than the required college degree, yet we see plenty of companies get hung up on this. Many companies are finding that experience, trustworthiness, and a range of skills are more important.
Focusing on candidates with an eagerness to learn and develop will open a new pool of great talent that’s likely to be more interested if your company offers them the opportunity to grow. Highlighting professional development opportunities and the value of growth as part of the company culture will entice motivated and talented job seekers to not only apply, but once hired, be likely to stay longer too.
One of the toughest challenges in cybersecurity recruitment is getting the job description right. Often, a company may not even have the right job title, going unnoticed by dozens of great candidates who are searching for other titles.
If you have a job posting that’s been languishing unfilled for months, it’s time to take an honest look at what you’re putting out there to candidates. It may have one or more red flags that turn off promising talent. Start at the beginning with whoever wrote it. Was the description cut and pasted from other cybersecurity job descriptions? Is it asking the candidate to work the job of two or more people? If so, you’ll need to loop back with HR and come up with a better job description if you want to see new resumes come in.
Speaking of HR, human resources can be a pain point for hiring managers and candidates alike. While they are working hard to check all the boxes, it can slow the process down, leaving candidates wondering if your company is really serious about filling the post. With an estimated 3.5 million cybersecurity positions expected to go unfilled by 2021, you will need to act in a timely fashion when a good candidate applies.
Sometimes, you just don’t have the bandwidth to hunt down quality talent. Making connections and attending networking events takes time. Hiring a recruiter who can invest the resources into finding the right candidate can save your company time in the long run. Look for a recruiting firm that specializes in cybersecurity. Recruiters who don’t speak the language of cybersecurity and aren’t well-versed in the skillset you’re looking for won’t yield the same results a cybersecurity recruitment firm will.
Another way to shift your search into high gear is using the tool KnowMore. This talent matching platform is a resource for both job seekers and employers, allowing you to browse candidates, search by role, and even start a conversation directly with the candidate.
Acing cybersecurity recruitment begins with acknowledging that it’s different than filling other jobs. The specialized skill set and high level of trust required makes finding the right talent more difficult. By adopting these approaches, however, you can start to attract better talent faster.
At a time when working remotely is challenging existing security practices, cybersecurity and information security staffing remains a priority for many companies. Hiring freezes are being lifted, or were never applied to essential cybersecurity positions. As hiring managers look to fill their teams at this critical time, they report that there don't seem to be enough cybersecurity professionals to go around and that they are struggling to find qualified people.
CyberSN has been solely focused on the information security and cybersecurity industry since 2014. Founder and CEO Deidre Diamond saw a disconnect between how companies were approaching cyber talent and what skilled cyber pros were looking for. The mission of CyberSN is to take a different approach to fix a broken system and offer a range of services that match companies with the right infosec professional.
While most companies approach hiring the same way they’ve been doing it for the past decade or more, scrapping the old system to try something new has paid off—we can fill cybersecurity positions in under 39 days, compared to the many months it can take recruiters and internal human resources teams. Here’s how we did it.
Too often companies think they can throw a job description on LinkedIn, Monster, and Indeed and the resumes will roll in. Unfortunately, information security professionals aren't always on these channels because they are suspicious of those sites' ability to protect personal information. So where can you look?
What if there was a job board that was only for cybersecurity professionals? It’s a question we asked ourselves after hearing from companies about their struggle to staff their cybersecurity teams using traditional channels.
Using what we heard from those companies as a guide, we created the KnowMore job search platform. Today, it has profiles from thousands of information security professionals who are seeking work. Some are actively looking for a job, while others may be passively looking for a different opportunity, such as relocating or more pay.
We know how critical it is for companies to fill their cyber teams, especially today with so many emerging threats. To help companies connect with qualified cyber professionals, we recently launched KnowMore Community Edition as a free service, allowing them to not only search, but also post jobs for free.
On KnowMore Community Edition, each professional fills out a profile based on the skills they have to offer. The profile also includes those “deal-breaker” aspects of the job that can derail hiring late in the process, like desired salary and work-life balance benefits. The profiles are confidential, stripping away the fluff that comes with a traditional resume to the most important metrics.
When you find a profile that sparks your interest, you reach out through KnowMore. The person behind the profile can opt to keep the conversation going, drop the anonymity, and connect via email or phone.
What if we told you there are information security professionals out there actively looking and the reason your company is struggling to hire them is because they look at your job postings and don’t like what they see?
The unfortunate truth is that many companies don’t know how to write a job description for cyber. They cut and paste requirements and responsibilities from old job descriptions that may not even fit the role. Other times they throw every possible dream attribute into the description as if they were looking for some unicorn cyber pro. When qualified people look at these kinds of job descriptions, they react with a hard pass.
We started looking for an efficient way for companies to build a better job description and stop disqualifying themselves the second they post an open role. The job description builder tool in our KnowMore platform asks questions about the role you are trying to fill and the skills needed to succeed. In under 10 minutes, you can build a job description that’s straightforward and speaks directly to cyber professionals using their language. The method gets companies beyond the buzzwords and breaks them free of the cut-and-paste job descriptions that are holding them back.
Because many information security professionals steer clear of social media and mega job search sites out of concern for their privacy, companies are forced to get innovative about cyber staffing. Attending industry events, building a network in the industry, keeping up to date on emerging threats, and knowing how to "speak the language" are the best ways to recruit talented people.
But what if you don’t have the time for that?
In developing CyberSN’s menu of services, we saw that companies need insider knowledge in the cyber industry to recruit, but that few had someone internally who could offer that. In response, we developed Talent Scout, a staffing service that does the searching for you and provides a list of vetted candidates.
For companies that have a strong internal hiring process, but are struggling to identify interested cyber professionals, using Talent Scout can really expedite the information security staffing process.
The goal of any company should be to hire people who are not only qualified, but also love their job. It’s our goal too. But there are some factors that prevent companies from achieving it when it comes to information security staffing:
Both of these problems indicate something broken within your cybersecurity hiring process. If this is the case, your company is not alone. Turning to outside help can not only help you fill the position, but also shift your hiring process so that you’re more successful in the future.
CyberSN developed our Engaged Staffing service to help cyber professionals find jobs they love and to make the talent search for companies easier. We’ve refined the process since 2014 and are now able to deliver professionals to you ready for in-person interviews in under 39 days. By getting to know your company and its needs, we can find skilled cyber professionals who also understand your company and are eager to work there.
Because cyber is a job seeker’s market, we also show your company how to present itself in the best light, from helping write a better job description to making a job offer.
For companies with a well-established hiring process in place, it can be difficult to make changes, let alone hire an outside recruiter. But there are ways to shift the information security process to get better results.
Seeking expert advice is the fastest way to improve hiring outcomes. A better understanding of the cybersecurity industry, cyber culture, and salary expectations gives companies the advantage.
But how do you get that knowledge?
CyberSN’s expertise is one of our top features, relying on our team’s experience working in the industry. We saw that companies wanted to mine that knowledge to improve hiring at their own companies, so we made it a part of our services.
Our Strategy Consultation provides you with insights on building better job descriptions, right-sizing compensation packages, developing organizational charts, and understanding not just your company’s cyber needs, but also job seeker expectations in the workplace. A consultation includes talking with two of our subject matter experts—one specializing in cybersecurity and the other in cybersecurity staffing—about the problem areas in your current hiring process. You’ll walk away with a new hiring strategy targeted specifically at filling cyber teams.
As the only company focused solely on cybersecurity staffing, we know there are problems with the job search and hiring process that need addressing, but at the end of the day, it all comes down to people. Matching qualifications, certifications, and requirements is something anyone can do, but finding a professional with the right skills for the role, as well as the interest to invest themselves in your company, that takes a willingness to understand what motivates people in the industry. If your company is struggling to thoroughly address the challenges in information security staffing, it must be willing to do things differently.
If you want to know more about our innovative approach and the secrets to finding successful matches, reach out and talk to us.
While many companies are today working from home, at some point, the workforce will return to the office. It’s not clear what this will look like; it may be a small portion of workers heading back in phases or everyone at once. There is also the possibility that working from home will remain the norm and working in an office becomes a scheduled routine. Regardless of the when, how or how many, managing cybersecurity risks during an office homecoming after adapting to remote work can be challenging. Establishing a post-COVID cyber baseline as devices and people return to the office can minimize the cyber threats.
When organizations pivoted to work-from-home, they adapted quickly, bringing in new software and tools while people in critical roles were less available. During that rapid transition, people may have shared passwords to critical business systems with co-workers, and passwords to laptops and video conferencing services may have been shared with family members at home.
Baseline: Reset passwords to laptops and essential accounts. Ensure multi-factor is enabled.
In the rush to get people working remotely, not every employee was able to take a company laptop home, and in some cases the company laptop failed during the stay-at-home period. That forced employees to use personal devices to connect to the company network. Research from BitSight found that almost half of companies had malware on their corporate-associated home networks, compared to 13% of corporate networks.
"Use of personal devices creates problems around document preservation matters and adds increased risk," wrote Brenda R. Sharton, a litigation partner and global chair of Goodwin's Privacy + Cybersecurity practice, in an article for the Harvard Business Review. "In addition, the software powering some home equipment can be months or even years out of date."
Baseline: Scan the network to identify new or unknown devices.
People across the organization have been tasked with getting things done, sometimes putting security aside because of urgency. Sending email from mobile devices could result in accidental sends from personal accounts, and online storage and USB devices could have been used to download or print documents. These activities mean confidential information or PII may now be everywhere.
Baseline: Use SIEM alerting on common file storage services and personal emails with attachments.
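The SIEM rules that baseline calls for can be prototyped and tuned against sample data before they go live. The Python below is an added example, not code from the original post or from CyberSN: it runs two detections over constructed web-proxy and mail-gateway log lines (the key=value log format, the domain watchlists, the hosts, users and the 1 MiB upload threshold are all assumptions made for this example), flagging large uploads to consumer file-storage services and outbound messages to personal webmail domains that carry attachments.

```python
"""Added example: two return-to-office SIEM detections run over constructed log lines.
Log format, watchlists, hosts and users are assumptions for this example."""
import re
from dataclasses import dataclass

# Assumed watchlists; in a SIEM these would be lookup tables maintained by the SOC.
FILE_STORAGE_DOMAINS = {"dropbox.com", "dropboxapi.com", "drive.google.com", "wetransfer.com", "box.com"}
PERSONAL_MAIL_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "icloud.com"}

# Constructed web-proxy log (key=value fields after the timestamp).
PROXY_LOG = """\
2020-05-04T09:12:01Z user=alice src=10.1.4.22 method=POST host=drive.google.com path=/upload bytes_out=5242880
2020-05-04T09:13:10Z user=bob src=10.1.4.31 method=GET host=www.example.com path=/ bytes_out=312
2020-05-04T09:15:44Z user=carol src=10.1.4.40 method=PUT host=content.dropboxapi.com path=/2/files/upload bytes_out=10485760
2020-05-04T09:16:02Z user=dave src=10.1.4.51 method=GET host=drive.google.com path=/open bytes_out=200
"""

# Constructed mail-gateway log for outbound messages.
MAIL_LOG = """\
2020-05-04T10:01:00Z from=alice@corp.example to=alice.home@gmail.com attachments=2 size=734000
2020-05-04T10:02:30Z from=bob@corp.example to=partner@vendor.example attachments=1 size=120000
2020-05-04T10:05:12Z from=carol@corp.example to=carol@yahoo.com attachments=0 size=4200
"""

KV = re.compile(r"(\w+)=(\S+)")


@dataclass
class Alert:
    rule: str
    user: str
    detail: str


def parse_kv(line):
    """Turn 'k=v k2=v2 ...' into a dict; tokens without '=' (the timestamp) are skipped."""
    return dict(KV.findall(line))


def matches_domain(host, domains):
    """True when host is one of the watched domains or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def detect_file_storage_uploads(log_text, min_bytes=1_048_576):
    """Flag POST/PUT requests of at least min_bytes to a watched file-storage domain.
    Plain GETs (viewing a shared file) are not flagged, which keeps the rule quieter."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_kv(line)
        if not ev:
            continue
        if (ev.get("method") in {"POST", "PUT"}
                and matches_domain(ev.get("host", ""), FILE_STORAGE_DOMAINS)
                and int(ev.get("bytes_out", 0)) >= min_bytes):
            alerts.append(Alert("upload_to_file_storage", ev["user"],
                                f"{ev['method']} {ev['host']}{ev['path']} ({ev['bytes_out']} bytes)"))
    return alerts


def detect_personal_mail_attachments(log_text):
    """Flag outbound mail with at least one attachment sent to a personal webmail domain."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_kv(line)
        if not ev:
            continue
        recipient_domain = ev.get("to", "").rpartition("@")[2]
        if int(ev.get("attachments", 0)) > 0 and matches_domain(recipient_domain, PERSONAL_MAIL_DOMAINS):
            sender = ev.get("from", "").partition("@")[0]
            alerts.append(Alert("attachment_to_personal_mail", sender,
                                f"{ev['attachments']} attachment(s) to {ev['to']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_file_storage_uploads(PROXY_LOG) + detect_personal_mail_attachments(MAIL_LOG):
        print(f"[{alert.rule}] {alert.user}: {alert.detail}")
```

Both detections return alert objects rather than printing, so the same logic can be scheduled as a job or checked against known samples. The byte threshold and the domain lists are where false positives get managed; a sanctioned corporate storage tenant, for instance, belongs on an allowlist rather than in the watchlist.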
Many organizations are susceptible to lost hardware during times of rapid change. Furloughed employees may still have their company-issued laptop, while others took advantage of the swift deployment of working from home to grab a device from the office. Lingering devices put you at risk of data loss or a network breach.
Baseline: Update laptop and mobile device inventory and disable missing devices.
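The two inventory baselines above (identify unknown devices on the network, and disable devices that never came back) are really one reconciliation between what the asset register says and what the office network shows. The Python below is an added example, not code from the original post or from CyberSN; the inventory, the ARP/DHCP-style scan results, the asset tags, users and the 30-day idle threshold are all constructed for this example. It sorts devices into three buckets: unknown MACs seen on the network, inventory entries to disable, and furloughed users' devices that showed up anyway and need a closer look.

```python
"""Added example: reconcile a device inventory against a network scan taken as
people return to the office. Inventory, scan results and thresholds are constructed
for this example."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Asset:
    tag: str            # asset tag from the inventory system
    mac: str
    user: str
    status: str         # "active" or "furloughed"
    last_checkin: date  # last time endpoint management saw the device


# Constructed inventory.
INVENTORY = [
    Asset("LT-0001", "aa:bb:cc:00:00:01", "alice", "active", date(2020, 5, 4)),
    Asset("LT-0002", "aa:bb:cc:00:00:02", "bob", "furloughed", date(2020, 3, 20)),
    Asset("LT-0003", "aa:bb:cc:00:00:03", "carol", "active", date(2020, 2, 10)),
    Asset("LT-0004", "aa:bb:cc:00:00:04", "dave", "active", date(2020, 5, 3)),
]

# Constructed (ip, mac) pairs from an ARP/DHCP sweep of the office network.
SCAN = [
    ("10.1.4.22", "AA-BB-CC-00-00-01"),   # alice's laptop, MAC in a different notation
    ("10.1.4.31", "aa:bb:cc:00:00:04"),   # dave's laptop
    ("10.1.4.77", "de:ad:be:ef:00:01"),   # not in inventory: personal device?
]


def normalize_mac(mac):
    """Canonical lower-case colon form so scan and inventory compare regardless of notation."""
    return mac.strip().lower().replace("-", ":")


def reconcile(inventory, scan, as_of, max_idle_days=30):
    """Return three lists: unknown devices seen on the network, inventory devices to
    disable (furloughed owner, or idle longer than max_idle_days, and not seen), and
    known devices whose owner is furloughed but which showed up on the network anyway."""
    known = {normalize_mac(a.mac): a for a in inventory}
    seen = {normalize_mac(mac): ip for ip, mac in scan}

    unknown = sorted((ip, normalize_mac(mac)) for ip, mac in scan
                     if normalize_mac(mac) not in known)

    disable, review = [], []
    for asset in inventory:
        mac = normalize_mac(asset.mac)
        idle_days = (as_of - asset.last_checkin).days
        if mac in seen:
            if asset.status == "furloughed":
                review.append((asset.tag, f"furloughed user {asset.user} on network from {seen[mac]}"))
            continue
        if asset.status == "furloughed":
            disable.append((asset.tag, f"assigned to furloughed user {asset.user}"))
        elif idle_days > max_idle_days:
            disable.append((asset.tag, f"not seen for {idle_days} days"))
    return {"unknown": unknown, "disable": disable, "review": review}


def default_report():
    """Run the reconciliation over the constructed data as of the scan date."""
    return reconcile(INVENTORY, SCAN, date(2020, 5, 4))


if __name__ == "__main__":
    for bucket, items in default_report().items():
        print(bucket)
        for item in items:
            print("   ", item)
```

The "disable" bucket is the list to feed into the MDM or directory to block the device; the "unknown" bucket is what the network scan baseline is after, and each entry needs a human to decide whether it is a personal laptop, a forgotten printer, or something worse.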
Working from home likely required software installs, whether for office productivity, video conferencing, PDF-converters, or electronic signatures. Some software even supported virtual happy hours and entertainment to keep teams connected. By one estimate, 62% of people have signed up for new tools and platforms during the COVID-19 crisis. Some of this new software may not meet company requirements, or could have vulnerabilities that put your company at risk.
Baseline: Scan laptops for unauthorized software and potential shadow IT.
Application and operating system updates were likely part of your work-from-home cyber strategy. But this may not have included infrastructure devices supporting the physical office and changes to firewall policies, cloud security groups, and other security software that is just as essential to update to keep the organization protected.
Baseline: Scan, prioritize, and update infrastructure devices and policy rules.
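Prioritizing which policy rules to revisit first is easier with a scoring pass over an export of the rule set. The Python below is an added example, not code from the original post or from CyberSN: it audits a constructed list of inbound firewall or cloud security-group rules (the rule names, ports, source ranges, the admin-port list and the assumed 16 March 2020 work-from-home start date are all assumptions for this example) and ranks them so that any-source rules exposing administrative ports, and anything that looks like a rushed temporary change, rise to the top.

```python
"""Added example: audit firewall / cloud security-group rules and rank them for
review after a rushed work-from-home rollout. Rules, ports and the WFH start date
are constructed assumptions for this example."""
import ipaddress
from dataclasses import dataclass, field
from datetime import date

# Ports that should never be reachable from the whole internet (assumed list).
ADMIN_PORTS = {22, 23, 445, 3389, 5900, 5985, 5986}
WFH_START = date(2020, 3, 16)   # assumed date the office emptied out

# Constructed inbound rules, in the shape a security-group export might take.
RULES = [
    {"name": "allow-rdp-any", "proto": "tcp", "port_from": 3389, "port_to": 3389,
     "source": "0.0.0.0/0", "added": date(2020, 3, 18), "comment": "temp for WFH"},
    {"name": "allow-https-any", "proto": "tcp", "port_from": 443, "port_to": 443,
     "source": "0.0.0.0/0", "added": date(2019, 6, 1), "comment": "public web"},
    {"name": "allow-ssh-vpn", "proto": "tcp", "port_from": 22, "port_to": 22,
     "source": "10.200.0.0/16", "added": date(2019, 1, 15), "comment": "from VPN pool"},
    {"name": "allow-all-temp", "proto": "tcp", "port_from": 0, "port_to": 65535,
     "source": "0.0.0.0/0", "added": date(2020, 3, 25), "comment": "temp remote access"},
]

# How much each finding contributes to a rule's priority.
WEIGHTS = {"any-source": 3, "admin-port": 2, "all-ports": 1, "temporary-or-wfh-era": 1}


@dataclass
class Finding:
    name: str
    score: int
    reasons: list = field(default_factory=list)


def covers_port(rule, port):
    """True when the rule's port range includes the given port."""
    return rule["port_from"] <= port <= rule["port_to"]


def score_rule(rule, wfh_start=WFH_START):
    """Additive score: the broader the exposure and the more it looks like a rushed
    temporary change, the higher the rule ranks for review."""
    reasons = []
    net = ipaddress.ip_network(rule["source"], strict=False)
    if net.prefixlen == 0:                      # 0.0.0.0/0 or ::/0
        reasons.append("any-source")
    if any(covers_port(rule, p) for p in ADMIN_PORTS):
        reasons.append("admin-port")
    if rule["port_from"] == 0 and rule["port_to"] == 65535:
        reasons.append("all-ports")
    if "temp" in rule["comment"].lower() or rule["added"] >= wfh_start:
        reasons.append("temporary-or-wfh-era")
    return Finding(rule["name"], sum(WEIGHTS[r] for r in reasons), reasons)


def audit_rules(rules, wfh_start=WFH_START):
    """Score every rule and return those needing attention, highest priority first."""
    findings = [score_rule(r, wfh_start) for r in rules]
    return sorted((f for f in findings if f.score > 0), key=lambda f: (-f.score, f.name))


if __name__ == "__main__":
    for f in audit_rules(RULES):
        print(f"{f.score:2d}  {f.name:18s} {', '.join(f.reasons)}")
```

The weights are deliberately simple so the ordering is explainable to whoever owns the change: an internet-wide RDP rule with "temp" in its comment outranks a long-standing public HTTPS rule, and SSH restricted to the VPN pool is still listed, but last.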
As people return to the office, the pace and focus will be on reconnecting and restoring the workload. People will be busy playing catch-up and not necessarily focused on cyber threats. With six out of 10 people reporting they had fallen victim to a phishing scam even before the rise in attacks during the COVID crisis, it stands to reason that phishing and ransomware will continue.
Baseline: Include cybersecurity awareness in the return-to-office messaging.
While another major shift in the work environment may seem daunting, the investment in work-from-home security sets companies up well for a return to the office. Keeping track of what was done as people shifted to work-from-home will give organizations a solid baseline. Track what worked well and use what didn't to make security modifications and tighten access restrictions. These lessons learned will only enhance your organization's ability to be agile if another major disruption happens.
The shortage of cybersecurity professionals has been well studied, documented, and publicized. According to ESG Research, 51% of companies say their organization has a problematic shortage of cybersecurity skills. The most well cited study on the cyber workforce shortage, by (ISC)², estimates that an additional 4 million more cybersecurity professionals are needed to defend organizations above the 2.8 million professionals worldwide currently working in the field. It’s an issue we’ve even talked about on this blog. Even in this current economic climate where all industries are facing uncertainty, the need for more cybersecurity professionals still exists.
The painful reality is that companies need skilled cyber professionals to tackle emerging threats efficiently. Companies are planning to spend more in 2020 on cybersecurity than they did last year, according to a recent report from ESG Research.
“Many organizations are in the process of reengineering their entire cybersecurity infrastructure in an attempt to improve efficacy, streamline security operations, and support new technology-driven business processes,” the report said. If your company is investing in its cybersecurity operations, it’s likely you will need to hire more people.
Let’s dive into each step a little deeper.
It’s simple supply and demand. When there are more open positions than people who are able to fill them, professionals can demand higher pay. To get talented cybersecurity professionals to work for you, your company will likely have to pay more.
We understand raising salaries can be an uphill battle at some companies. Wage growth was sluggish even when unemployment was at record lows, so why would a company think cybersecurity professionals are any different? Now that the economy is facing an uncertain road ahead, some organizations may falsely believe that they have the salary negotiation advantage.
The truth is, the majority of skilled cybersecurity professionals are currently employed and earning good pay. To get one of them to leave and come work for you, you must offer a better opportunity, and that almost always includes better pay.
Because there are so few cybersecurity professionals out of work, even in the current economic climate, your company must also recruit candidates who are passively looking—that is, currently employed but open to other opportunities. To search for passive job seekers successfully, your company will need help from someone with experience in the cyber industry.
Companies that use internal teams for recruiting and hiring all face the same problem: it hasn't worked well in the past, yet they keep doing it. Few internal human resources or recruiting professionals know where to look to find those passive candidates. When they do, they approach prospects with poorly written job descriptions that signal your company communicates poorly or expects a new hire to do the role of two or more people.
Hiring an outside recruiter is another option, but competition will remain high and success rates mixed. According to (ISC)², one out of five people surveyed said they receive at least one recruiting contact daily.
Hiring for cyber can be so tricky that you don't so much need a recruiter as a matchmaker. Hiring a company that specializes in cybersecurity staffing, one that speaks the language and understands what you and the job seeker are looking for, ensures a swifter and more efficient hiring process.
For example, CyberSN’s Engaged Staffing solution does more of the work for the company—finding interested and qualified candidates, vetting them for skills and qualifications, and prepping them for interviews. We even work with companies pre-interview to help them present the best image of their organization possible, from writing the job descriptions to preparing the hiring team for the interview. Companies that are serious about filling their cyber teams with skilled professionals know it’s key not to waste time on their own and to call for help when needed.
Resume algorithms are killing cybersecurity hiring. Too often the human resources department cuts and pastes requirements into a job description, eliminating dozens of potential hires before the company even posts the job.
People who enter cybersecurity don’t always follow a straight path. Many gain skills beyond certifications and degrees through experience. If possible, look for ways to bypass any systems that cull resumes based on educational qualifications and years of experience. Instead search for essential skills and a record of success. If you need help getting around algorithms, our job searching platform KnowMore can help. By building a professional’s profile that’s better than a resume, it helps companies and job seekers thwart the algorithms.
Attackers are always evolving and so should your cyber team. Without professional development to sharpen skills and understand emerging threats, you are not only leaving your team vulnerable, you are also sending a bad signal to future employees.
Ambitious and hardworking people are always looking for ways to improve themselves and take that next step, whether it’s running one more mile, learning a new language, or moving ahead in their careers. You want those people at your company, but without the incentive of professional development opportunities these talented cyber professionals will look elsewhere.
The cybersecurity workforce shortage poses challenges for companies, but is not insurmountable. Knowing where to look, what cyber professionals are looking for, and how to present your company in the best light will improve success rates. Companies also have to admit when they’re in over their heads. Cybersecurity is an essential part of business. If you’re continuing to search for cyber professionals without success, it might be time to ask for help.
Staying up to date on cybersecurity news is not just about knowing where the latest data breach happened. It also requires following the rapid changes in the industry, and knowing which companies are on the forefront of information security, and who the thought leaders are. Staying on top of cybersecurity news also helps CISOs and security managers ensure their teams are well-informed and aware of emerging threats. Knowing what’s happening in the cyber industry today helps your team prepare for tomorrow. Your infosec team is likely checking in on cyber news sites like The Hacker News, Threatpost, and SC Media, but there are more resources to help cybersecurity leadership get a full picture of what’s happening in the industry. Here are some of our favorites.
Nobody has time to scroll through numerous cyber news sites each day. If you’re looking for a one-stop-shop for your cybersecurity news, it’s hard to beat Cyber Security News, an aggregator site run by Cyware, a cybersecurity solutions firm. What makes the site perfect for busy managers and CISOs is its functionality and customization options. With a free registration (which requires only an email address) you can subscribe to daily, weekly, or monthly threat briefings delivered to your inbox. You can customize the alert feed by topic so the most relevant news rises to the top, and you can bookmark posts you’d like to share with the team later. By our count, the site posts between 20 and 30 alerts each day from leading cybersecurity news sites and thought leaders, making it easy for you to get updates quickly and when you want them.
There are plenty of people pontificating about the intersection of security, technology, and people. Most of us don’t have time to check in on these big-picture issues every day; however, knowing what some of the top minds in cybersecurity are discussing keeps you and your team ahead of the curve, and ahead of threats. This is also where you’re going to get insights on issues that go beyond the day-to-day tasks of security, such as workplace culture, workplace diversity, responding publicly to data breaches, and when and how to invest in your people. Thought leaders like Chris Roberts, Chief Security Strategist for Attivo Networks, and Alyssa Miller, a hacker, security evangelist and cybersecurity professional, are great to follow, as is Bruce Schneier, a fellow and lecturer at Harvard's Kennedy School and a board member of Electronic Frontier Foundation.
Sometimes the best news about the industry comes from people you already know. We all know LinkedIn is a place hiring managers have turned to for finding talent, but it’s also a great resource for intelligence gathering, especially within your region. Keeping an eye on what your connections are up to, who’s hiring, and major shifts in security leadership at other companies are all clues as to how other cyber teams are faring. Following hashtags like #cybersecurity and #cyberjobs also keeps you informed on what people in the industry are talking about. We know that not all cybersecurity professionals are on LinkedIn because many in the industry are suspicious of social media and its ability to protect user data. Still, when it comes to gathering information on what’s happening in the industry from a large sample of cybersecurity professionals, LinkedIn can’t be beat.
At publish time, face-to-face meet-ups and conferences are on a temporary hold. When it's appropriate and safe to get together again, these events play an important role in keeping cybersecurity teams up to date on tools and techniques emerging in the industry. Local meet-ups give people a chance to meet others in their region and do a little old-fashioned networking. That not only aids managers and staff when hiring and job seeking, respectively, but also contributes to shared knowledge and builds problem-solving skills. Similarly, cybersecurity and infosec conferences, like RSA Conference, provide access to industry experts, professional training, information on cutting-edge tools and techniques, and discussions on larger issues affecting the industry, such as talent retention and diversity. Cyber professionals are often stereotyped as people who love to stay at home, happy living in their own tech bubble. Yet we find the best cybersecurity professionals and thought leaders are engaged with others, constantly looking for new ways to solve problems and address threats. That requires more than just talking with friends in chat rooms. It also means following the latest in cybersecurity news.
Since I was a young girl I have felt a sense of responsibility to care for others, a responsibility to always help when people are scared, sad or stressed. Today I feel this even greater, as our world and our country faces a major healthcare crisis and as our economy is negatively affected; I am compelled like you to help. Thankfully myself, my team, and those I love have not gotten sick. Those of us who have this luck must do more and so we will.
We are all concerned, we are all affected; and we must stay informed. My team can help support us all to stay informed on the cybersecurity job market. By sharing what CyberSN sees in the cybersecurity job market from week to week we can lower our anxiety together 🙂 Knowledge is power. CyberSN can support the cybersecurity community by offering solutions to the new job challenges we will experience. Today is my first weekly share of knowledge and solutions. CyberSN is here to help. Please read on to learn how and share with our community.
As you read my assessment of the state of the cybersecurity job market, it's good to understand where my data comes from. CyberSN is a national full-service cybersecurity staffing and technology company. We have a high concentration of staffing leaders specifically in New England and the Bay Area. In our almost six years of business we have only staffed cybersecurity roles, no IT, no SW developers. We are the largest solely focused direct hire cybersecurity staffing firm in the US. We speak only cybersecurity.
Over the last four weeks the entire CyberSN team and I have felt your stress, for your stress is our stress and vice versa. By way of business we are connected by jobs, and jobs are the foundation of how we support ourselves and our families. In an economically challenged market, many jobs are at risk and everyone is concerned. At the same time, the cybersecurity space was already short 500,000 professionals in the US before the COVID-19 crisis. In theory, this means that there should be no problem for cyber professionals to find work, and yet there is more to this story. Unfortunately, our current job searching and matching system is broken; I have spoken about this vulnerability for years. You can see my talk from the RSA Conference 2020 to learn more about our broken job searching system. Now and moving forward through this economic challenge we will feel the impact of this broken job searching system even more. Today, amongst all the unknown, we must think strategically about what we are doing and understand the risks upon us. Here is what we are seeing in the market, problems and solutions included 🙂
As of today April 2, 2020:
70% of businesses put all jobs on hold two weeks ago and these roles are still on hold. These firms are putting all roles on hold, not just cybersecurity positions. Most cyber leaders feel the hold will last two to four more weeks, and yet there has been no concrete timeline from those they report to. In addition, companies that are pre-IPO or directly affected by the health crisis, such as manufacturing, travel, hotels, airlines, restaurants, and staffing services, have put all roles on hold indefinitely and are beginning layoffs or furloughs. We have not seen cybersecurity professionals being laid off at these firms. We have not seen these layoffs for cybersecurity professionals amount to greater than 1% as of yet.
30% of the market is moving forward, interviewing, hiring and onboarding cybersecurity professionals. These organizations understand that their cybersecurity teams are already overloaded and putting roles on hold would do more harm than good. The challenge for these organizations is the candidate pool is scared to make a move during the health crisis, further diminishing the available pool of talent.
Companies are pushing start dates for new hires that were scheduled for late March or April. We have not seen offers being rescinded from our clients and we have heard from 2% of the market that this has happened to them. Much of the start date push is due to the work from home mandate for non-essential industries. Many companies are not in the cloud and find the remote onboarding process to be too difficult.
Employment Eligibility Verification (Form I-9) seems to be a big challenge, since the law requires that the I-9 be verified in person. Good news: on March 20, the Department of Homeland Security provided some assistance for I-9 verification by announcing temporary COVID-19 provisions that permit employers to inspect the Section 2 documents remotely, through a video call, email or fax, to onboard remote employees. This knowledge should help leaders through this challenge so they can move forward and onboard remotely.
Exhausted cybersecurity professionals are working even more during the crisis. They have no relief in sight. Their firms have been looking to hire people year over year with little success. Now their already overworked cyber teams are doing more work. What these companies are lacking is a budget to pay for an external recruiting service.
This was a challenge way before the health crisis and now our fellow colleagues feel this pain even more. Already, recruiting departments don’t have the skill to find and match qualified and interested cyber professionals to jobs. This is because they don’t speak cybersecurity and they don’t have access to cybersecurity professionals. As this case study conducted by Chenxi Wang reports, “cybersecurity roles remain unfilled on average eight months; until an outside recruiting firm is brought in”.
Cyber professionals are getting burned out more quickly due to working around the clock during this crisis. This bothers me greatly at a time like this when stress is high at home and at work. I want to make sure that all cyber professionals affected by this crisis will find well-matched jobs quickly. To do this, and to help those leaders that don't have a budget to use an outside staffing resource like CyberSN, I am offering our services at our cost for new job searches.
We are a privately held firm with no outside investments. We care deeply about the health and well-being of our community. I am grateful that we can make this offer. This offering will allow organizations who truly want to fill their roles the ability to do so and at the same time make sure no cyber professional goes unemployed for long. There is no greater stress than that of unemployment. I suspect we will see layoffs and we will feel greater pain. Together we will succeed. I will keep sharing what we are seeing as things change rapidly. Love and safety to you all.