Have you heard about the workforce shortage in cybersecurity? Skilled cyber professionals are hard to find and desirable jobs at great companies are left unfilled for months. At least that’s what most tech staffing agencies will tell you. This mindset has infected too many companies, their HR departments, and the staffing agencies they hire, leaving cyber departments understaffed and companies at greater risk.

There is truth to the tight cyber labor market. The latest (ISC)² Cybersecurity Workforce Study puts the global cybersecurity workforce gap at more than 4 million. But a lack of professionals is not the only reason companies struggle to fill cybersecurity roles. The challenge has as much to do with the people doing the hiring as with the people available for hire.

Cybersecurity Staffing Is Broken

“I’m calling B.S. on the common belief that it’s a lack of security skills that’s causing these issues,” CyberSN President Mark Aiello wrote in Forbes. “From my professional experience, when I witness security people losing their jobs unexpectedly due to layoffs, restructuring or the like, it can take six months or more for C-level candidates to find a new position.”

In a market where cybersecurity expertise is in high demand, this doesn’t make any sense.

“These folks should be scooped up faster than an unencrypted database full of credit card numbers,” wrote Aiello.

The disconnect between hiring managers and skilled security professionals is at the core of most cybersecurity staffing challenges. The best way to bridge it is to work with a tech staffing agency that “speaks cyber” and understands the common problems that derail the cyber hiring process.

Your Tech Staffing Agency Doesn’t Know the Language

Cybersecurity professionals are passionate about their work tracking down threats. They also know that most people have no idea what their job entails on a day-to-day basis. If you’re posting a job description that wasn’t written by someone within the cyber team, cybersecurity professionals can spot it from a mile away.

Bad job descriptions are not HR’s fault. Most people in human resources lack knowledge of cybersecurity roles and culture, so they use vague language or tech buzzwords that mean different things to different people. The result is a job description that’s nothing more than a long list of technical competencies, educational requirements, certifications, and job titles. When listed as iron-clad requirements, they unfortunately eliminate many talented candidates.

A cybersecurity staffing firm can quickly identify red flags within a job description and work with companies to define requirements, roles, and responsibilities that not only make sense to people in the cybersecurity industry, but also portray the job accurately.

Your Tech Staffing Agency Doesn’t Know the Players

Many IT or tech staffing agencies use the same tactics recruiters in other industries use, especially LinkedIn. They rely on generic IT searches to find cybersecurity specialists, not realizing there is a significant difference in knowledge base and skill set.

Finding great people is difficult for another reason: cybersecurity professionals are skeptical of social media and job search applications and of their ability to protect personal information. Asked how to avoid risk when using social media, Ran Canetti, a Boston University College of Arts & Sciences professor of computer science and director of the BU Center for Reliable Information Systems and Cybersecurity, said the best solution is not to use them at all.

“This might cost a small price, but it’s more than worth it,” Canetti said.

If cyber professionals are not on LinkedIn or job search sites, recruiters who rely on these tools will never find them.

An agency that specializes in cybersecurity staffing knows the players throughout the industry, who is happy in their job and who is not. The recruiters put in the time networking, going to conferences and events, and making connections to develop a rich pool of contacts they can tap when filling positions for clients.

Your Tech Staffing Agency Doesn’t Understand Roles

With 45 different cybersecurity job categories, many more job titles, and no industry-accepted definition for any of them, general recruiters are at a disadvantage before they get past the first line of the job description. Tech staffing agencies that lack cybersecurity know-how may fail to recognize talented people who are right for the role but carry a slightly different title elsewhere.

“Many companies get so hung up on finding the perfect candidate that they miss so many qualified individuals who might tick off five, seven or even eight out of the 10 skills listed as requirements for a position,” said Aiello. “In the time it takes to find these unicorn security professionals, a company could have hit the ground running by training someone who was 75% of the way there.”

Your company wants to fill open cybersecurity positions with less effort and in less time. If your internal team needs help and you take the search to a staffing agency, you will save time, effort and a lot of headaches by choosing a firm that knows the industry and can identify candidates who will meet your company’s most essential cybersecurity needs.

Many of the challenges firms face when filling cybersecurity positions can be traced back to the job description. Cybersecurity job descriptions are notoriously difficult to write, yet they’re often the first impression a potential hire has of what it’s like to work for your company. With a lack of industry-accepted terms for jobs and roles, writing a clear and comprehensive job description can feel like stumbling in the dark.

The tight cybersecurity job market and well-publicized skills gap certainly make cybersecurity hiring more difficult; however, there are small steps companies can take to improve job descriptions and hiring success.

1. Get the Right Title

Say for instance your company is looking for a security engineer. Here are some of the subcategories that land within that title.

You can see the difficult situation many managers and HR departments find themselves in when crafting a cybersecurity job description. If you can’t settle on whether you need a security architect, cloud security architect, or information security architect how are you going to find a candidate?

When deciding on a job title, do some research within the local cyber community. What other titles are companies using for similar jobs and responsibilities? Is your company committed to having unique job titles? It might be time to compromise and use a job title that more accurately portrays the role.

2. Communicate a Realistic Understanding of the Role

Agreeing on a common language is the foundation of all human relationships. Reaching the best candidates and communicating your position clearly requires using the language people within the cyber community actually speak. You’d be surprised how many HR recruiters and hiring managers have no idea what some of the terms in their cybersecurity job descriptions mean, even though they wrote them!

Experienced cyber professionals also know enough to steer clear of poorly conceived job descriptions, especially those in which the requirements don’t track to the title, or which run through a laundry list of requirements that clearly indicates the new hire will be asked to do two or more jobs. Knowing what you are asking for, and understanding the terms used in the description, will elevate your cybersecurity job description and show that your company is serious about cyber.

3. Emphasize the Benefits

With so many open positions in today’s job market, the best candidates are oftentimes people who are already employed, but open to a change in employment. These passive job seekers are skilled, but also savvy. If they are going to make the effort to change jobs, there must be benefits, such as higher pay, more remote work from home, or a shorter commute. Here are some ways you can quickly communicate why your job is better than theirs.

4. Don’t Go It Alone

We get it. It’s not always easy to ask for help, but when a position has gone unfilled for six, seven, eight months on end, the problem might require outside expertise. 

Staffing agencies are a common solution for companies that need to fill a position fast, but this has drawbacks. Recruiters may return a list of candidates we would categorize as “warm bodies”: instead of truly talented cybersecurity personnel, they show you resumes from people who are under-qualified or work in an unrelated area of cyber. Many staffing agencies are generalists with little understanding of the industry, and using a firm without expertise in cybersecurity won’t get you good candidates.

Look for a history of filling cybersecurity positions in your industry. Such agencies not only understand the language, but have also developed the connections that let them locate talented passive job seekers. Understanding the current cybersecurity landscape, which companies are flourishing, and who is happy and who is not is essential.

Another advantage agencies that specialize in cybersecurity bring is tooling that helps HR personnel and hiring managers find the right match without a recruiter. Programs like CyberSN’s cybersecurity jobs platform offer free tools and templates for building job descriptions targeted specifically at people in the cybersecurity industry.

Bottom line: an agency that has expertise in cyber can communicate your job more effectively, resulting in a better slate of candidates and ultimately filling that position faster.

Organizations are taking precautions against the novel coronavirus (COVID-19) outbreak: travel restrictions are being put in place and leaders are circulating general workplace safety information. The chief security officer and the cybersecurity organization have a critical role to play in business continuity and COVID-19 preparations. To remain operational and minimize cyber risk, CSOs should focus on the following COVID-19 checklist.

1. Remote Access Testing and Validation

Organizations must be prepared to activate contingency and business continuity plans, including protocols for employees working from home to limit the spread of COVID-19. The workforce may shift from on-site to fully remote for an extended period. Because many employees do not typically work remotely, or never have, the CSO and cybersecurity organization should assess the remote access systems: Are the remote access devices patched, and does failover redundancy actually work? Is two-factor authentication enforced, and can passwords be reset remotely? Are endpoints up to date, and is remote access authentication logged for every employee, not just those who already work from home? If your organization has not performed a remote access exercise recently, now is the time to schedule a full “work from home” exercise and evaluate your readiness.
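The questions above are easiest to answer from the evidence a “work from home” exercise leaves behind: the remote access gateway’s authentication log. The script below is an added example, not part of the original checklist or of any CyberSN tooling. It takes a constructed roster and a handful of constructed VPN authentication log lines in an assumed key=value format (real concentrators each log differently, so the regex is the only part that should need adapting) and reports who never connected during the exercise, who authenticated without a second factor, whose client is below the minimum patched version, and which accounts authenticated but are not on the roster.

```python
"""Remote-access readiness check over VPN authentication logs.

Added example (not from the original post). Log format, roster and minimum
client version are all assumptions constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Constructed roster of employees expected to take part in the exercise.
ROSTER = ["alice", "bob", "carol", "dave"]

# Assumed minimum patched VPN client version, as a comparable tuple.
MIN_CLIENT = (4, 9, 2)

# Constructed sample log lines in a hypothetical key=value format.
SAMPLE_LOGS = """\
2020-03-10T08:01:12Z vpn-gw1 auth user=alice result=success mfa=totp client=4.9.3
2020-03-10T08:02:45Z vpn-gw1 auth user=bob result=success mfa=none client=4.9.3
2020-03-10T08:03:01Z vpn-gw2 auth user=carol result=failure mfa=none client=4.9.3
2020-03-10T08:05:30Z vpn-gw2 auth user=carol result=success mfa=push client=4.8.0
2020-03-10T08:07:09Z vpn-gw1 auth user=mallory result=success mfa=totp client=4.9.3
"""

# Only this pattern is tied to the assumed log format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth user=(?P<user>\S+) result=(?P<result>\S+) "
    r"mfa=(?P<mfa>\S+) client=(?P<client>[\d.]+)$"
)


@dataclass
class Report:
    never_connected: set = field(default_factory=set)  # roster members with no successful login
    no_mfa: set = field(default_factory=set)           # successful logins without a second factor
    outdated_client: set = field(default_factory=set)  # successful logins from an old client
    unknown_users: set = field(default_factory=set)    # accounts seen that are not on the roster


def parse_version(text):
    """Turn '4.9.3' into (4, 9, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def check_readiness(log_text, roster, min_client=MIN_CLIENT):
    roster = set(roster)
    seen = set()
    report = Report()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed lines are skipped here; in production, count and alert on them
        user = m["user"]
        if user not in roster:
            report.unknown_users.add(user)
        if m["result"] != "success":
            continue  # failed attempts do not count as coverage
        seen.add(user)
        if m["mfa"] == "none":
            report.no_mfa.add(user)
        if parse_version(m["client"]) < min_client:
            report.outdated_client.add(user)
    report.never_connected = roster - seen
    return report


if __name__ == "__main__":
    result = check_readiness(SAMPLE_LOGS, ROSTER)
    print("never connected:", sorted(result.never_connected))
    print("no MFA:         ", sorted(result.no_mfa))
    print("outdated client:", sorted(result.outdated_client))
    print("not on roster:  ", sorted(result.unknown_users))
```

On the constructed data this flags dave as never having connected, bob as authenticating with a password alone, carol as running an outdated client, and mallory as an account that authenticated but is not on the roster, which is exactly the list a CSO would want before declaring a remote access exercise a success.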

2. Pandemic Phishing Awareness

The outbreak has created an environment in which people are searching for information and are more likely to open a suspicious link or attachment. Malicious actors will exploit COVID-19 warnings, alerts, and preparations in phishing emails and malicious attachments. Messages that prompt account password resets are also in play as organizations prepare for workforce disruptions. Awareness is critical when people are on edge, seeking information, and wanting to help. Work with your organization’s COVID-19 awareness team and fold cyber awareness into the messages on preparation and company communications.

3. Cyber Staff Disruptions

The COVID-19 cyber risks go beyond technical controls. Preparing for staff disruptions is as important as ensuring visibility into remote access security events. Cyber leadership must identify critical roles and the individuals on the cybersecurity team who perform them, and put a plan in place for the extended absence of those key individuals. Cyber teams of all sizes should consider cross-training on critical responsibilities or using external staffing consultants to bridge gaps in absent critical roles.

Hopefully COVID-19 will have little or no impact on your organization. While this is a stressful time for companies, it does provide an opportunity to review outbreak response protocols and off-site security measures. As with any event response, business operations will see less disruption if the CSO and cyber team communicate important security measures as the situation develops.

While the scramble to recruit and retain smart cybersecurity professionals is universal, some companies struggle more than others. If you ever wonder how some competitors manage to perennially field solid cybersecurity teams while your organization can hardly find enough candidates for its open jobs, it might be time to evaluate the way you market to and interact with cyber job seekers. CyberSN recently spoke with a number of recent applicants and employers about what engages candidates most effectively. Things like a decent compensation package are table stakes for drawing great candidates. However, there are often other simple touches that can make all the difference. Here are five tips for attracting cybersecurity professionals to your roles.

Be Courteous

It should go without saying that common courtesy goes a long way toward keeping the lines of communication open with good candidates. For example, if you’re recruiting currently employed candidates, be flexible about scheduling interviews. And whatever you do, minimize cancellations on your end.

“Meeting during the day is already a challenge because you have to find a way to schedule time off from your current job,” said a Security Engineer who wishes to remain anonymous. “It’s particularly difficult when a potential employer cancels at the last minute, which happens anywhere from 25% to 40% of the time in my experience. For a couple of companies this happened with, I just declined to reschedule.”

Add a Personal Touch

If you’re a hiring manager working with a company with a lot of bureaucracy and red tape to jump through during the interview process, consider either personally reaching out or having a recruiter reach out to prep candidates for what to expect.

“Having insights about the company from the recruiter made a difference,” Robert Burns, Sr. Consultant at Booz Allen Hamilton explained. “Just a little bit of information about who I was meeting with ahead of time, so I could prepare and have a better understanding of what I’d be talking about with different individuals.”

Invest in Relocation

Compensation is obviously important, and so are work-life balance benefits like flex time. But so are relocation benefits. It might seem obvious that the best way to open up a bigger pool of candidates is to widen geographic boundaries; surprisingly, few companies actually do this. We’re not talking about a huge investment. Just $10-15k will make a big impact.

“Even though there’s a huge gap in the field, it’s very difficult to find organizations that will pay you or give you the flexibility to cross from coast to coast,” says Burns, who worked with CyberSN to relocate to a work location that suited him.

Ask the Right Interview Questions

When interviewing, don’t get hung up on years of experience or even certifications. Learn to find candidates who have the right raw materials for training by asking the right interview questions. Interview for a person’s ability to do the job: find out what they have been doing, not how many years they have been doing it. Years do not equate to capability. Also, make sure your posting avoids the red flags that turn off job seekers!

“In interviews, we would ask questions around curiosity. Trying to hone in on how an individual thinks can be important,” says Dan Garcia, Sr. Security Engineer at Datto. “Asking questions like, ‘What is the last thing you took apart and why?’ Just trying to get at their intellect. From that, we found some pretty great candidates that had the right mindset.”

Be Creative

Finally, look for ways to be creative in your outreach. Cybersecurity is a creative field, and smart candidates respond to clever employers. Run or participate in events like capture the flag and tabletop exercises. Go to the same places that cyber pros go.

“Datto once took out a billboard where we Base64 encoded the career site URL, and we had a candidate apply to be a software engineer from that,” says Ryan Weeks, Chief Information Security Officer. “He now leads our application security pen-testing team.”

Listening closely to the experience of candidates and gathering feedback from employers gives insight into what mistakes are being made that are easily addressed. What’s working (and not working) in your cybersecurity talent experiences? Did we forget any tips for attracting cyber professionals?

Firms struggling to recruit quality cybersecurity candidates may be a little too quick to blame the security skills gap without looking in the mirror first. In many cases, companies take themselves out of the running for the best available candidates the day the job is posted.

Why?

Experienced cybersecurity professionals run far and fast the second they see poorly conceived job descriptions and requirements. Poorly written job requirements are a dead giveaway that an employer doesn’t know much about security. A bad job posting can signal any number of bad omens to good candidates, such as:

For most candidates, these are indicators that lead to immediate disqualification.

“Just like a resume tips the hand of a job seeker, job requirements tip the hand of an employer,” explains a Red Team PenTester placed by CyberSN.

There are a number of ways that job postings turn off cybersecurity candidates. Let’s dive deeper into the following three red flags.

Red Flag #1: Job Requirements Make No Sense

When job requirements don’t track to the title, or to broad cybersecurity responsibilities, candidates will start giving the employer side-eye. In many cases this is the product of someone who knows very little about cybersecurity. Most likely this is from someone copying job requirements from other cybersecurity job listings.

“It seemed likely that a lot of employers were looking at other job listings and probably copying and pasting those job responsibilities, which I think is typical for companies, because they know that they need cybersecurity to protect their assets, but they don’t necessarily know what that means,” says a Security Engineer, placed by CyberSN, explaining his experiences when running into requirements that weren’t “structured in an organized or sensible manner.”

Red Flag #2: Two Or More Jobs In One Description

Another common problem is listings that rattle off requirements clearly showing the person will be asked to do two or more jobs. When candidates see that an employer wants an appsec guru, a security architect, and a SOC analyst all in one, they’re highly unlikely to put their hats in the ring.

Red Flag #3: Experience Requirements Don’t Match Job Level

Another common red flag is when the experience requirements in no way match the level of job being advertised. When entry-level positions (with entry-level wages) require 5-10 years of experience, it’s clear that there is a lot wrong with the organization’s expectations and, potentially, its culture. A corollary is asking for many years of background in a brand-new technology.

*

To be sure, for employers building out a brand-new security team, it can be tough to craft the perfect job requirements. When they’re hunting for the first or second security hire, they often really do need a renaissance man or woman who can ‘do it all’ until the team can scale up later.

This was the exact experience of one client, a Security Engineer from a mid-sized SaaS company, who eventually came to CyberSN for recruiting help.

“I didn’t know how to craft the messaging internally. For a company that has never had good security, telling them you need someone to do disaster recovery, you need someone to do compliance, you need someone to do platform security, application security, security operations, maybe network security and someone to lead all of it, they didn’t really believe me,” this Engineer said. “As a result, I suggested to start with just one. But how do you put together the job posting that says, ‘You’ll be our first security hire, AND you’ll have to do all of it?’”

Many of the candidates we work with are passive, meaning they are not overtly looking but are willing to make a switch for the right opportunity. Poorly written job postings will NEVER attract these candidates; a well-crafted one will. In a passive job seeker market like today’s, this makes all the difference.

It’s a tough situation, and one in which employers need to look to the experts to help them carefully and thoughtfully craft a job description that makes sense. Otherwise, they risk hearing crickets after posting their security jobs. At CyberSN we take great care when helping our clients draft a job description, and we encourage them to take a deliberate approach and circulate it among their network for input before posting.