It’s no secret that women are underrepresented in cybersecurity. There are plenty of statistics that confirm the gender gap in cybersecurity, including a 2024 survey that showed women make up less than a quarter (24%) of the cybersecurity workforce and only 1% of women hold top executive positions.
To change the industry and remove barriers for women in cybersecurity, companies need to be proactive in adding more women to their cybersecurity ranks. Higher representation helps dispel the stereotype that tech jobs are just for men and encourages more women to join the cybersecurity community. cybersecurity expertsIt’s also an advantage when a company’s workforce is representative of the general population, especially in the security industry. To achieve this, companies need to start by getting better at recruiting female cybersecurity professionals.
Although women represent about 24% of the cybersecurity workforce, there are some encouraging numbers in the latest data. The (ISC)² 2023 Global Cybersecurity Workforce Report revealed that 26% of employees are in the under 30s category are women. With more women in cyber moving from early career to mid-career, there will be more women available to offer mentoring and networking opportunities to younger women looking to get their start and move up in the field.
The (ISC)² study also showed that while women in cybersecurity are less represented, however, DEI initiatives are making a difference in the amount of women in cybersecurity. For example, companies that have job descriptions that refer to DEI programs/goals result in 26.6% of the workforce being women. Those who don’t result in only 22.3% of their cybersecurity workforce being women.
The ISC2 report also stated that -‘Organizations that adopt initiatives, such as skills-based hiring and using job descriptions that refer to DEI programs/goals, can create a more diverse cybersecurity workforce. Those with skills-based hiring have an average of 25.5% women in their
workforce compared with 22.2% of those who have not adopted this initiative.’
Too often, employees will talk about the importance of diversity at company-wide meetings and forget about what it all means by the time they get back to their desks. Unless diversity is a core part of a company’s human resources and hiring strategy, it will be difficult to move the needle toward a more representative workforce.
Priscilla Moriuchi, Director of Strategic Threat Development at Recorded Future, told Forbes that diversity is not simply about doing the right thing.
"Diversity in perspectives, leadership, and experience is good for business,” she said, noting this is especially true in cybersecurity. "We need people with disparate backgrounds because the people we are pursuing (threat actors, hackers, 'bad guys') also have a wide variety of backgrounds and experiences. The wider variety of people and experience we have defending our networks, the better our chances of success."
Deidre Diamond, Founder and CEO of CyberSN mentions, “Society is waking up and realizing cyber attackers are diverse – all races, genders, religious backgrounds, and more, and from all over the world. “Cyber professionals need to know how their adversaries think, work, and perceive to work against them. How do you know if you don’t have those around you on your team to help you see those blind spots and look at things differently?”
There are a number of things people look for when pursuing a new job, regardless of gender, including better pay, more flexibility in hours, and a shorter commute. However, there are some things women candidates will be looking for to address their concerns about the gender gap in cybersecurity..
Demonstrate a real commitment to diversity: What efforts has your company made to create a more diverse cybersecurity workplace? Are those efforts visible to applicants? Women will be looking for signs that all genders, races, and nationalities are welcome at your company, so include images that reflect diversity on the company website and social media. Also, encourage the women at your company to participate in professional organizations like Secure Diversity and WiCys, which foster networking opportunities and provide connections, making it easier to recruit female cybersecurity experts.
Career development: Women want to work at a company where they have access to opportunities to learn skills that will advance their cybersecurity careers. These opportunities should be encouraged and not treated like a hassle or something that’s taking away from her day-to-day work. Enacting a mentoring program is another great way to foster talent, not just for women but all minorities underrepresented in cybersecurity.
Job security and satisfaction: Since there is a workforce shortage in the cybersecurity, many women enter the field for the job security it promises, but job security doesn’t mean much if the work environment is poor. Women want to work at a company where they are treated as a valuable member of the team. With so many cybersecurity jobs available today, your company risks losing female cyber candidates to other companies if your company has a reputation for allowing hostile work attitudes to persist.
Great (and equal) pay: Another reason women get into cybersecurity is because of the high salary they can earn. Average salaries between $100,000 and $200,000 a year are the norm. However, some companies fall into the trap of paying women less than what equal male counterparts make because of a variety of reasons that may go unnoticed by well-intentioned managers. Human Resources is essential in ensuring pay is equitable and suggesting remedies when it is not, especially when making initial offers to candidates.
Looking beyond job titles: The roles and responsibilities assigned to different jobs titles are all over the map in cybersecurity. We’ve identified 45 functional roles and 10 categories in cybersecurity. This can lead to Human Resources departments dismissing talented candidates just because the title doesn’t fit. Before eliminating women candidates, take a hard look at her skills and experiences, not just the job titles she’s held.
Despite the challenges some women face in the cybersecurity industry, men and women share a lot of the same concerns about their jobs. This can range from lack of support from upper management to lack of work/life balance. Many companies have begun to address these concerns, improving the overall work environment for the entire cyber team, which can only help in recruiting more women.
Being proactive about diversity in cybersecurity is essential in evolving the industry. It can be as simple as tapping the female employees for references or looking beyond the job title and at the skill set. The talent is out there. It’s just about knowing where and how to look for it.
For support in diversity hiring, get in touch.
The ongoing evolution of the cybersecurity landscape and threat complexity has initiated an arms race between security teams and cyber criminals. As well as scrambling to keep up with new and developing threats, organizations are seeing their talent exfiltrated by recruiters at an alarming rate. The cybersecurity talent pool is short nearly 500,000 people in the United States alone, and over 4 million people worldwide. As the force behind the technology, your people are your most important asset, so ensure that you prepare and defend against talent exfiltration by taking the right steps towards a nurturing, human-first workplace.
The average tenure of a CISO is just 26 months, with many cybersecurity professionals moving roles even more frequently. The reason behind such erratic and frequent job changes is clear; cybersecurity work environments are often negative spaces:
Cybersecurity recruiters understand these challenges, meaning they can easily guide your talent towards new, hot jobs by listening to the marketplace and the professionals in their network, paying close attention to high turnover and stagnating profiles on LinkedIn.
Staying ahead of talent exfiltration means creating a nurturing, inspiring work environment for your cybersecurity team, and taking the right steps to improve work-life balance.
1. Start with your retention plan
If you’re looking to hire, focus on your retention plan first. If a lot of your employees are leaving, look at what you’re not offering them and the reasons why. Good retention is a key part of your employer brand, showing new hires and existing staff that you care about their career progression and personal needs.
2. A human-first approach
As humans, we all want to be treated kindly, feel safe in our jobs, and, of course, make money. Managing others means caring for and seeing them as more than just their job title. It’s also important to have a good understanding of your employee’s roles and responsibilities, at both a task and project level, in order to identify further requirements.
3. Take security seriously
People may leave your team for a variety of reasons, and it’s not always your fault, but sitting back and waiting for roles to be filled means you’ll lose more. Leaving open roles unfilled is a sign that you’re not willing to invest in security and therefore don’t see its value. When you don’t invest in resources to find the best professionals, you send a clear message to the rest of your team that you don’t care about their work
4. Monitor and invest in your employees
Make sure that you’re equipped to monitor how your employees are feeling and performing on a regular basis. It’s important to continually invest in training and support based on how your teams progress.
5. Employ the right resources
Working with a talent agency that understands the pressure of the cybersecurity industry and the requirements you have is key to hiring the best candidates and preventing talent exfiltration.
At CyberSN, our expertise in the cybersecurity industry and talent matching helps you build your teams faster, stronger, and to last, understanding not just what roles you’re hiring, but why. We believe that cybersecurity professionals should love their job, so we strive to match our candidates’ passions with the right opportunities. CyberSN are more than just HR; we help attract the most diverse, interested and qualified candidates, quickly filling your jobs with candidates that will succeed and be retained.
2020 brought many transformations to the cybersecurity community. The key takeaway from our perspective here at CyberSN was the change to the talent seeker and the job seeker as it relates to the hiring process. In short: the roles and expectations of both cybersecurity professionals seeking employment, and hiring managers looking to fill job vacancies have changed forever.
Cyber professionals are in high demand and have experienced different modes of working as the pandemic took hold. Many cyber professionals set up an office at home without affecting their productivity. Cyber professionals who were hiring had to adjust how they were acquiring talent and the changes they needed to make to attract, vet, and retain quality cyber talent.
In support of this, we’ve outlined five ways cybersecurity hiring has changed forever (with one bonus prediction):
This is probably the biggest, most obvious realization that came out of the 2020 pandemic. Remote work is no longer a privilege. It is now expected in every cybersecurity job. Cybersecurity has evolved from the days when cyber professionals rarely were allowed to work offsite to a time where they’re rarely mandated to work on premise. So long as productivity and security remain optimal, this likely will not change. If your company doesn’t have a permanent work from home policy, you will be a much less attractive employer for cyber professionals. Make sure your company is prepared. It’s no longer a request. It’s an expectation.
Remember the days when a cyber professional would dress up, drive to a company, pay inflated parking rates, and be subjected to a series of face-to-face interviews? Many times, they would be subjected to re-answering the same questions over and over. Most of the interviews were conducted secretly so their current employer wouldn’t find out. Cyber pros were forced to make excuses so they could take a day off to interview for a new opportunity. This is no longer the case. CyberSN has not had an in-person interview since early 2020. Everyone on both sides of the interview lens should be prepared for video interviews, which means paying special attention to your surroundings to make sure it’s what you want people to see.
Compensation has been on the rise as the demand for experienced cyber professionals continues to skyrocket. Compensation is typically salary and bonuses, though cyber professionals are also being offered generous stock option packages and other benefits where available. Take inventory of all the good things your company has to offer in addition to money and put it on the table if you want to be competitive in attracting and hiring cyber professionals. Like cyber salaries and applicable benefits packages, demand for cyber pros will only continue to grow, so if you’re not weighing out what you have now and presenting your best offer, you’re not going not going to fare well.
The interview process for cyber professionals is faster than ever. We are seeing offers being presented on the same day of the interviews. We even had one during the interview. If you’re hiring, be prepared to move quickly with an offer. If you’re interviewing, be prepared to field an offer and make a decision quickly, sometimes right on the spot. Those who are prepared to move quickly (and do) will benefit greatly in this hiring market. It’s no longer an option to sit around and wait. If a person feels like a good fit, make a move, or else risk that person moves on to the next readily abundant opportunity.
While we’ve placed most of the focus on the hiring teams to put their best foot forward, there are also developments that lean the other way (towards the cyber professionals seeking new jobs). Make note that almost every new opportunity we are involved with is requiring Cloud/SaaS experience.
There is a greater focus on securing all cloud applications. It’s no longer the responsibility of a few security or IT professionals. It’s now the responsibility of all cyber and IT professionals. Users are geographical spread out these days, and they’re relying on cloud applications and file sharing more than ever. Securing these systems and data has never been so vital to an organization and it’s employees. It’s impossible to rely on a few individuals to be able to protect the vast amount of data that is spread out throughout the U.S. Thus, Cloud/SaaS experience is a must. If you don’t have it as a working piece of your portfolio, it’s time to dive in, else risk being overlooked.
As we mentioned above, remote working is expected by all who are employed within the cyber industry. But that expectation for flexibility will no longer be unique to a cyber professional’s “physical” presence. Soon that flexibility will be associated with time. No longer will work hours fit into the typical 8 a.m. - 5 p.m. window. Different work habits by different people spread out over multiple time zones will require a lot more flexibility.
Households with children require organizations to allow workers flexibility in their workday. Also, it’s become quite commonplace for employees to take pause for a few mental health breaks. So many workers are cooped up in their homes and only leave to get their mail. Organizations will have to be flexible on the specific times that people login, and instead, focus on the work that is produced to make sure the job is being done. Productivity is the key metric here. So long as the work is getting accomplished on time it shouldn’t matter so much when it’s getting done.
It’s pretty incredible to watch an industry grow, and we’ve been lucky enough to play a role in one we’re very passionate about. The changes we’ve outlined above are a direct result of the last 12 months we’ve all experienced. It’s amazing how much things can change in such a short amount of time.
If you need help figuring out the right solutions for your cyber needs, give us a call. We’re here to help!
A 0% unemployment rate for the cybersecurity industry is a huge success. There’s an abundance of cyber jobs for everyone. When glancing at the state of the cybersecurity job market, you’d expect that everyone would be extremely happy with the way things are going. It’s a wonderful problem. The problem is that with full employment the challenge is finding people for open cyber positions. This is the exact issue cybersecurity hiring managers are faced with.
Demand is something that the cybersecurity industry has been experiencing a gross surplus for years. A 0% unemployment rate isn't always as great as it sounds. With more open positions than available qualified cyber pros, hiring managers need to think long and hard about their recruiting tactics to engage the right candidates for open cyber jobs. The industry is in dire need of cyber analysts to implement, tune, and monitor cyber solution systems. There’s a need for more DevSecOps professionals to facilitate the strengthening of CI/CD pipeline security. And perhaps the most alarming deficiency within the cybersecurity industry is the existence of more advanced (and continually advancing) adversaries and attackers than security engineers, threat hunters, cyber researchers, pentesters, and leadership to combat them.
The market for qualified cybersecurity professionals is at peak competitiveness. Great for the cyberpro on the hunt, difficult for the hiring manager who is in dire need of cybersecurity skill sets. So how do we best leverage a 0% unemployment rate within the cybersecurity industry where it seems there exists no qualified help in sight?
Last year, Cybersecurity Ventures reported that there will be 3.5 million unfilled cybersecurity jobs globally by the end of 2021. Combine that with a workforce that’s already reached its maximum occupancy and you can see how problems would start to develop.
To help your organization prepare for hiring challenges in the year ahead, let’s discuss the implications that a 0% unemployment rate has on the cybersecurity job market, while also laying out some strategies for how your company can combat them.
With today’s current economic uncertainty, raising salaries can be a daunting step to take for many organizations. And, if we’re being frank, there seems to be a fundamental issue with companies not budgeting the salaries required to attract a qualified cybersecurity professional. Further, there’s a stark underestimation of the effort that it takes to attract, nurture, and bring a prospective cyber pro through your doors in such a high demand / highly competitive environment. There exists some concern over the economy which has led some firms into believing that they have the upper hand in salary negotiations. This oversight couldn’t be further from the truth. Even in today’s climate, the demand for cybersecurity professionals has never been higher and the vast majority of skilled cyber pros are employed and many are well compensated. In order to persuade them to leave their current situation to come work for you, you must offer them better benefits than they currently receive, with compensation typically being a primary motivator.
With an average of two job openings for every one qualified candidate, cybersecurity professionals have significant leverage when it comes to negotiating salaries. How can employers combat this? Well, the simple answer is to pay more. That’s not the only answer.
While considering the cybersecurity salary ranges you’re currently offering, consider everything else you can offer. Do you have a great healthcare plan? Flexible working hours or generous PTO allotments? Like all workers, cybersecurity professionals negotiate for the best benefits plan that they can obtain and benefits in addition to compensation can provide significant value. Currently, one of the best add-ons to any benefits package is flexible remote work options. The pandemic has shifted to a remote workforce and professionals want to know your company's plan on returning to the office environment. Be transparent with your full remote or transition to office plans in the offer.
There’s a lot to think about here, and honestly, the effort and time needed to recruit qualified cyber professionals to fill your cyber solution needs can be a quite daunting task. You might want to consider the help of KnowMore, which can do a lot of the legwork for you and put you in front of the exact pool of cyber professionals you’re looking to attract. That’s a key differentiator when it comes to the hiring process. It takes a great deal of resources to vet those that do, don’t, and may fit. So why not cut out one or two of those right at the outset?
With a lack of qualified professionals to address unfilled positions, many organizations make poor hiring decisions out of desperation. It’s commonplace to see companies get obsessed with trying to find a perfect fit while wasting months overlooking decent-fit candidates. As time goes on, the need to fill the position only grows stronger and many can end up hiring someone unsuited for the role just to get it filled.
To avoid this situation, the best thing to invest in is training. With 0% unemployment, finding the perfect cyber pro for your open position may not be feasible depending on what you’re offering. CyberSN President, Mark Aiello, addressed this issue in a recent article for Forbes and was quoted saying: “Many companies get so hung up on finding the perfect candidate that they miss so many qualified individuals who might tick off five, seven, or even eight out of the 10 skills listed as requirements for a position. In the time it takes to find these unicorn security professionals, a company could have hit the ground running by training someone who was 75% of the way there.”
Another major challenge accelerated by a 0% unemployment rate is retention difficulties. With so many open positions, cyber professionals are bombarded by new job opportunities. You cannot fault them if they occasionally take a peek. And once this happens, many are exposed to some “too good to be true” opportunities that catch their interest. A recent study done by ISACA polled companies across the country and found that “...64% of respondents indicated that they have trouble retaining qualified cybersecurity professionals.”
In the cybersecurity job market, hiring an employee is only half the battle. In our experience as the leading cybersecurity staffing firm in North America, CyberSN has consistently found that retaining cybersecurity talent is actually more difficult than finding it. You don’t want to be in a situation where you spend significant time and resources training your new hire only to watch them leave after six months.
To help enhance employee retention at your organization, consider the following best practices:
Another significant driver of the 0% unemployment rate is the increase in cybercrime. In fact, the FBI reported in May of last year that cybercrime appears to have jumped by as much as 300 percent since the start of the COVID-19 pandemic.
This increase in cyber attacks will cost the world around $6 trillion annually by 2021, as reported by CSO Online. These frightening statistics will only lead to more unfilled jobs and extreme pressure on employers to hire for them. The cybersecurity personnel shortage doesn’t just serve as a detriment to individual employers, it represents a nationwide security threat. In the years ahead, employers will have to work even harder to hire and retain their cyber pros to ensure they don’t leave their operations vulnerable to attack.
With so few unemployed cybersecurity professionals to choose from, filling cyber jobs has become notoriously difficult. Given the current shortage, companies would be wise to recruit active job seekers and also cyber pros who are passively looking—i.e. those who are actively employed but could be open to new opportunities if the offer was right. Unfortunately, the disclaimer here is that these passive candidates are even harder to find and persuade.
To truly be successful in finding qualified cybersecurity professionals in a 0% unemployment job market, it’s best to seek help from those with experience and specialization in the cybersecurity industry. Companies who utilize internal hiring and recruiting teams, always fall into the same pitfalls of not knowing where to look, crafting less than enticing job descriptions, and not speaking the same language as job seekers.
Hiring a company that specializes in cybersecurity recruiting and who truly understands the motivations behind both parties, ensures a quicker and more effective hiring process. For example, with CyberSN’s Engaged Staffing service, we take the work of finding interested and qualified candidates and scoping their qualifications off the plate of the employer. We can also work with the employer to do pre-interview prep to make sure they present the optimal image of their organization and benefits package.
To fill your open cybersecurity roles, engaging with cybersecurity specialists with a proven track record of hiring success should be a logical next step. By leaving it to the cybersecurity recruiting pros, you will save valuable time and money while also saving your organization from the inherent risks of leaving important roles on your cybersecurity team vacant.
Happy New Year. After a year of uncertainty and emotional stresses, I look to 2021 with great optimism. The cybersecurity community is significantly stronger and being counted on now more than ever. The need for cybersecurity talent has grown exponentially. The importance of cybersecurity professionals is universally understood and appreciated at a much higher level.
We as a community are treating each other better too! It’s wonderful to see our cybersecurity leaders working together the way we all are. Our response to recent breach announcements shows us that we have learned to support each other. I remember when Equifax shared their breach a few years back, the CISO at the time was attacked and ridiculed. Fast forward a few years to the FireEye/SolarWinds breach; the cybersecurity community has been kind and supportive to the cybersecurity leadership victims. It’s awesome to see this advancement in our ability to provide empathy and support vs. blame and shame. We are one team and we all can be breached… We are defending against more attackers than we have defenders and therefore we must work together. Thank you for bringing this empathy and kindness to the cybersecurity community; we will attract and retain more talent, to include diverse talent when we come from a place of empathy and kindness.
Below I have highlighted five contributing factors that we predict will lead to significant growth in the cybersecurity job market in 2021. Please feel free to reach out anytime. CyberSN is 100% focused on solving your cybersecurity talent challenges.
Cloud computing has provided attackers with a larger set of potential exploitable targets prior to the digitalization shift. Increases in new or past rapidly planned cloud deployments has created additional opportunities for attackers to elevate privileges, add persistence, and breach credentials and data. Managing cloud cybersecurity risks to accelerate business operations, data privacy, and compliance will be critical roles in 2021.
Cybersecurity spending is projected to increase in 2021. CISOs will revisit and revamp cyber strategies addressing potential threats and detection/defense gaps introduced by remote workforces, authentication threats, on-premise office infrastructure, cyber hygiene, supply chain threats, and cyber awareness.
Data-driven approaches will begin to solidify threat and incident analysis, threat anticipation, and breach response practices. Data-driven cybersecurity will influence decisions on “normal patterns'' versus anomalies and provide insights from all cybersecurity data, visualizations, and reusable models. All of this will inform adding intelligence, automation, and measurable value.
Cybersecurity programs will leverage Application Security Engineers and DevSecOps professionals to focus on integrating automation to the development pipeline, rather than detecting software flaws. This proactive approach will enable them to manage risks which lead to security vulnerabilities in APIs, production software, and the overall architecture.
The rapid shift to digitalization has added data access complexity as well as less visibility and potential blind spots for SOC analysts and Cyber Fusion teams. Recent breaches have reminded the cybersecurity industry that alerts from defense products should not be the time to begin searching for breach indications. Organizations will reinforce their cybersecurity playbooks by enhancing or adding proactive approaches which will include threat hunting and threat awareness.
As the new year unfolds, so too does the unique challenges that present themselves to us. This is especially true in the cybersecurity industry. As quickly as we develop new, bolstered proactive processes and technologies to minimize potential breaches, new threats are born and introduced to challenge those very efforts. Thus, as we stated in our intro here, we must work collaboratively to create success as a collective whole. Cybersecurity isn’t only an industry, it’s a community, and we as cyber pros are each a thread in that ever-growing fabric. When we band together, that fabric becomes stronger, and with that, success is more easily accomplished. CyberSN is dedicated to the successful advancement of the cybersecurity workforce. Let’s work together and make 2021 the best year yet!
Most CEOs will tell you security is an important aspect of their business operations. But too often, what’s deemed important by management doesn’t always translate into real priorities. We’ve seen too many cybersecurity teams stretched thin on staffing, overworked, and improperly aligned with the rest of the organization. This leaves companies vulnerable to cybersecurity threats, huge losses, and bad PR.
Recently, CyberSN Founder and CEO Deidre Diamond spoke with Dan Blum, Cybersecurity Strategist and Author of the book, “Rational Cybersecurity for Business: The Security Leader’s Guide to Business Alignment,” about this pervasive problem. Cybersecurity operations are complex, but the solution to better security is simple; companies must align business processes with cybersecurity operations.
Hear the discussion. Watch “Hire, Motivate, and Manage a Business-Aligned Cybersecurity Team.”
Blum, who has years of experience in the corporate security field at organizations like the Burton Group, Inc., and Gartner, defines cybersecurity-business alignment as:
“A state of agreement or cooperation between persons or organizations with a common security interest. It is enabled through security governance structures, processes, communication skills, and relationships that engage the business. When in a state of alignment, all business leaders, staff, and business-related processes act in accordance with clear roles and responsibilities to support the security program and strategy.”
In other words, alignment happens when cybersecurity is fully integrated into company operations, all employees understand the importance of security, and chief information security officers have input when important decisions are made. It also means funding cybersecurity teams and technology to allow them to do their job and do it well.
Unfortunately, many companies understaff their cybersecurity teams or silo them away from important projects and decision-making meetings. Management may understand that cybersecurity is a vital aspect of business but they are not clear on the investment required to do cybersecurity right. According to Blum, only 44% of boards of directors consider cybersecurity to be strategic. If more than half of directors say that cybersecurity is less important than other aspects of the business, then it will be nearly impossible for CISOs to get the resources they need.
“They may think they are funding it adequately but they are not giving it the attention required to make sure the work that’s being done is really fitting the business needs,” said Blum.
Corporate leaders want to run lean in hopes of maximizing profits, but as Diamond points out, the number one problem facing cybersecurity teams is the lack of budget to properly staff. The result is a cybersecurity team that feels stressed out, burned out, and has trouble disconnecting at the end of the work day. It also causes high turnover, putting more pressure on the team and more work on managers to fill an already hard-to-fill role.
This is especially troublesome in the CISO position. Most CISOs remain in the job less than three years. Considering how difficult these leaders are to replace and that it takes about six months for a new CISO to fully know a company’s security operations before even implementing a program, losing your CISO should be part of your risk prevention strategy.
After conducting more than 70 interviews of corporate security professionals, Blum learned that security breaches are often predictable when cybersecurity operations are not aligned. When a CISO is denied funding for security measures, it leaves companies vulnerable. Having a skeleton staff leaves the security operations in disarray. Poor integration into the rest of the company can lead to hundreds of millions of dollars in costs and ultimately the company’s top leaders stepping down.
“The biggest problem that companies have is a lack of a definition of security that fits their business,” said Blum. Management must define how security applies to their business strategy, their vertical industry, the culture, mission and mandate of business, as well as what oversight of that security means, said Blum. Security is part of how companies do business in a digital environment and should be treated as such.
Here are some steps companies can take to ensure a well-aligned security program:
Diamond emphasized how clearly defined cybersecurity roles is a major gap she’s seen in cybersecurity staffing. Roles that are poorly defined make it harder to recruit, but also make it more difficult to define accountability. These problems lead to dysfunctional teams and hinder retention. Companies also need to bake hiring and retention into the job description and responsibilities of managers, she said. Finding cybersecurity professionals takes work and time, as does investing in the relationship-building efforts and EQ training required for keeping those employees. Documenting it as part of the job shows that the company takes cyber staffing seriously.
How can teams make security as seamless as possible? It’s a question managers and executives should be asking regularly and work collaboratively throughout the organization to achieve. Enacting cybersecurity-business alignment can shed light on potential problems earlier in the process and open the door to new ideas and innovation.
“Through alignment you can release a lot of untapped potential,” said Blum. “Look for progress not perfection. Making some progress is really going to move the needle but it happens with the team. It’s a team sport.”
Hiring cybersecurity professionals is as challenging now as ever. With a shortage of people actively looking, cyber pros can be picky about where they work and the compensation they earn. Not every company can afford to pay the same level of salary as Google, but that doesn’t mean they don’t offer a rewarding opportunity for cyber professionals.
Fortunately, there are things hiring managers and HR professionals can do to find talented people for those hard to fill cybersecurity jobs, even when the salary you’re offering might be lagging.
Once someone makes a decision to seek a new opportunity, they’ve mentally left their current employer. When this happens it’s like turning on their radar and they become receptive to the outreach that comes their way, both cold and warm. We know that the average cyber pro receives two job inquiries a day. Every day spent debating a potential hire risks that they’ll speak with a firm willing to pay a lot more money than you. The faster you move someone through your hiring process, the less likely other companies will beat you to making an offer.
When your salary is low, take inventory of everything else that you offer. Do you have stock options? How about an amazing health care plan? Retirement plans? How about flexible work environments and unlimited PTO? Open door policies or an accelerated career path? We see cybersecurity professionals taking less money when evaluating multiple offers because the compensation package as a whole makes the offer very competitive. Prepare a one-pager that explains all that you offer and make sure that everyone in the process is capable of discussing it with the candidate.
You already know your salary offer will most likely be low. Make sure your attitude is high. Seems like common sense, right? Nope. Anecdotally, I estimate that 25% of all first interviews are rejected by the candidate because they didn’t leave with a good feeling. Make sure your words and actions convey that you’re an open and welcoming person and company. Remember that cybersecurity professionals are no different than any other human. They want to work for people who are nice and who value them. Let them know they’ll be valued if they come to work for you.
What? Why should I send a thank you note? They should be sending one to me! Well, hopefully they do send one to you and you should always send one to them. It is a small gesture that makes an enormous statement about who you and your company are. I suggest you go on Amazon where you can buy a pack of 50 cards for $9.99. A thank you card is much more effective than a follow-up email. And there is nothing wrong with doing both. It will have a huge impact on the cybersecurity professional and most likely the first time it has ever happened to them.
Resume services are nothing new, but can be surprisingly effective for relatively little money. We created our Resume Service, which we call Talent Scout, to serve clients who can’t afford a full search placement and that have the internal talent acquisition team who can interview and extend an offer.
Talent Scout takes one of the most difficult stages in the hiring process off your plate by identifying five candidates who are qualified and interested in your opportunity. We make sure each cybersecurity professional’s resume that we send is someone who is qualified and interested in what your company offers. We take the laborious process of identifying interesting candidates away from you and present cyber professionals for you to interview and close.
If your company keeps losing cybersecurity talent to bigger, better funded companies, you still have options. There are many cybersecurity professionals who seek smaller companies, close-knit work environments, and feeling like an important member of the team, not just a number. To secure qualified cyber pros, focus on the unique benefits your company offers, both financial and culturally. And don’t be afraid to ask for help when important cyber roles are going unfilled. The cost of securing some help today could save you the major cost of a data breach down the road.
If you’re looking for more tips on how to find skilled cyber pros, make sure to subscribe to our blog, or reach out to us. We’re happy to answer your cybersecurity hiring questions.
It’s no secret that cybersecurity has a diversity problem. While it is well-documented that inclusion and diversity are benefits to a company and the bottom line, there are some people who are skeptical of diversity’s true impact or may feel left out of the conversation because they are part of the overwhelming white male majority. Company leadership 
must get all employees on board for any program to be successful. Making inclusion a part of the company’s culture is a good first step to ensure all employees feel valued. Below you’ll find other culture shifts companies can make as well.
In the video below, “A CISOs Journey To Building Diverse Teams,” EVP and Chief Information Security Officer at Zions Bancorporation, David Stirling says he saw a lack of diversity on the tech side of banking and that it was clear it was causing performance problems.
“The team was not diverse and not a great representation of different backgrounds and different viewpoints,” said Stirling. “The team was not performing well, not against any individual member of the management team, we just weren’t achieving the goals and regulatory requirements for our banks.”
Stirling said he recognized there was an opportunity to start thinking about things differently than what the cybersecurity team to that point had been doing and tapping some talent he had worked with in the past.
“At the time, I wasn’t conscious of the reason why these women leaders are successful is because there’s diversity of backgrounds, there's diversity of thought,” he said. “I just knew them as really highly capable leaders that did not have a cybersecurity background.”
Stirling said once these leaders were brought in, “immediately we began to see some things that needed some changing and when we got some of the female managers on my team in my office they said, ‘Hey we need to change the way we’re thinking about some things.’”
By not including other voices and having a homogeneous team, “we didn’t understand the power we were leaving on the table,” said Stirling.
Diversity of thought requires people to admit they don’t know everything. For seasoned cyber pros who have been at the job for years, it can be challenging to their ego to have someone from outside the department, or even the organization, call to question the way things are done.
Stirling said he had a wake-up call working with the former chief technical officer at his company, who was a champion of diversity.
“I had to be humble and recognize some of the activities and approaches I had previously had were not helpful, not in the sense I was working against what needed to be done but I was not proactive and thinking of things the way they should be done,” said Stirling.
With cybersecurity professionals in such high demand, Stirling says, “this isn’t about replacing people.”
“This isn’t about one or the other, but developing teams with diversity of thought to make them the highest performing team they can be,” he says.
How many times have you heard something like this?
“I value diversity training, but our department just hasn’t got the time.”
“I know we should try to be more inclusive.”
“Obviously inclusion is a priority here.”
Words like, but, try, and obviously are dismissive. They are not the language of leadership or people who want to take action. Other words like, should, and fine can hold a department or an entire organization back from being truly inclusive.
No one wants to feel like they are not a priority. Opt instead for clean, active language when discussing inclusion and diversity. It sends a clear signal to all employees that having respect and empathy for everyone is required.
“Unless you make diversity a priority, it won’t help you improve your teams,” says Stirling.
Whether you’re a start-up or a Fortune 500 company, cybersecurity consulting is a good way to assess the effectiveness of your cybersecurity operations. Having another set of eyes on your security systems, looking for ways attackers could infiltrate, and creating a strategy for addressing any security gaps can save your business time and the disruption of a security breach.
Cybersecurity consulting has another less well-known feature that is arguably more valuable than identifying potential threats: insights on cybersecurity staffing. A cyber team is only as good as the people within it, so hiring is a crucial aspect of keeping your company and customer data secure. By tapping a cybersecurity consultant, you can gain expert knowledge on the industry, where to find skilled cyber pros, and how to market your company to top talent.
When vetting cybersecurity consulting firms, here are some qualifications you should be looking for.
You may think you know what you need, but a skilled cybersecurity consultant can help you drill down into the specific aspects of your needs. By understanding your objectives, the consultant can identify skills gaps and provide a staffing headcount based on current and future initiatives. For example, your company might be evaluating security information and event management tools. A good cybersecurity consultant can offer advice on the availability of certain product skill sets and their respective labor cost.
A cybersecurity consultant should be someone who is able to provide the latest information about solutions and products especially those that are becoming more popular, those that are new to the market and other trends. This could include career and employee development trends and new training resources available.
You are never going to build or keep a great cybersecurity team if you aren’t offering enough compensation. You need a cybersecurity staffing consultant who will be blunt about your salaries and compensation packages. Your company may not be able to offer the same salary as a larger company, but a cybersecurity staffing consultant can help you develop other types of compensation, such as ample paid time off, work-from-home options, and an inclusive company culture that will attract professionals.
At CyberSN, our cybersecurity staffing consultants see a lot of compensation data because companies and professionals give us this data every day through our job search platform KnowMore. One thing we’ve seen is that it’s not just about the money. Professionals are looking for better work-life balance, especially since the lines between work and home have become so blurred. Training opportunities and the ability to work remotely permanently are two of the top requested perks we’re now seeing.
Part of the challenge of building out the right cyber team is that job titles, roles, and responsibilities vary from company to company. Having a cyber consultant who knows the industry, terms, and job titles vastly improves the results of your recruiting efforts.
We identified this problem at CyberSN and developed a common cybersecurity language, not just for those in the information security industry, but for those who hire, too. This included identifying different facets of the industry and defining 45 cybersecurity job titles and more than 100 subtitles.
Here are a few questions you should ask before engaging with a consulting firm on your infosec operations.
Do they work primarily for large corporations or is this a firm that specializes in start-ups? A firm may claim to be generalists, but cyber needs vary depending on the company’s size and industry, whether that’s e-commerce, banking, or health care. Make sure you hire a consultant that understands your industry.
Before working with a firm, it helps to know who you will be working with, their area of expertise, and how many hours they will be available. Are you looking for 24/7 availability or someone to develop a strategy for improving diversity? Whatever your need, ask for specifics about the level of expertise you will be provided.
Companies are striving to create inclusive workplaces, especially when race and gender are such a part of the national conversation in the United States. Whatever your cybersecurity needs, diversity is likely to be part of the conversation. When your team is made up of people with different backgrounds and world views, it will help improve your ability to identify threats from around the globe. Discuss diversity training as well as hiring practices to ensure you are creating a welcoming environment for all employees.
As a woman-owned company, diversity and inclusion are important in all we do, which is why more than half of our placements are diversity hires.
This may seem obvious, but if you’re looking for expertise in cybersecurity, make sure the team you get has experience working in the industry and understands both the employer’s and employee’s side of the job.
Ask your cybersecurity consulting firm what you’re getting from them and hold them accountable throughout for that deliverable. CyberSN, for example, offers hiring strategies for companies struggling to fill cyber roles. After working with one cybersecurity industry expert and one cybersecurity hiring expert, the company will have a clear strategy for recruiting and hiring cyber pros that fit their needs and within the company.
No one wants to hire another consultant who swoops in, offers unrealistic advice, and is only concerned about the paycheck. Before you sign a contract with a cybersecurity consulting firm, clearly define what you’re looking for from the relationship. Make sure the firm is willing to help set goals and create a realistic strategy that works for your type of company. Finally, hiring a firm that understands that it’s not just about the tech. Developing the human side of a cybersecurity team can help protect your company, as well.
Cybersecurity jobs are notoriously difficult to fill. According to a study by Burning Glass Technologies, cybersecurity positions take 20% longer to fill than typical IT roles, at an average of 50 days. For every open position, the study found companies only have an average of two people in the applicant pool to choose from.
Cybersecurity recruiting is challenging for many reasons, but few companies have attempted to get to the root of the problem and find a better solution. It’s what makes CyberSN an outlier in the cybersecurity recruiting industry. We’re the only company that specializes in just cybersecurity and we’re the only company that guarantees filling a job in under 39 days.
How is it that CyberSN is the only game in town? Here’s the story.
CyberSN was born from conversations founder and CEO Deidre Diamond was having with her friends in the cybersecurity industry. Some were telling her they were struggling to find jobs. At the same time, she was hearing from others about a shortage of cyber professionals. Diamond saw this disconnect as an opportunity to reach an untapped market—there must be a faster, easier way to match cybersecurity professionals looking for a job upgrade and companies in need of skilled cyber talent.
Since the job search and recruiting process went online, both job seekers and companies have turned to keywords and automation to make the process easier. While this has cut the time required to find a job for most people, the result in specialized industries, like cybersecurity, has been a failure.
Diamond found some companies were cutting and pasting attributes from past job descriptions, regardless of what’s needed, to create nonsensical franken-jobs that savvy, experienced cyber pros see through immediately.
“These are highly wanted professionals,” said Diamond. “They’re not going to read that!”
Then there were the HR recruiters who don't understand what a job description means, making it hard to seek out skilled people for the job. Add to that cybersecurity professionals who are serious about their privacy online and stay away from LinkedIn and it was a wonder companies and cyber pros ever found each other.
“What hit me square in the face is that when content became free, it also became meaningless,” said Diamond. “Job descriptions became meaningless and resumes were always meaningless—you can put anything on a resume.”
With bad job descriptions and bad resumes, “It’s matching garbage content to garbage content,” she said. Plus, there’s the enormous cost companies must incur just to hire, and the mental energy it takes to apply, prepare, and interview for a job.
“There is an element of job searching that’s so bad it's causing mental distress. It’s amazing that in the year 2020 we can’t match people.”
Diamond wanted to know, how do you fix it?
Sometimes solving a problem takes coming at it from the outside. Diamond didn’t come up through the cybersecurity industry, but instead in sales and management in the tech industry. After graduating with a degree in criminal justice, Diamond considered a career in law or in social work, but after seeking career advice, took an entry-level position with Motion Recruitment, a tech recruiting firm headed by two serial entrepreneurs. There, she was on a professional growth track that would take her into senior leadership. After 13 years in tech recruiting and helping take the company from $2 million to $89 million in sales as the vice president of sales, she became vice president of sales at the security software company Rapid 7, and then on to serve as CEO at Percussion Software.
Having led a company, Deidre began thinking about building her own company and took some time away to develop her ideas. It was during this time Diamond was at Black Hat, running into people she knew and hearing from just about everyone that they were looking for something new—cybersecurity professionals who were looking for a career change and companies looking to hire.
“You talk to cybersecurity professionals and they’d say, ‘I can’t get an interview that's the correct interview for me,’” said Diamond. Others said they wanted a new job but were working so much they didn’t have the time to look.
Diamond launched CyberSN in 2014 as the solution to this pervasive staffing problem. Tapping her industry connections in tech hubs on the East and West Coast, Diamond grew her staff from one to a full, professional team specializing in matching skilled talent to jobs they love.
What cybersecurity recruiting quickly taught Diamond is that the current model for recruiting cyber talent was broken too. Working on contingency when filling cyber roles was not practical and difficult to scale based on the 90- to 100-day timeframe it took to fill some roles. If CyberSN could speed up this process, she could make it more profitable, Diamond thought.
“I am used to growing and I wanted to build an army,” said Diamond. “I was willing to invest and take a risk.”
First she started with her connections in the industry. She and her team had more direct access to cyber professionals who are very private and often hard to track down online. Then she took a hard look at the job descriptions companies were writing and realized that needed to be streamlined too.
The most substantial lead the company made was in 2016 when she brought in a team with vast experience in the cybersecurity industry to build a platform that would help CyberSN’s cybersecurity recruiters fill positions faster. The proprietary platform that would eventually be launched to the public as KnowMore gave CyberSN an advantage no other company had—a way to more efficiently match skills and experience with a company’s needs by using a common task-based language.
“That’s when we really changed the game in terms of cost of sale,” said Diamond “We were able to make matches in 30 days instead of 100 days.”
As a woman in the tech industry, she understands the challenges many women face, from hostile work environments to a lack of investment from venture capitalists. For Diamond, diversity is key to addressing these issues. CyberSN is not just about filling jobs, but helping companies to develop women and diverse talent. She also founded Secure Diversity, a nonprofit which aims to empower all genders, and specifically women, to find career opportunities in cybersecurity. As a result, companies come to CyberSN because they know they will have access to a diverse pool of talented cybersecurity professionals.
“The people who come to us really care about getting better at hiring and want to see a more diverse workforce,” said Diamond.
Diamond said she and all of CyberSN are committed to continuing to transform the job searching and matching landscape. Whether it’s finding more efficiencies or creating strategic partnerships, the company plans to grow and build on their reputation for being number one in the industry for identifying and placing diverse cyber professionals.
To learn more about CyberSN and the menu of services they offer for finding, matching, and hiring cybersecurity professionals, contact us today.≥
When you have one or more cybersecurity positions to fill, it’s only a matter of time before the pressure will start to mount to get someone in the role ASAP. You know you can’t just throw anyone in the role. When you consider that the top data breaches in 2018 affected more than 100 million people, finding skilled, experienced, trustworthy talent makes getting cybersecurity recruitment right that much more important.
Having a positive company culture and being active on social media are ways to raise the profile of your company and help with cybersecurity recruitment, but they won’t get you more resumes in your inbox like the right job description and a solid network of connections will. We’ve mined the expertise of our recruitment team to put together this list of cybersecurity recruitment tips to help you find better talent in less time.
Chances are the best and brightest in cybersecurity are already working at another company. It’s why most cybersecurity professionals will tell you they are contacted by recruiters on a near daily basis. To find the right candidate for your cybersecurity post, you will have to be more aggressive than managers hiring in other fields.
If you have a position that’s been open longer than six months and your traditional recruitment avenues have produced nothing, you need to look somewhere else. Are you attending local industry meetups? Do you know what local cybersecurity professionals are reading? Where are they chatting online? To find new talent you’re going to need to do some good old fashioned networking.
While this may seem like a challenge, for many companies it can be an opportunity to increase diversity. Breaking outside of your regular recruiting network and connecting with groups like Secure Diversity introduces you to candidates from different backgrounds who are likely to bring balance to your company’s experience set. For example, a report by Cybersecurity Ventures estimates women made up 20% of the cybersecurity workforce in 2019, so it’s clear there is still a lot of work companies can do to increase diversity in this field.
One of the biggest mistakes companies make when it comes to cybersecurity hiring is immediately eliminating candidates without the required degree. Any hiring manager will tell you a great candidate has so much more than the required college degree, yet we see plenty of companies get hung up on this. Many companies are finding that experience, trustworthiness, and a range of skills are more important.
Focusing on candidates with an eagerness to learn and develop will open a new pool of great talent that’s likely to be more interested if your company offers them the opportunity to grow. Highlighting professional development opportunities and the value of growth as part of the company culture will entice motivated and talented job seekers to not only apply, but once hired, be likely to stay longer too.
One of the toughest challenges in cybersecurity recruitment is getting the job description right. Often, a company may not even have the right job title, going unnoticed by dozens of great candidates who are searching for other titles.
If you have a job posting that’s been languishing unfilled for months, it’s time to take an honest look at what you’re putting out there to candidates. It may have one or more red flags that turn off promising talent. Start at the beginning with whoever wrote it. Was the description cut and pasted from other cybersecurity job descriptions? Is it asking the candidate to work the job of two or more people? If so, you’ll need to loop back with HR and come up with a better job description if you want to see new resumes come in.
Speaking of HR, human resources can be a pain point for hiring managers and candidates alike. While they are working hard to check all the boxes, it can slow the process down, leaving candidates wondering if your company is really serious about filling the post. With an estimated 3.5 million cybersecurity positions expected to go unfilled by 2021, you will need to act in a timely fashion when a good candidate applies.
Sometimes, you just don’t have the bandwidth to hunt down quality talent. Making connections and attending networking events takes time. Hiring a recruiter who can invest the resources into finding the right candidate can save your company time in the long run. Look for a recruiting firm that specializes in cybersecurity. Recruiters who don’t speak the language of cybersecurity and aren’t well-versed in the skillset you’re looking for won’t yield the same results a cybersecurity recruitment firm will.
Another way to shift your search into high gear is using the tool KnowMore. This talent matching platform is a resource for both job seekers and employers, allowing you to browse candidates, search by role, and even start a conversation directly with the candidate.
Acing cybersecurity recruitment begins with acknowledging that it’s different than filling other jobs. The specialized skill set and high level of trust required makes finding the right talent more difficult. By adopting these approaches, however, you can start to attract better talent faster.
At a time when working remotely is challenging existing security practices, cybersecurity and information security staffing remains a priority for many companies. Hiring freezes are being lifted or never even applied to essential cybersecurity positions. As hiring managers look to fill their teams at this critical time, they report that there doesn’t seem to be enough cybersecurity professionals to go around and are struggling to find qualified people.
CyberSN has been solely focused on the information security and cybersecurity industry since 2014. Founder and CEO Deidre Diamond saw a disconnect between how companies were approaching cyber talent and what skilled cyber pros were looking for. The mission of CyberSN is to take a different approach to fix a broken system and offer a range of services that match companies with the right infosec professional.
While most companies approach hiring the same way they’ve been doing it for the past decade or more, scrapping the old system to try something new has paid off—we can fill cybersecurity positions in under 39 days, compared to the many months it can take recruiters and internal human resources teams. Here’s how we did it.
Too often companies think they can throw a job description on LinkedIn, Monster, and Indeed and the resumes will roll in. Unfortunately, information security professionals aren’t always on these channels because they are suspicious of their ability to protect personal information. So then, where can you look?
What if there was a job board that was only for cybersecurity professionals? It’s a question we asked ourselves after hearing from companies about their struggle to staff their cybersecurity teams using traditional channels.
Using these requirements as a guide, we created the KnowMore job search platform. Today, it has profiles from thousands of information security professionals who are seeking work. Some are actively looking for a job, while others may be passively looking for a different opportunity, such as relocating or more pay.
We know how critical it is for companies to fill their cyber teams, especially today with so many emerging threats. To help companies connect with qualified cyber professionals, we recently launched KnowMore Community Edition as a free service, allowing them to not only search, but also post jobs for free.
On KnowMore Community Edition, each professional fills out a profile based on the skills they have to offer. The profile also includes those “deal-breaker” aspects of the job that can derail hiring late in the process, like desired salary and work-life balance benefits. The profiles are confidential, stripping away the fluff that comes with a traditional resume to the most important metrics.
When you find a profile that sparks your interest, you reach out through KnowMore. The person behind the profile can opt to keep the conversation going, drop the anonymity, and connect via email or phone.
What if we told you there are information security professionals out there actively looking and the reason your company is struggling to hire them is because they look at your job postings and don’t like what they see?
The unfortunate truth is that many companies don’t know how to write a job description for cyber. They cut and paste requirements and responsibilities from old job descriptions that may not even fit the role. Other times they throw every possible dream attribute into the description as if they were looking for some unicorn cyber pro. When qualified people look at these kinds of job descriptions, they react with a hard pass.
We started looking for an efficient way for companies to build a better job description and stop disqualifying themselves the second they post an open role. The job description builder tool in our KnowMore platform asks questions about the role you are trying to fill and the skills needed to succeed. In under 10 minutes, you can build a job description that’s straightforward and speaks directly to cyber professionals using their language. The method gets companies beyond the buzzwords and breaks them free of the cut-and-paste job descriptions that are holding them back.
Because many information security professionals stay clear of social media and mega job search sites because of concerns about privacy, companies are forced to get innovative when it comes to cyber staffing. Attending industry events, building a network in the industry, keeping up-to-date on emerging threats, and knowing how to “speak the language” are the best ways to recruit talented people.
But what if you don’t have the time for that?
In developing CyberSN’s menu of services, we saw that companies need insider knowledge in the cyber industry to recruit, but that few had someone internally who could offer that. In response, we developed Talent Scout, a staffing service that does the searching for you and provides a list of vetted candidates.
For companies that have a strong internal hiring process, but are struggling to identify interested cyber professionals, using Talent Scout can really expedite the information security staffing process.
The goal of any company should be to hire people who are not only qualified, but also love their job. It’s our goal too. But there are some factors that prevent companies from achieving it when it comes to information security staffing:
Both of these problems indicate something broken within your cybersecurity hiring process. If this is the case, your company is not alone. Turning to outside help can not only help you fill the position, but also shift your hiring process so that you’re more successful in the future.
CyberSN developed our Engaged Staffing service to help cyber professionals find jobs they love and to make the talent search for companies easier. We’ve refined the process since 2014 and are now able to deliver professionals to you ready for in-person interviews in under 39 days. By getting to know your company and its needs, we can find skilled cyber professionals who also understand your company and are eager to work there.
Because cyber is a job seeker’s market, we also show your company how to present itself in the best light, from helping write a better job description to making a job offer.
For companies with a well-established hiring process in place, it can be difficult to make changes, let alone hire an outside recruiter. But there are ways to shift the information security process to get better results.
Seeking expert advice is the fastest way to improve hiring outcomes. A better understanding of the cybersecurity industry, cyber culture, and salary expectations give companies the advantage.
But how do you get that knowledge?
CyberSN’s expertise is one of our top features, relying on our team’s experience working in the industry. We saw that companies wanted to mine that knowledge to improve hiring at their own companies, so we made it a part of our services.
Our Strategy Consultation provides you with insights on building better job descriptions, right-sizing compensation packages, developing organizational charts, and understanding not just your company’s cyber needs, but also job seeker expectations in the workplace. A consultation includes talking with two of our subject matter experts—one specializing in cybersecurity and the other in cybersecurity staffing—about the problem areas in your current hiring process. You’ll walk away with a new hiring strategy targeted specifically at filling cyber teams.
As the only company focused solely on cybersecurity staffing, we know there are problems with the job search and hiring process that need addressing, but at the end of the day, it all comes down to people. Matching qualifications, certifications, and requirements is something anyone can do, but finding a professional with the right skills for the role, as well as the interest to invest themselves in your company, that takes a willingness to understand what motivates people in the industry. If your company is struggling to thoroughly address the challenges in information security staffing, it must be willing to do things differently.
If you want to know more about our innovative approach and the secrets to finding successful matches, reach out and talk to us.
Friends,
Since I was a young girl I have felt a sense of responsibility to care for others, a responsibility to always help when people are scared, sad or stressed. Today I feel this even greater, as our world and our country faces a major healthcare crisis and as our economy is negatively affected; I am compelled like you to help. Thankfully myself, my team, and those I love have not gotten sick. Those of us who have this luck must do more and so we will.
We are all concerned, we are all affected; and we must stay informed. My team can help support us all to stay informed on the cybersecurity job market. By sharing what CyberSN sees in the cybersecurity job market from week to week we can lower our anxiety together 🙂 Knowledge is power. CyberSN can support the cybersecurity community by offering solutions to the new job challenges we will experience. Today is my first weekly share of knowledge and solutions. CyberSN is here to help. Please read on to learn how and share with our community.
As you read my assessment of the state of the cybersecurity job market, it's good to understand where my data comes from. CyberSN is a national full-service cybersecurity staffing and technology company. We have a high concentration of staffing leaders specifically in New England and the Bay Area. In our almost six years of business we have only staffed cybersecurity roles, no IT, no SW developers. We are the largest solely focused direct hire cybersecurity staffing firm in the US. We speak only cybersecurity.
Over the last four weeks myself and the entire CyberSN team have felt your stress, for your stress is our stress and vice versa. By way of business we are connected by jobs and jobs are the foundation of how we support ourselves and our families. In an economically challenged market, many jobs are at risk and everyone is concerned. At the same time the cybersecurity space was already short 500,000 professionals in the US before the COVID-19 crisis. In theory, this means that there should be no problems for cyber professionals to find work and yet there is more to this story. Unfortunately, our current job searching and matching system is broken, I have spoken about this vulnerability for years. You can see my talk from the RSA Conference 2020 to learn more about our broken job searching system. Now and moving forward through this economic challenge we will feel the impact of this broken job searching system even more. Today amongst all the unknown, we must think strategically about what we are doing and understand the risks upon us. Here is what we are seeing in the market, the problems and solutions included 🙂
As of today April 2, 2020:
70% of businesses put all jobs on hold two weeks ago and these roles are still on hold. These firms are putting all roles on hold, not just cybersecurity positions. Most cyber leaders feel the hold will last two to four more weeks and yet there has been no concrete timeline from those they report to. In addition, companies that are pre-IPO or directly affected by the health crisis directly such as manufacturing, travel, hotels, airlines, restaurants, and staffing services have put all roles on hold indefinitely and beginning layoffs or furloughs. We have not seen cybersecurity professionals being laid off at these firms. We have not seen these layoffs for cybersecurity professionals amount to greater than 1% as of yet.
30% of the market is moving forward, interviewing, hiring and onboarding cybersecurity professionals. These organizations understand that their cybersecurity teams are already overloaded and putting roles on hold would do more harm than good. The challenge for these organizations is the candidate pool is scared to make a move during the health crisis, further diminishing the available pool of talent.
Companies are pushing start dates for new hires that were scheduled for late March or April. We have not seen offers being rescinded from our clients and we have heard from 2% of the market that this has happened to them. Much of the start date push is due to the work from home mandate for non-essential industries. Many companies are not in the cloud and find the remote onboarding process to be too difficult.
Employment Eligibility Verification (Form I-9) seems to be a big challenge since law is that I-9 has to be verified in person. Good news, on March 20, the Department of Homeland Security provided some assistance for I-9 verification by announcing temporary COVID-19 provisions that permit employers to inspect the Section 2 documents remotely, through a video call, email or fax, to onboard remote employees. This knowledge should help leaders through this challenge so they can move forward and onboard remotely.
Exhausted cybersecurity professionals are working even more during the crisis. They have no relief in sight. Their firms have been looking to hire people year over year with little success. Now their already overworked cyber teams are doing more work. What these companies are lacking is a budget to pay for an external recruiting service.
This was a challenge way before the health crisis and now our fellow colleagues feel this pain even more. Already, recruiting departments don’t have the skill to find and match qualified and interested cyber professionals to jobs. This is because they don’t speak cybersecurity and they don’t have access to cybersecurity professionals. As this case study conducted by Chenxi Wang reports, “cybersecurity roles remain unfilled on average eight months; until an outside recruiting firm is brought in”.
Cyber professionals are getting burned out quicker due to working around the clock during this crisis. This bothers me greatly at a time like this when stress is high at home and work. I want to make sure that all cyber professionals affected by this crisis will find well-matched jobs quickly. To do this and help those leaders that don’t have a budget to use an outside staffing resource like CyberSN, I am offering our services at our cost for new job searches.
We are a privately held firm with no outside investments. We care deeply about the health and well-being of our community. I am grateful that we can make this offer. This offering will allow organizations who truly want to fill their roles the ability to do so and at the same time make sure no cyber professional goes unemployed for long. There is no greater stress than that of unemployment. I suspect we will see layoffs and we will feel greater pain. Together we will succeed. I will keep sharing what we are seeing as things change rapidly. Love and safety to you all.
Sincerely,
Deidre
Have you heard about the workforce shortage in cybersecurity? Skilled cyber professionals are hard to find and desirable jobs at great companies are left unfilled for months. At least that’s what most tech staffing agencies will tell you. This mindset has infected too many companies, their HR departments, and the staffing agencies they hire, leaving cyber departments understaffed and companies at greater risk.
There is truth to the tight cyber labor market. The latest (ISC)2 report says global IT skills shortages have surpassed 4 million openings. But the lack of professionals is not the only reason companies are struggling to fill cybersecurity roles. The challenge has as much to do with the people doing the hiring as it does the people available for hire.
“I’m calling B.S. on the common belief that it’s a lack of security skills that’s causing these issues,” CyberSN President Mark Aiello wrote in Forbes. “From my professional experience, when I witness security people losing their jobs unexpectedly due to layoffs, restructuring or the like, it can take six months or more for C-level candidates to find a new position.”
In a market where cybersecurity expertise is in high demand, this doesn’t make any sense.
“These folks should be scooped up faster than an unencrypted database full of credit card numbers,” wrote Aiello.
The disconnect between hiring managers and skilled security professionals is at the core of most cybersecurity staffing challenges. The best way to bridge that disconnect is to work with a tech staffing agency that “speaks cyber” and understands the common problems that can derail the cyber hiring process to successfully fill your open positions.
Cybersecurity professionals are passionate about their work tracking down threats. They also know that most people have no idea what their job entails on a day-to-day basis. If you’re posting a job description that wasn’t written by someone within the cyber team, cybersecurity professionals can spot it from a mile away.
Bad job descriptions are not HR’s fault. Most people in human resources lack knowledge of cybersecurity roles and culture, so they use vague language or tech buzzwords that mean different things to different people. The result is a job description that’s nothing more than a long list of technical competencies, educational requirements, certifications, and job titles. When listed as iron-clad requirements, they unfortunately eliminate many talented candidates.
A cybersecurity staffing firm can quickly identify red flags within a job description and work with companies to define requirements, roles, and responsibilities that not only make sense to people in the cybersecurity industry, but also portray the job accurately.
Many IT or tech staffing agencies use the same tactics recruiters in other industries use, especially LinkedIn. They rely on generic IT searches to find cybersecurity specialists, not realizing there is a significant difference in knowledge base and skill set.
When it comes to finding great people, it can be difficult. Cybersecurity professionals are skeptical of social media and job search applications and their ability to protect personal information. When asked how to avoid risk when using social media, Ran Canetti, a Boston University College of Arts & Sciences professor of computer science and director of the BU Center for Reliable Information Systems and Cybersecurity said, the best solution is to not use them at all.
“This might cost a small price, but it’s more than worth it,” Canetti said.
If cyber professionals are not on LinkedIn or job search sites, recruiters who rely on these tools will never find them.
An agency that specializes in cybersecurity staffing knows the players throughout the industry, who is happy in their job and who is not. The recruiters put in the time networking, going to conferences and events, and making connections to develop a rich pool of connections they can tap when trying to fill positions for clients.
With 45 different different cybersecurity job categories, many more job titles, and no industry-accepted definition for any of them, general recruiters are already at a disadvantage before they get past the first line of the job description. Tech staffing agencies that lack cybersecurity industry know-how may not be able to identify talented people right for the role, but who have a slightly different job title elsewhere.
“Many companies get so hung up on finding the perfect candidate that they miss so many qualified individuals who might tick off five, seven or even eight out of the 10 skills listed as requirements for a position,” said Aiello. “In the time it takes to find these unicorn security professionals, a company could have hit the ground running by training someone who was 75% of the way there.”
Your company wants to fill open cybersecurity positions with less effort and in less time. If your internal team needs help and you want to take the search to a staffing agency, it will save your company time, effort and a lot of headaches if you choose a firm that knows the industry and can identify candidates that will fulfill your company’s most essential cybersecurity needs.
Many of the challenges firms face when filling cybersecurity positions can be traced back to the job description. Cybersecurity job descriptions are notoriously difficult to write, yet they’re often the first impression a potential hire has of what it’s like to work for your company. With a lack of industry-accepted terms for jobs and roles, writing a clear and comprehensive job description can feel like stumbling in the dark.
The tight cybersecurity job market and well-publicized skills gap certainly make cybersecurity hiring more difficult, however, there are small steps companies can make to improve job descriptions and hiring success.
Say for instance your company is looking for a security engineer. Here are some of the subcategories that land within that title.
You can see the difficult situation many managers and HR departments find themselves in when crafting a cybersecurity job description. If you can’t settle on whether you need a security architect, cloud security architect, or information security architect how are you going to find a candidate?
When deciding on a job title, do some research within the local cyber community. What other titles are companies using for similar jobs and responsibilities? Is your company committed to having unique job titles? It might be time to compromise and use a job title that more accurately portrays the role.
Ascribing to a common language is the foundation of all human relationships. To reach the best candidates and easily communicate your position requires you use the language people within the cyber community are speaking. You’d be surprised how many HR recruiters and hiring managers have no idea what some of the terms in their cybersecurity job descriptions mean, even though they wrote them!
Experienced cyber professionals also know enough to steer clear of poorly conceived job descriptions, especially those in which job requirements don’t track to the title or are a laundry list of job requirements, clearly indicating the new hire will be asked to do two or more jobs. Knowing what you are asking for and having an understanding of the terms being used in the job description will elevate your cybersecurity job description and show your company is serious about cyber.
With so many open positions in today’s job market, the best candidates are oftentimes people who are already employed, but open to a change in employment. These passive job seekers are skilled, but also savvy. If they are going to make the effort to change jobs, there must be benefits, such as higher pay, more remote work from home, or a shorter commute. Here are some ways you can quickly communicate why your job is better than theirs.
We get it. It’s not always easy to ask for help, but when a position has gone unfilled for six, seven, eight months on end, the problem might require outside expertise.
Staffing agencies are a common solution for companies who need to fill a position fast, but this has its drawbacks. Recruiters may return a list of candidates we would categorize as “warm bodies.” Instead of truly talented cybersecurity personnel, they show you resumes from people who are under-qualified or work in an unrelated area of cyber. Many staffing agencies are generalists and have a lack of understanding of the industry. Using a firm without expertise in cybersecurity won’t get you good candidates either.
Look for a history of experience filling cybersecurity positions in your industry. These agencies not only understand the language, but also have developed connections that allow them to locate talented passive job seekers. Understanding the current cybersecurity landscape, which companies are flourishing, who’s happy and who is not is essential.
Another advantage agencies that specialize in cybersecurity bring are tools that help HR personnel and hiring managers find the right match without a recruiter. Programs like CyberSN’s cybersecurity jobs platform offer tools and templates to build job descriptions specifically targeted toward people in the cybersecurity industry for free.
Bottom line: an agency that has expertise in cyber can communicate your job more effectively, resulting in a better slate of candidates and ultimately filling that position faster.
While the scramble to recruit and retain smart cybersecurity professionals is universal, some companies struggle more than others. If you ever wonder how some competitors managed to perennially field solid cybersecurity teams while your organization can hardly even find enough candidates for your open jobs, it might be time to evaluate the way you market to and interact with cyber job seekers. CyberSN recently spoke with a number of recent applicants and employers on what engages employees most effectively. Things like a decent compensation package are table stakes for drawing great candidates. However, there are often other simple touches that can make all the difference. Here are five tips for attracting cybersecurity professionals to your roles.
It should go without saying, common courtesy can go a long way towards keeping the lines of communication open with good candidates. For example, if you’re recruiting currently employed candidates, try to be flexible about scheduling interviews. And whatever you do, minimize cancelations on your end.
“Meeting during the day is already a challenge because you have to find a way to schedule time off from your current job,” said a Security Engineer who wishes to remain anonymous. “It’s particularly difficult when a potential employer cancels at the last minute, which happens anywhere from 25% to 40% of the time in my experience. For a couple of companies, this happened with, I just declined to reschedule.”
If you’re a hiring manager working with a company with a lot of bureaucracy and red tape to jump through during the interview process, consider either personally reaching out or having a recruiter reach out to prep candidates for what to expect.
“Having insights about the company from the recruiter made a difference,” Robert Burns, Sr. Consultant at Booz Allen Hamilton explained. “Just a little bit of information about who I was meeting with ahead of time, so I could prepare and have a better understanding of what I’d be talking about with different individuals.”
Compensation is obviously important, and so are work-life balance benefits like flex time. But so are relocation benefits. It might seem obvious that the best way to open up a bigger pool of candidates is to widen geographic boundaries. Surprisingly, few companies actually do this. We’re not talking about a huge investment – just $10-15k will make a huge impact.
“Even though there’s a huge gap in the field, it’s very difficult to find organizations that will pay you or give you the flexibility to cross from coast to coast,” says Burns, who worked with CyberSN to get him relocated to a work location that worked for him.
When interviewing, you can’t get hung up on years of experience or even certifications. You need to learn to find candidates who have the right raw materials for training by asking the right interview questions. Make sure you are interviewing for someone’s ability to do the job. Find out what they have been doing and not how for how many years they have been doing it. Years do not equate to capability. Also, make sure your posting avoids using any red flags for job seekers!
“In interviews, we would ask questions around curiosity. Trying to hone in on how an individual thinks can be important,” says Dan Garcia, Sr. Security Engineer at Datto. “Asking questions like, ‘What is the last thing you took apart and why?’ Just trying to get at their intellect. From that, we found some pretty great candidates that had the right mindset.”
Finally, look for ways to be creative in your outreach. Cybersecurity is a creative field, and smart candidates respond to clever employers. Run or participate in events like capture the flag and tabletop exercises. Go to the same places that cyber pros go.
“Datto once took out a billboard where we Base64 encoded the career site URL, and we had a candidate apply to be a software engineer from that,” says Ryan Weeks, Chief Information Security Officer. “He now leads our application security pen-testing team.”
Listening closely to the experience of candidates and gathering feedback from employers gives insight into what mistakes are being made that are easily addressed. What’s working (and not working) in your cybersecurity talent experiences? Did we forget any tips for attracting cyber professionals?
The inability for companies to attract a diverse range of candidates is an underlying current to today’s broader cybersecurity staffing crisis. In fact, close to half of security insiders today believe that the underrepresentation of women and minorities stands as a major factor contributing to the current shortage of skilled security workers.
Anti-discrimination laws and cultural norms have largely pushed out the most overt cases of discrimination to the periphery of the industry. However, even with obvious bias isolated to the edge cases, what we’ve seen left behind are traces of unconscious bias that nevertheless hamper the industry. Unconscious bias has a way of creeping into even the organizations most gung-ho for diversity, keeping their cybersecurity teams from bringing in new kinds of people and their fresh perspectives for problem-solving.
One recent placement I worked on demonstrated to me exactly what this kind of bias looks like in action—and it was from a friend who I know to be fair and thoughtful. I was helping this executive fill a role to which he’d hoped to bring some diversity. As such, my team had provided an extra helping of women and minorities to a well-qualified candidate list. Needless to say, I was surprised to hear he ended up hiring a non-diverse candidate for the position.
As I got him to rewind the process for me, he told me that when the women on the list were asked why they were interested in cybersecurity, they didn’t bring enough ‘passion’ to the answer. While the man’s answer had more to do with personally seeing the problems in the industry that he wanted to fix, the women tended to relate stories about family members having their identities stolen and how that spurred an interest in the industry that protects people from those experiences. For the hiring manager, the way the man answered resonated as more ‘passionate.’ But looking at it from an outside perspective, it looked more like the man simply provided an answer that most closely matched my friend’s own worldview of professional enthusiasm. What he failed to see is that the sources of passion and work ethic can vary greatly by background.
What he ended up with is another non-diverse candidate, rather than a person with a wealth of new views that could have helped to round out his team. And this is really the crux of the diversity problem we face in the cybersecurity industry. The whole point of bringing in more women and minorities into teams isn’t to meet some quota. It’s to nurture a team-building mindset that attracts a range of people with totally different backgrounds who can bring fresh ways of tackling problems. This establishes a team dynamic where you’ve got a multifaceted way of attacking things. This is huge in security, which is so dependent on creative problem solvers.
In order to root out unconscious bias, we need to start listening for the answers we’re expecting from candidates and also the equally good answers that challenge our expectations. And achieving a bias-free workplace doesn’t end at the offer letter—not by a long shot. We’ve also got to think about how unconscious bias keeps us from retaining those underrepresented folks. As leaders, we need to take a hard look at the kinds of team-building exercises we do and about the kind of work atmosphere we promote. Let me know your ideas, advice, tips, or tricks to help further unbiased hiring. I’d love to hear from you.
When Gary Hayslip, the CISO for Webroot, Co-Author of The CISO Desk Reference Guide, and a highly valued and trusted leader in the security industry asked for my input on his article, I told him I would be more than happy to share my thoughts. I have a lot to say on this subject after 19 years in the recruiting profession, 14 of those years running my own firm, and the last 2.5 years exclusively focused on cyber! No one has this type of time on their hands, so I will break this down into several articles over the next couple of months!
There are so many moving parts to this issue, and as Bill Bonney, Gary’s Co-Author of the CISO Desk Reference Guide, so eloquently and accurately breaks down in his response to Gary’s piece, How We Want Recruiting and Hiring Managers to Behave, this is a problem that needs to be addressed by recruiters, hiring organizations and all the stakeholders involved in the hiring process, and job seekers together.
I appreciate Gary and Bill recognizing CyberSN as a company that is dedicated to solving the challenges associated with hiring security professionals and the frustrations they experience on the job search front. We are on a mission to dramatically decrease the frustration, time, and cost associated with job searching for IT Security and Cyber Sales professionals. You can read more about our Founder & CEO, Deidre Diamond’s Mission and Vision here.
Deidre and I met at the RSA Conference in 2015 when I was still running Indigo Partners, and we connected instantly. Rather than seeing each other as competitors in this small cyber recruiting niche, we bonded in discovering how perplexed and disheartened we each were by our very own recruiting profession and the bad, but deserving rap, that our industry has earned as a result of the very behavior Gary discusses in his article, which is what led us to found our own firms in the first place, and ultimately unite.
The commoditized, keyword search approach to recruiting, that I believe emerged in recruiting in the ‘90s as a result of the job boards’ arrivals, was already a problem when we were each placing IT and software professionals; it’s just further exacerbated in InfoSec as Gary, Bill, and so many of you have experienced in this noisy marketplace.
This is unfortunate for the job seekers who get bombarded by LinkedIn requests, emails, and calls about unrelated, mismatched jobs. It wastes their time and leads them no closer to identifying their next opportunity. It’s bad for the hiring organization, who engages several agencies expecting candidates to be properly vetted, but ends up creating more work for themselves by fielding untargeted, sub-par resumes from multiple sources that don’t get them any closer to filling their jobs. It’s a colossal waste of money, time, and energy that companies are expecting to avoid by turning to an external firm in the first place.
Contingency search is an outdated, broken model that needs to be re-examined by both hiring companies and recruiting agencies to determine the true cost of doing business this way for both parties. You can read an article I wrote about the lunacy of contingent search “Would You Work for Free?” here.
On the surface contingency search seems to make sense, most especially for the hiring organization. Give the open position to several agencies and may the best man or woman win. There is perceived little risk to the company, who only pays a fee to the recruiter if their candidate gets hired.
The hiring organization thinks more is better, meaning, they believe they are maximizing coverage of their job and increasing the probability of a successful hire, when in reality, it’s the exact opposite. The more agencies a hiring organization gives the opening to, the less the contingent recruiter works on it because of the inherent risk involved, thus the unskilled, low-cost provider behavior that ensues. The feeding frenzy (or as my security friend Chris Olive calls it, “The Hunger Games of Recruiting”) kicks in as soon as they receive the job order. The risk and cost is too high for most contingent firms to invest the time, energy and resources to conduct a search the way a hiring organization truly needs it to be executed.
While the contingent recruiter is often competing against other agencies that vary widely in skill, process and integrity, they are also competing against their internal recruiters, hiring managers’ networks, employee referrals, company website job posting, and external paid job board postings. This is all in the hopes they will beat the odds that are stacked against them to “earn” their fee and get paid for the quite hard and time consuming work involved with sourcing, engaging attracting, and securing exceptional talent, WHEN it’s done properly.
And the ultimate hope, of course, is that the company will NOT end up not having to pay a fee due to their own sourcing efforts, even though they really appreciate the efforts of the “good” contingent recruiters who actually do due their due diligence and do the job the way it’s meant to be done.
It puts both the “good” and “bad” recruiters in a position of assuming all the risk and working literally for free with companies while demanding that the specialized, experienced and adept recruiters lower their fees to the same below-market fees that the aforementioned under-skilled, under-performing and sometimes unethical recruiters agree to!
Contingency search doesn’t make sense for the highly-skilled, professional, seasoned recruiters who have spent their entire careers building genuine long-term relationships with their clients and candidates making true matches. All recruiters are not created equally, as we have all experienced, and companies have to stop lumping them into the same bucket, expecting to pay the same price across the board for their services. The old adage, you get what you pay for, certainly applies here.
Just because the recruiting industry and hiring organizations have always done things a certain way doesn’t mean that’s the most efficient or effective way to do business, as we have all painfully experienced over the years. A paradigm shift is required for how companies go about securing security talent and how recruiting firms operate in order to remain profitable and relevant, and we at CyberSN are in the process of breaking the rules of our industry in order to fix what’s broken and make job search simpler.
In my next post, I will share how our “Engaged Model” is a no-brainer if you have a critical opening that needs to be filled quickly and efficiently and the budget to pay an external niche recruiter. If you are mentally and physically prepared to pay an agency fee, then engaging one firm who specializes in the area you are hiring for just makes good business sense.
“The real cost of your jobs remaining open” series on the subject of cyber staffing and recruiting challenges is also forthcoming. We will peek behind the curtain to see how companies create their own roadblocks with their current recruiting strategies and how to remove the barriers that are getting in the way of hiring the best security talent. Hint: It is not based on the cyber talent shortage!
