NEWS + ADVICE
Hiring Against All Odds in the Cyber Security Workforce
Recruiting successful hires can be challenging in any industry, but it’s especially taxing when there’s a shortage of candidates to consider. The pipeline for cyber security talent falls in this predicament. Employers understand cyber security is critical and the stakes to secure and defend are high. Thus the demand is ever increasing, but the supply leaves us wanting.
The current state of the market makes it not only difficult to hire cyber talent, but also costly for employers. Shortcomings in the supply needed to fill cyber security roles have far reaching implications for us all. This merits the need for a deeper understanding of the workforce and a plan to help build the next generation of cyber professionals.
Challenges of the Landscape
If you’ve spent any time recruiting in this field, you’ve likely experienced the difficulties associated with the notorious cyber security talent shortage firsthand. But why does it take so long to fill cyber positions? Why isn’t there enough talent? Burning Glass Technologies’ recent report* on the state of cyber security hiring offers answers to these questions and quantifies the shortage you face.
Through six years of data tracking and examination, Burning Glass Technologies found, “for each cyber security opening, there was a pool of only 2.3 employed cyber security workers for employers to recruit.” In comparison, “there are 5.8 employed workers per job opening across the economy in general.”
Luckily cyber security higher education programs have increased in recent years. However, the influx of graduates has not been able to catch up with the increases in job openings, as the report* notes that cyber job postings have “grown 94% since 2013.” To put this in perspective, cyber security job postings have increased more than three times faster than all IT positions—and they take longer to fill.
Until we unclog the talent pipeline, employers will have to pay the high price tags that come with a scarce resource. And with inflated cyber security salaries, smaller companies have a disadvantage in the fight for talent, as “Burning Glass’ analysis of posted salary data shows that Fortune 500 companies can—and do—pay more than small- and medium-sized businesses.” The smaller companies that can’t win the bidding wars for talent find themselves exposed to the risk of cyber attacks.
With a shortage of people to hire, some companies have turned to automation for tasks that are repetitive in nature. However, this isn’t the sole solution we can rely on to address the problem. In fact, the increased cost associated with automation compared to time saved is often a wash. The bottom line is, we need skilled people. But how can we train people fast enough to keep up with the demand of the market?
A Clog in the Pipeline
Part of the issue we face is the demand itself—for experience and a long list of required skills and certifications. We want to hire people that have done the job. People with a proven track record, that we can drop in the role and say go. While we have people graduating from cyber programs, we don’t have many places for them to go. And in order for them to get the experience that we all demand, they first need to get a job that provides opportunity to grow their skills and become great core cyber professionals.
In essence, we’re clogging the pipeline with our expectations. We need to be willing to help cultivate talent on the job if we want to expand the pool we’re recruiting from. At minimum, employers need to re-examine their job postings. What skills are needs versus wants? Does the role in question need to require a CISSP certification? Data on CyberSeek.org shows that there are 77,492 job openings requesting CISSP certification and only 75,983 people that actually hold that certification. If it’s not a necessary requirement, consider removing it from your job postings.
Will Markow, Manager of Client Strategy and Analytics at Burning Glass Technologies says, “if you are asking for the proverbial purple squirrel, somebody with a CISSP, 10 years of cyber security experience, automation related skills, and everything else in the kitchen sink thrown into the job description, then you’re never going to find that no matter how hard you recruit.” You need to build your job postings while keeping in mind the people that actually exist. This can help us unclog the pipeline, but how can we further widen the pool?
Building vs Buying Talent
While cyber security is a specialty, IT roles are more closely aligned than you might imagine. In many cases IT jobs include cyber security functions or tasks. While these types of IT positions are not core cyber jobs, they are cyber-enabled. And “these ‘cyber-enabled’ jobs form the majority (56%) of all cyber security-related openings.” Thus if we expand our mindset to include these cyber-enabled workers, we stand to greatly increase our talent pool. Of course, they will need more skills and training to be able to move into core cyber functions, but you can provide incentives and training to get them over that hurdle.
If we commit to on-the-job learning and create more introductory roles for IT professionals and entry-level cyber security job seekers, we can shape the next generation of cyber security practitioners. There’s not enough trained talent to simply buy with competitive salaries. We need to work alongside training providers to close the skills gap and take part in creating the workforce we demand.
If you have cyber-enabled professionals in your workplace, consider transitioning them into the core cyber roles you need to fill. Motivate them to obtain the training and skillset the need to be able to move into those jobs. You can provide benefits like tuition reimbursement or flex time to encourage their continued learning. Not only will it help their career advance, but it will also help you gain the workforce you need that money can’t always buy.
As you set out to tackle recruiting in the cyber security community, remember to create your job descriptions wisely. Remove requirements for experience, skills, and certifications that are not true necessities. And build talent rather than buying it, by training your employees and helping them build the skills they need to advance into those harder to fill roles. By providing such opportunities, employers stand to build the workforce they require.