Jeff Combs, a cybersecurity recruiter and career coach, likes to joke that thanks to the security skills gap, he’s an overnight sensation — it only took about 15 years. Combs began assisting firms with their search for security professionals in the late 1990s, a time when the industry was still fairly new, and no one had ever uttered the phrase “skills gap.”

Now, it’s a challenge to keep pace with the demand for the cybersecurity professionals he recruits and places in jobs. In just over a decade, the security industry has grown significantly, and the need for skilled professionals who understand and have experience in cybersecurity has exploded along with it.

How to Creatively Close the Information Security Skills Gap

Hiring managers have lamented this so-called skills gap for the past several years, claiming that finding the right fit for their security team has become extremely difficult as the number of open positions is far greater than the number of people seeking — and qualified for — security jobs. With a serious dearth of skilled security professionals available to hire, some organizations are getting creative in their search. Here are four tips from two recruiters who face this challenge every day.

1. Have a Good Story to Tell Applicants

“I don’t think there’s a silver bullet,” Combs said. “It requires a systematic approach. The odds of getting an interview are high, but many organizations don’t know what they are looking for. So, if you are trying to attract candidates, it’s important to present an opportunity in a way that’s meaningful. Have a compelling opportunity that provides professional growth, and that is competitive in compensation.”

This approach means organizations need to get creative with the story they tell about their vision and mission, Combs said. With so many choices, security professionals are looking for more than a paycheck, he stressed.

“Those who have a story around what they are doing and why — and who it affects — are going to have a much better time retaining talent than someone who doesn’t,” Combs said.

And don’t wait until applicants have come knocking at your door looking for work. At SecurityScorecard, a provider of risk management software, spreading a message about its work culture and mission is part of a concerted social media campaign, said Shannon Barnett, the company’s director of talent acquisition.

“We’re using a lot of great initiatives here for hiring. Social media, for example, is one of the main things we are using now to attract talent. We’re letting people know what we are doing and why they would want to come work here,” Barnett said.

2. Solve the Skills Gap From Within

Some companies faced with a lack of experienced, skilled professionals are hiring from within, said Combs. While the employees they tap may not be as experienced in security as they’d initially hoped when seeking to fill the role, being flexible has other advantages.

“If you can convert someone that is already part of your company and bring them on to security, you’re not only giving someone an opportunity for professional growth, you’re also leveraging institutional knowledge,” Combs explained. “It develops loyalty and an esprit de corps. It shows you are willing to invest in people and take a more methodical approach to developing talent.”

3. Create Your Own Professional Development Program

At SecurityScorecard, hiring for security positions doesn’t start with the role in mind, but rather the person. Do they have the aptitude to grow into a security-focused role and learn the tools necessary for security success? Barnett believes that’s where the hiring journey begins. After that, developing talent for security roles is part of the employment experience.

“The concept of hiring for potential is not new to me,” said Barnett, who has used similar initiatives in previous talent acquisition roles. “We’re creating an organization that people want to come work for, regardless of what they do. In our hiring process, the question is: How can we attract and interview people who don’t have a security background but have tremendous potential?”

4. Revise Your Interview Process

In a competitive market for skilled candidates, Combs suggested it doesn’t hurt to take a dose of reality when it comes to your expectations for hiring. Begin by taking a hard look at your interview process.

“Most organizations have an interview process that is too long, with a lot of redundancy, and it’s low-touch,” Combs said. “They rely so much on technology for applications, but you can’t do that in security. It’s too sterile. If you want to be successful, then you need recruitment with real people who move quickly to communicate.”

Combs suggests testing your interview process so you know what the process is like as an outsider. The timeline should be a consideration, too. Investing time in finding the right person is OK, but it should be reasonable, Combs said.

“As long as you drag your feet, the candidate is going to have other options and ultimately may choose to go elsewhere. And in this market, they can,” Combs said.

Read the complete IBM report: Addressing the Skills Gap with a New Collar Approach
