June 28, 2018 By Joan Goodchild

Jeff Combs, a cybersecurity recruiter and career coach, likes to joke that thanks to the security skills gap, he’s an overnight sensation — it only took about 15 years. Combs began assisting firms with their search for security professionals in the late 1990s, a time when the industry was still fairly new, and no one had ever uttered the phrase “skills gap.”

Now, it’s a challenge to keep pace with the demand for the cybersecurity professionals he recruits and places in jobs. In just over a decade, the security industry has grown significantly, and the need for skilled professionals who understand and have experience in cybersecurity has exploded along with it.

How to Creatively Close the Information Security Skills Gap

Hiring managers have lamented this so-called skills gap for the past several years, claiming that finding the right fit for their security team has become extremely difficult as the number of open positions is far greater than the number of people seeking — and qualified for — security jobs. With a serious dearth of skilled security professionals available to hire, some organizations are getting creative in their search. Here are four tips from two recruiters who face this challenge every day.

1. Have a Good Story to Tell Applicants

“I don’t think there’s a silver bullet,” Combs said. “It requires a systematic approach. The odds of getting an interview are high, but many organizations don’t know what they are looking for. So, if you are trying to attract candidates, it’s important to present an opportunity in a way that’s meaningful. Have a compelling opportunity that provides professional growth, and that is competitive in compensation.”

This approach means organizations need to get creative with the story they tell about their vision and mission, Combs said. With so many choices, security professionals are looking for more than a paycheck, he stressed.

“Those who have a story around what they are doing and why — and who it affects — are going to have a much better time retaining talent than someone who doesn’t,” Combs said.

And don’t wait until applicants have come knocking at your door looking for work. At SecurityScorecard, a provider of risk management software, spreading a message about its work culture and mission is part of a concerted social media campaign, said Shannon Barnett, the company’s director of talent acquisition.

“We’re using a lot of great initiatives here for hiring. Social media, for example, is one of the main things we are using now to attract talent. We’re letting people know what we are doing and why they would want to come work here,” Barnett said.

2. Solve the Skills Gap From Within

Some companies faced with a lack of experienced, skilled professionals are hiring from within, said Combs. While the employees they tap may not be as experienced in security as they’d initially hoped when seeking to fill the role, being flexible has other advantages.

“If you can convert someone that is already part of your company and bring them on to security, you’re not only giving someone an opportunity for professional growth, you’re also leveraging institutional knowledge,” Combs explained. “It develops loyalty and an esprit de corps. It shows you are willing to invest in people and take a more methodical approach to developing talent.”

3. Create Your Own Professional Development Program

At SecurityScorecard, hiring for security positions doesn’t start with the role in mind, but rather the person. Do they have the aptitude to grow into a security-focused role and learn the tools necessary for security success? Barnett believes that’s where the hiring journey begins. After that, developing talent for security roles is part of the employment experience.

“The concept of hiring for potential is not new to me,” said Barnett, who has used similar initiatives in previous talent acquisition roles. “We’re creating an organization that people want to come work for, regardless of what they do. In our hiring process, the question is: How can we attract and interview people who don’t have a security background but have tremendous potential?”

4. Revise Your Interview Process

In a competitive market for skilled candidates, Combs suggested it doesn’t hurt to take a dose of reality when it comes to your expectations for hiring. Begin by taking a hard look at your interview process.

“Most organizations have an interview process that is too long, with a lot of redundancy, and it’s low-touch,” Combs said. “They rely so much on technology for applications, but you can’t do that in security. It’s too sterile. If you want to be successful, then you need recruitment with real people who move quickly to communicate.”

Combs suggests testing your interview process so you know what the process is like as an outsider. The timeline should be a consideration, too. Investing time in finding the right person is OK, but it should be reasonable, Combs said.

“As long as you drag your feet, the candidate is going to have other options and ultimately may choose to go elsewhere. And in this market, they can,” Combs said.

Read the complete IBM report: Addressing the Skills Gap with a New Collar Approach
