Jeff Combs, a cybersecurity recruiter and career coach, likes to joke that thanks to the security skills gap, he’s an overnight sensation — it only took about 15 years. Combs began assisting firms with their search for security professionals in the late 1990s, a time when the industry was still fairly new, and no one had ever uttered the phrase “skills gap.”
Now, it’s a challenge to keep pace with the demand for the cybersecurity professionals he recruits and places in jobs. In just over a decade, the security industry has grown significantly, and the need for skilled professionals who understand and have experience in cybersecurity has exploded along with it.
How to Creatively Close the Information Security Skills Gap
Hiring managers have lamented this so-called skills gap for the past several years, claiming that finding the right fit for their security team has become extremely difficult as the number of open positions is far greater than the number of people seeking — and qualified for — security jobs. With a serious dearth of skilled security professionals available to hire, some organizations are getting creative in their search. Here are four tips from two recruiters who face this challenge every day.
1. Have a Good Story to Tell Applicants
“I don’t think there’s a silver bullet,” Combs said. “It requires a systematic approach. The odds of getting an interview are high, but many organizations don’t know what they are looking for. So, if you are trying to attract candidates, it’s important to present an opportunity in a way that’s meaningful. Have a compelling opportunity that provides professional growth, and that is competitive in compensation.”
This approach means organizations need to get creative with the story they tell about their vision and mission, Combs said. With so many choices, security professionals are looking for more than a paycheck, he stressed.
“Those who have a story around what they are doing and why — and who it affects — are going to have a much better time retaining talent than someone who doesn’t,” Combs said.
And don’t wait until applicants have come knocking at your door looking for work. At SecurityScorecard, a provider of risk management software, spreading a message about its work culture and mission is part of a concerted social media campaign, said Shannon Barnett, the company’s director of talent acquisition.
“We’re using a lot of great initiatives here for hiring. Social media, for example, is one of the main things we are using now to attract talent. We’re letting people know what we are doing and why they would want to come work here,” Barnett said.
2. Solve the Skills Gap From Within
Some companies faced with a lack of experienced, skilled professionals are hiring from within, said Combs. While the employees they tap may not be as experienced in security as they’d initially hoped when seeking to fill the role, being flexible has other advantages.
“If you can convert someone that is already part of your company and bring them on to security, you’re not only giving someone an opportunity for professional growth, you’re also leveraging institutional knowledge,” Combs explained. “It develops loyalty and an esprit de corps. It shows you are willing to invest in people and take a more methodical approach to developing talent.”
3. Create Your Own Professional Development Program
At SecurityScorecard, hiring for security positions doesn’t start with the role in mind, but rather the person. Do they have the aptitude to grow into a security-focused role and learn the tools necessary for security success? Barnett believes that’s where the hiring journey begins. After that, developing talent for security roles is part of the employment experience.
“The concept of hiring for potential is not new to me,” said Barnett, who has used similar initiatives in previous talent acquisition roles. “We’re creating an organization that people want to come work for, regardless of what they do. In our hiring process, the question is: How can we attract and interview people who don’t have a security background but have tremendous potential?”
4. Revise Your Interview Process
In a competitive market for skilled candidates, Combs suggested it doesn’t hurt to take a dose of reality when it comes to your expectations for hiring. Begin by taking a hard look at your interview process.
“Most organizations have an interview process that is too long, with a lot of redundancy, and it’s low-touch,” Combs said. “They rely so much on technology for applications, but you can’t do that in security. It’s too sterile. If you want to be successful, then you need recruitment with real people who move quickly to communicate.”
Combs suggests testing your interview process so you know what the process is like as an outsider. The timeline should be a consideration, too. Investing time in finding the right person is OK, but it should be reasonable, Combs said.
“As long as you drag your feet, the candidate is going to have other options and ultimately may choose to go elsewhere. And in this market, they can,” Combs said.