June 28, 2018 By Joan Goodchild

Jeff Combs, a cybersecurity recruiter and career coach, likes to joke that thanks to the security skills gap, he’s an overnight sensation — it only took about 15 years. Combs began assisting firms with their search for security professionals in the late 1990s, a time when the industry was still fairly new, and no one had ever uttered the phrase “skills gap.”

Now, it’s a challenge to keep pace with the demand for the cybersecurity professionals he recruits and places in jobs. In just over a decade, the security industry has grown significantly, and the need for skilled professionals who understand and have experience in cybersecurity has exploded along with it.

How to Creatively Close the Information Security Skills Gap

Hiring managers have lamented this so-called skills gap for the past several years, claiming that finding the right fit for their security team has become extremely difficult as the number of open positions is far greater than the number of people seeking — and qualified for — security jobs. With a serious dearth of skilled security professionals available to hire, some organizations are getting creative in their search. Here are four tips from two recruiters who face this challenge every day.

1. Have a Good Story to Tell Applicants

“I don’t think there’s a silver bullet,” Combs said. “It requires a systematic approach. The odds of getting an interview are high, but many organizations don’t know what they are looking for. So, if you are trying to attract candidates, it’s important to present an opportunity in a way that’s meaningful. Have a compelling opportunity that provides professional growth, and that is competitive in compensation.”

This approach means organizations need to get creative with the story they tell about their vision and mission, Combs said. With so many choices, security professionals are looking for more than a paycheck, he stressed.

“Those who have a story around what they are doing and why — and who it affects — are going to have a much better time retaining talent than someone who doesn’t,” Combs said.

And don’t wait until applicants have come knocking at your door looking for work. At SecurityScorecard, a provider of risk management software, spreading a message about its work culture and mission is part of a concerted social media campaign, said Shannon Barnett, the company’s director of talent acquisition.

“We’re using a lot of great initiatives here for hiring. Social media, for example, is one of the main things we are using now to attract talent. We’re letting people know what we are doing and why they would want to come work here,” Barnett said.

2. Solve the Skills Gap From Within

Some companies faced with a lack of experienced, skilled professionals are hiring from within, said Combs. While the employees they tap may not be as experienced in security as they’d initially hoped when seeking to fill the role, being flexible has other advantages.

“If you can convert someone that is already part of your company and bring them on to security, you’re not only giving someone an opportunity for professional growth, you’re also leveraging institutional knowledge,” Combs explained. “It develops loyalty and an esprit de corps. It shows you are willing to invest in people and take a more methodical approach to developing talent.”

3. Create Your Own Professional Development Program

At SecurityScorecard, hiring for security positions doesn’t start with the role in mind, but rather the person. Do they have the aptitude to grow into a security-focused role and learn the tools necessary for security success? Barnett believes that’s where the hiring journey begins. After that, developing talent for security roles is part of the employment experience.

“The concept of hiring for potential is not new to me,” said Barnett, who has used similar initiatives in previous talent acquisition roles. “We’re creating an organization that people want to come work for, regardless of what they do. In our hiring process, the question is: How can we attract and interview people who don’t have a security background but have tremendous potential?”

4. Revise Your Interview Process

In a competitive market for skilled candidates, Combs suggested it doesn’t hurt to take a dose of reality when it comes to your expectations for hiring. Begin by taking a hard look at your interview process.

“Most organizations have an interview process that is too long, with a lot of redundancy, and it’s low-touch,” Combs said. “They rely so much on technology for applications, but you can’t do that in security. It’s too sterile. If you want to be successful, then you need recruitment with real people who move quickly to communicate.”

Combs suggests testing your interview process so you know what the process is like as an outsider. The timeline should be a consideration, too. Investing time in finding the right person is OK, but it should be reasonable, Combs said.

“As long as you drag your feet, the candidate is going to have other options and ultimately may choose to go elsewhere. And in this market, they can,” Combs said.

Read the complete IBM report: Addressing the Skills Gap with a New Collar Approach
