Retaining cybersecurity talent can be difficult. Along with our previous tips, how can you attract great workers?

Difficulties and positive changes

The recent ISACA State of Cybersecurity 2022 survey provides some key markers:

  • Unfilled positions are on the rise (not good)
  • Existing teams are understaffed (not good)
  • Budgets are (finally) increasing (good)
  • University degree mandates for entry-level jobs are dropping (good).

Let’s focus on the last point about loosening requirements. This is a positive development for a few reasons. We noted before that the ‘checkbox’ exercise is a unicorn search. Hiring managers: move on. Recruiting departments: loosen the rules. When the workforce gap is in the millions, there are no ‘pick and choose’ privileges. You may be passing on some great talent.

It’s a ‘new’ discipline with growth potential

Cybersecurity, as a discipline, is a relatively new field. It started between 10 and 20 years ago depending on where you define the starting point. (Some will say “information security” started much longer ago than that, and they have a case.) Artificial intelligence, alert monitoring and response orchestration, just to name a few, are relatively new fields. Cloud computing solutions are still in demand and 5G/edge computing solutions are running up behind at high speed (pun intended).

What does all this mean?

It means business growth and talent growth potential. Most candidates under review likely do not have all the skills or credentials listed. Instead, they have the desire to learn, are adaptable and are comfortable with discomfort. In other words, skip on the unicorn search and instead ask the candidate:

  • Do they have soft skills?
  • Do they have business acumen?
  • Do they have the desire to learn?
  • Do they have transferable skills?
  • Do they have technical proficiency or signs they can pick it up easily?
  • Are they adaptable?
  • Are they okay with a little bit of chaos as they pick up the skills?

Hiring staff and recruiters, give yourself a reality check in all of this, too. Are you looking for something that does not really exist? Roles can take six months to fill. In a hot job market, get comfortable with gray-zone requirements.

Culture and the bait and switch

Candidates have a lot of open-source information today (news and industry feeds, expert and job blogs, forums and social media). They’ll do homework on the workplace. Regardless of what existing employees say, if open-source chatter is saying otherwise, well, “Security operations center, we have a problem.”

Here are some issues to consider.

If a culture of cybersecurity, or security in general, does not exist, potential candidates may pass. The job may appear great, but if they sense they are walking into a kill box with no cover fire, you may get ghosted.

That’s just one more reason why the chief information security officer must be multi-talented and drive culture and programmatic change. C-Suite support, of course, always helps. It’s much easier to draw in talent when candidates feel like they have cover fire from way on up.

Next is the bait and switch issue. Be honest about what the job entails, what the tasks are and what the career path looks like. Be upfront about any potential chaos. If you are honest, the candidate may be up to the challenge. But if the candidate accepts and finds expectations are completely out of whack with reality, you may be issuing a requisition sooner than you think. It’s a breach of trust that is hard to come back from. Such honesty also has the added bonus of increasing the odds of retention and maintaining institutional knowledge, something that really can be valuable.

In closing, expectations have changed. In a job seeker’s market, those hiring will be forced to adapt. Have an open mind, be creative and be honest. You never know. Instead of seeking a unicorn, you may stumble on one in places you didn’t expect.

More from Risk Management

What’s behind unchecked CVE proliferation, and what to do about it

4 min read - The volume of Common Vulnerabilities and Exposures (CVEs) has reached staggering levels, placing immense pressure on organizations' cyber defenses. According to SecurityScorecard, there were 29,000 vulnerabilities recorded in 2023, and by mid-2024, nearly 27,500 had already been identified.Meanwhile, Coalition's 2024 Cyber Threat Index forecasts that the total number of CVEs for 2024 will hit 34,888—a 25% increase compared to the previous year. This upward trend presents a significant challenge for organizations trying to manage vulnerabilities and mitigate potential exploits.What’s behind…

Addressing growing concerns about cybersecurity in manufacturing

4 min read - Manufacturing has become increasingly reliant on modern technology, including industrial control systems (ICS), Internet of Things (IoT) devices and operational technology (OT). While these innovations boost productivity and streamline operations, they’ve vastly expanded the cyberattack surface.According to the 2024 IBM Cost of a Data Breach report, the average total cost of a data breach in the industrial sector was $5.56 million. This reflects an 18% increase for the sector compared to 2023.Apparently, the data being stored in industrial control systems is…

Cybersecurity Awareness Month: Horror stories

4 min read - When it comes to cybersecurity, the question is when, not if, an organization will suffer a cyber incident. Even the most sophisticated security tools can’t withstand the biggest threat: human behavior.October is Cybersecurity Awareness Month, the time of year when we celebrate all things scary. So it seemed appropriate to ask cybersecurity professionals to share some of their most memorable and haunting cyber incidents. (Names and companies are anonymous to avoid any negative impact. Suffering a cyber incident is bad…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today