Retaining cybersecurity talent can be difficult. Along with our previous tips, how can you attract great workers?

Difficulties and positive changes

The recent ISACA State of Cybersecurity 2022 survey provides some key markers:

  • Unfilled positions are on the rise (not good)
  • Existing teams are understaffed (not good)
  • Budgets are (finally) increasing (good)
  • University degree mandates for entry-level jobs are dropping (good).

Let’s focus on the last point about loosening requirements. This is a positive development for a few reasons. We noted before that the ‘checkbox’ exercise is a unicorn search. Hiring managers: move on. Recruiting departments: loosen the rules. When the workforce gap is in the millions, there are no ‘pick and choose’ privileges. You may be passing on some great talent.

It’s a ‘new’ discipline with growth potential

Cybersecurity, as a discipline, is a relatively new field. It started between 10 and 20 years ago depending on where you define the starting point. (Some will say “information security” started much longer ago than that, and they have a case.) Artificial intelligence, alert monitoring and response orchestration, just to name a few, are relatively new fields. Cloud computing solutions are still in demand and 5G/edge computing solutions are running up behind at high speed (pun intended).

What does all this mean?

It means business growth and talent growth potential. Most candidates under review likely do not have all the skills or credentials listed. Instead, they have the desire to learn, are adaptable and are comfortable with discomfort. In other words, skip on the unicorn search and instead ask the candidate:

  • Do they have soft skills?
  • Do they have business acumen?
  • Do they have the desire to learn?
  • Do they have transferable skills?
  • Do they have technical proficiency or signs they can pick it up easily?
  • Are they adaptable?
  • Are they okay with a little bit of chaos as they pick up the skills?

Hiring staff and recruiters, give yourself a reality check in all of this, too. Are you looking for something that does not really exist? Roles can take six months to fill. In a hot job market, get comfortable with gray-zone requirements.

Culture and the bait and switch

Candidates have a lot of open-source information today (news and industry feeds, expert and job blogs, forums and social media). They’ll do homework on the workplace. Regardless of what existing employees say, if open-source chatter is saying otherwise, well, “Security operations center, we have a problem.”

Here are some issues to consider.

If a culture of cybersecurity, or security in general, does not exist, potential candidates may pass. The job may appear great, but if they sense they are walking into a kill box with no cover fire, you may get ghosted.

That’s just one more reason why the chief information security officer must be multi-talented and drive culture and programmatic change. C-Suite support, of course, always helps. It’s much easier to draw in talent when candidates feel like they have cover fire from way on up.

Next is the bait and switch issue. Be honest about what the job entails, what the tasks are and what the career path looks like. Be upfront about any potential chaos. If you are honest, the candidate may be up to the challenge. But if the candidate accepts and finds expectations are completely out of whack with reality, you may be issuing a requisition sooner than you think. It’s a breach of trust that is hard to come back from. Such honesty also has the added bonus of increasing the odds of retention and maintaining institutional knowledge, something that really can be valuable.

In closing, expectations have changed. In a job seeker’s market, those hiring will be forced to adapt. Have an open mind, be creative and be honest. You never know. Instead of seeking a unicorn, you may stumble on one in places you didn’t expect.

More from Risk Management

2024 roundup: Top data breach stories and industry trends

3 min read - With 2025 on the horizon, it’s important to reflect on the developments and various setbacks that happened in cybersecurity this past year. While there have been many improvements in security technologies and growing awareness of emerging cybersecurity threats, 2024 was also a hard reminder that the ongoing fight against cyber criminals is far from over.We've summarized this past year's top five data breach stories and industry trends, with key takeaways from each that organizations should note going into the following…

Black Friday chaos: The return of Gozi malware

4 min read - On November 29th, 2024, Black Friday, shoppers flooded online stores to grab the best deals of the year. But while consumers were busy filling their carts, cyber criminals were also seizing the opportunity to exploit the shopping frenzy. Our system detected a significant surge in Gozi malware activity, targeting financial institutions across North America. The Black Friday connection Black Friday creates an ideal environment for cyber criminals to thrive. The combination of skyrocketing transaction volumes, a surge in online activity…

How TikTok is reframing cybersecurity efforts

4 min read - You might think of TikTok as the place to go to find out new recipes and laugh at silly videos. And as a cybersecurity professional, TikTok’s potential data security issues are also likely to come to mind. However, in recent years, TikTok has worked to promote cybersecurity through its channels and programs. To highlight its efforts, TikTok celebrated Cybersecurity Month by promoting its cybersecurity focus and sharing cybersecurity TikTok creators.Global Bug Bounty program with HackerOneDuring Cybersecurity Month, the social media…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today