Retaining cybersecurity talent can be difficult. Along with our previous tips, how can you attract great workers?  

Difficulties and Positive Changes 

 The recent ISACA State of Cybersecurity 2022 survey provides some key markers:

  • Unfilled positions are on the rise (not good)
  • Existing teams are understaffed (not good)
  • Budgets are (finally) increasing (good)
  • University degree mandates for entry-level jobs are dropping (good).

 Let’s focus on the last point about loosening requirements. This is a positive development for a few reasons. We noted before that the ‘checkbox’ exercise is a unicorn search. Hiring managers: move on. Recruiting departments: loosen the rules. When the workforce gap is in the millions, there are no ‘pick and choose’ privileges. You may be passing on some great talent.

It’s a ‘New’ Discipline With Growth Potential

Cybersecurity, as a discipline, is a relatively new field. It started between 10 and 20 years ago depending on where you define the starting point. (Some will say “information security” started much longer ago than that, and they have a case.) Artificial intelligence, alert monitoring and response orchestration, just to name a few, are relatively new fields. Cloud computing solutions are still in demand and 5G/edge computing solutions are running up behind at high speed (pun intended).

What does all this mean?

It means business growth and talent growth potential. Most candidates under review likely do not have all the skills or credentials listed. Instead, they have the desire to learn, are adaptable and are comfortable with discomfort. In other words, skip on the unicorn search and instead ask the candidate:

  • Do they have soft skills?
  • Do they have business acumen?
  • Do they have the desire to learn?
  • Do they have transferable skills?
  • Do they have technical proficiency or signs they can pick it up easily?
  • Are they adaptable?
  • Are they okay with a little bit of chaos as they pick up the skills?

Hiring staff and recruiters, give yourself a reality check in all of this, too. Are you looking for something that does not really exist? Roles can take six months to fill. In a hot job market, get comfortable with gray-zone requirements.

Culture and the Bait and Switch

Candidates have a lot of open-source information today (news and industry feeds, expert and job blogs, forums and social media). They’ll do homework on the workplace. Regardless of what existing employees say, if open-source chatter is saying otherwise, well, “Security operations center, we have a problem.”

Here are some issues to consider.

If a culture of cybersecurity, or security in general, does not exist, potential candidates may pass. The job may appear great, but if they sense they are walking into a kill box with no cover fire, you may get ghosted.

That’s just one more reason why the chief information security officer must be multi-talented and drive culture and programmatic change. C-Suite support, of course, always helps. It’s much easier to draw in talent when candidates feel like they have cover fire from way on up. 

Next is the bait and switch issue. Be honest about what the job entails, what the tasks are and what the career path looks like. Be upfront about any potential chaos. If you are honest, the candidate may be up to the challenge. But if the candidate accepts and finds expectations are completely out of whack with reality, you may be issuing a requisition sooner than you think. It’s a breach of trust that is hard to come back from. Such honesty also has the added bonus of increasing the odds of retention and maintaining institutional knowledge, something that really can be valuable. 

In closing, expectations have changed. In a job seeker’s market, those hiring will be forced to adapt. Have an open mind, be creative and be honest. You never know. Instead of seeking a unicorn, you may stumble on one in places you didn’t expect.

More from CISO

Empowering cybersecurity leadership: Strategies for effective Board engagement

4 min read - With the increased regulation surrounding cyberattacks, more and more executives are seeing these attacks for what they are - serious threats to business operations, profitability and business survivability. But what about the Board of Directors? Are they getting all the information they need? Are they aware of your organization’s cybersecurity initiatives? Do they understand why those initiatives matter? Maybe not. According to Harvard Business Review, only 47% of board members regularly engage with their CISO. There appears to be a…

The evolution of 20 years of cybersecurity awareness

3 min read - Since 2004, the White House and Congress have designated October National Cybersecurity Awareness Month. This year marks the 20th anniversary of this effort to raise awareness about the importance of cybersecurity and online safety. How have cybersecurity and malware evolved over the last two decades? What types of threat management tools surfaced and when? The Cybersecurity Awareness Month themes over the years give us a clue. 2004 - 2009: Inaugural year and beyond This early period emphasized general cybersecurity hygiene,…

C-suite weighs in on generative AI and security

3 min read - Generative AI (GenAI) is poised to deliver significant benefits to enterprises and their ability to readily respond to and effectively defend against cyber threats. But AI that is not itself secured may introduce a whole new set of threats to businesses. Today IBM’s Institute for Business Value published “The CEO's guide to generative AI: Cybersecurity," part of a larger series providing guidance for senior leaders planning to adopt generative AI models and tools. The materials highlight key considerations for CEOs…

Bringing threat intelligence and adversary insights to the forefront: X-Force Research Hub

3 min read - Today defenders are dealing with both a threat landscape that’s constantly changing and attacks that have stood the test of time. Innovation and best practices co-exist in the criminal world, and one mustn’t distract us from the other. IBM X-Force is continuously observing new attack vectors and novel malware in the wild, as adversaries seek to evade detection innovations. But we also know that tried and true tactics — from phishing and exploiting known vulnerabilities to using compromised credentials and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today