Retaining cybersecurity talent can be difficult. Along with our previous tips, how can you attract great workers?  

Difficulties and Positive Changes 

 The recent ISACA State of Cybersecurity 2022 survey provides some key markers:

  • Unfilled positions are on the rise (not good)
  • Existing teams are understaffed (not good)
  • Budgets are (finally) increasing (good)
  • University degree mandates for entry-level jobs are dropping (good).

 Let’s focus on the last point about loosening requirements. This is a positive development for a few reasons. We noted before that the ‘checkbox’ exercise is a unicorn search. Hiring managers: move on. Recruiting departments: loosen the rules. When the workforce gap is in the millions, there are no ‘pick and choose’ privileges. You may be passing on some great talent.

It’s a ‘New’ Discipline With Growth Potential

Cybersecurity, as a discipline, is a relatively new field. It started between 10 and 20 years ago depending on where you define the starting point. (Some will say “information security” started much longer ago than that, and they have a case.) Artificial intelligence, alert monitoring and response orchestration, just to name a few, are relatively new fields. Cloud computing solutions are still in demand and 5G/edge computing solutions are running up behind at high speed (pun intended).

What does all this mean?

It means business growth and talent growth potential. Most candidates under review likely do not have all the skills or credentials listed. Instead, they have the desire to learn, are adaptable and are comfortable with discomfort. In other words, skip on the unicorn search and instead ask the candidate:

  • Do they have soft skills?
  • Do they have business acumen?
  • Do they have the desire to learn?
  • Do they have transferable skills?
  • Do they have technical proficiency or signs they can pick it up easily?
  • Are they adaptable?
  • Are they okay with a little bit of chaos as they pick up the skills?

Hiring staff and recruiters, give yourself a reality check in all of this, too. Are you looking for something that does not really exist? Roles can take six months to fill. In a hot job market, get comfortable with gray-zone requirements.

Culture and the Bait and Switch

Candidates have a lot of open-source information today (news and industry feeds, expert and job blogs, forums and social media). They’ll do homework on the workplace. Regardless of what existing employees say, if open-source chatter is saying otherwise, well, “Security operations center, we have a problem.”

Here are some issues to consider.

If a culture of cybersecurity, or security in general, does not exist, potential candidates may pass. The job may appear great, but if they sense they are walking into a kill box with no cover fire, you may get ghosted.

That’s just one more reason why the chief information security officer must be multi-talented and drive culture and programmatic change. C-Suite support, of course, always helps. It’s much easier to draw in talent when candidates feel like they have cover fire from way on up. 

Next is the bait and switch issue. Be honest about what the job entails, what the tasks are and what the career path looks like. Be upfront about any potential chaos. If you are honest, the candidate may be up to the challenge. But if the candidate accepts and finds expectations are completely out of whack with reality, you may be issuing a requisition sooner than you think. It’s a breach of trust that is hard to come back from. Such honesty also has the added bonus of increasing the odds of retention and maintaining institutional knowledge, something that really can be valuable. 

In closing, expectations have changed. In a job seeker’s market, those hiring will be forced to adapt. Have an open mind, be creative and be honest. You never know. Instead of seeking a unicorn, you may stumble on one in places you didn’t expect.

More from CISO

Bridging the 3.4 Million Workforce Gap in Cybersecurity

As new cybersecurity threats continue to loom, the industry is running short of workers to face them. The 2022 (ISC)2 Cybersecurity Workforce Study identified a 3.4 million worldwide cybersecurity worker gap; the total existing workforce is estimated at 4.7 million. Yet despite adding workers this past year, that gap continued to widen.Nearly 12,000 participants in that study felt that additional staff would have a hugely positive impact on their ability to perform their duties. More hires would boost proper risk…

CEO, CIO or CFO: Who Should Your CISO Report To?

As we move deeper into a digitally dependent future, the growing concern of data breaches and other cyber threats has led to the rise of the Chief Information Security Officer (CISO). This position is essential in almost every company that relies on digital information. They are responsible for developing and implementing strategies to harden the organization's defenses against cyberattacks. However, while many organizations don't question the value of a CISO, there should be more debate over who this important role…

Everyone Wants to Build a Cyber Range: Should You?

In the last few years, IBM X-Force has seen an unprecedented increase in requests to build cyber ranges. By cyber ranges, we mean facilities or online spaces that enable team training and exercises of cyberattack responses. Companies understand the need to drill their plans based on real-world conditions and using real tools, attacks and procedures. What’s driving this increased demand? The increase in remote and hybrid work models emerging from the COVID-19 pandemic has elevated the priority to collaborate and…

Why Quantum Computing Capabilities Are Creating Security Vulnerabilities Today

Quantum computing capabilities are already impacting your organization. While data encryption and operational disruption have long troubled Chief Information Security Officers (CISOs), the threat posed by emerging quantum computing capabilities is far more profound and immediate. Indeed, quantum computing poses an existential risk to the classical encryption protocols that enable virtually all digital transactions. Over the next several years, widespread data encryption mechanisms, such as public-key cryptography (PKC), could become vulnerable. Any classically encrypted communication could be wiretapped and is…