Retaining cybersecurity talent can be difficult. Along with our previous tips, how can you attract great workers?

Difficulties and positive changes

The recent ISACA State of Cybersecurity 2022 survey provides some key markers:

  • Unfilled positions are on the rise (not good)
  • Existing teams are understaffed (not good)
  • Budgets are (finally) increasing (good)
  • University degree mandates for entry-level jobs are dropping (good).

Let’s focus on the last point about loosening requirements. This is a positive development for a few reasons. We noted before that the ‘checkbox’ exercise is a unicorn search. Hiring managers: move on. Recruiting departments: loosen the rules. When the workforce gap is in the millions, there are no ‘pick and choose’ privileges. You may be passing on some great talent.

It’s a ‘new’ discipline with growth potential

Cybersecurity, as a discipline, is a relatively new field. It started between 10 and 20 years ago depending on where you define the starting point. (Some will say “information security” started much longer ago than that, and they have a case.) Artificial intelligence, alert monitoring and response orchestration, just to name a few, are relatively new fields. Cloud computing solutions are still in demand and 5G/edge computing solutions are running up behind at high speed (pun intended).

What does all this mean?

It means business growth and talent growth potential. Most candidates under review likely do not have all the skills or credentials listed. Instead, they have the desire to learn, are adaptable and are comfortable with discomfort. In other words, skip on the unicorn search and instead ask the candidate:

  • Do they have soft skills?
  • Do they have business acumen?
  • Do they have the desire to learn?
  • Do they have transferable skills?
  • Do they have technical proficiency or signs they can pick it up easily?
  • Are they adaptable?
  • Are they okay with a little bit of chaos as they pick up the skills?

Hiring staff and recruiters, give yourself a reality check in all of this, too. Are you looking for something that does not really exist? Roles can take six months to fill. In a hot job market, get comfortable with gray-zone requirements.

Culture and the bait and switch

Candidates have a lot of open-source information today (news and industry feeds, expert and job blogs, forums and social media). They’ll do homework on the workplace. Regardless of what existing employees say, if open-source chatter is saying otherwise, well, “Security operations center, we have a problem.”

Here are some issues to consider.

If a culture of cybersecurity, or security in general, does not exist, potential candidates may pass. The job may appear great, but if they sense they are walking into a kill box with no cover fire, you may get ghosted.

That’s just one more reason why the chief information security officer must be multi-talented and drive culture and programmatic change. C-Suite support, of course, always helps. It’s much easier to draw in talent when candidates feel like they have cover fire from way on up.

Next is the bait and switch issue. Be honest about what the job entails, what the tasks are and what the career path looks like. Be upfront about any potential chaos. If you are honest, the candidate may be up to the challenge. But if the candidate accepts and finds expectations are completely out of whack with reality, you may be issuing a requisition sooner than you think. It’s a breach of trust that is hard to come back from. Such honesty also has the added bonus of increasing the odds of retention and maintaining institutional knowledge, something that really can be valuable.

In closing, expectations have changed. In a job seeker’s market, those hiring will be forced to adapt. Have an open mind, be creative and be honest. You never know. Instead of seeking a unicorn, you may stumble on one in places you didn’t expect.

More from Risk Management

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709

4 min read - On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for…

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today