How Do You Find Cybersecurity Talent?
Frank Downs, Senior manager, Cyber/Information Security, ISACA
The old adage that good help is hard to find proves its staying power on a regular basis. Whether you are a new homeowner trying to find help moving, or a hiring professional seeking the right fit for your organization, identifying and vetting individual aptitude to perform proves difficult.
This is especially true for organizations in need of cybersecurity professionals. In today’s world of constant cyber barrages, where inside information is covetously defended and sought, finding the right people to protect an organization’s intellectual property, trade secrets and personally identifiable information is difficult. Additionally, thanks to cybersecurity’s nascent stages of development, very few individuals are truly ‘turnkey’ ready to take on today’s challenges. While some organizations have attempted to remedy this deficiency with knowledge-based certifications and designations, they are misleading band-aids that cannot cover the greater malady. To address the issue of the cybersecurity talent deficit, organizations must leverage true skill assessment mechanisms.
While the lack of cybersecurity talent frustrates many hiring organizations, others blame faulty metrics or simply deny the problem’s existence. However, in its global State of Cyber Security 2017 research, ISACA learned that while 59% of enterprises receive at least five applications for each open cybersecurity position, most of the applicants are unqualified for the roles. This results in most vacancies remaining unfilled for at least three months, with 26% of the job openings remaining unfilled for at least six months.
Personally, I have experienced this frustrating reality first-hand in hiring cybersecurity professionals. Oftentimes I have sat across the table from a potential hire who is eager to jump into the world of cybersecurity and even has the certifications to prove his or her abilities. After an encouraging interview, full of buzzwords and current event references, I would recommend the individual to our human resource representatives. Yet, once the individual was hired and integrated into the team, I would quickly learn that knowing the word ‘packet’ was the extent of their understanding of the tiny data transmitters.
"Most vacancies remain unfilled for at least three months"
If one were to simply consider statistics and singular personal experiences, they would quickly become disheartened at the prospect of discovering and hiring cybersecurity talent. However, there is hope for remedying this current daunting state.
Another adage springs to mind: ‘there’s no substitute for experience’. When asked to identify the most important attribute of a qualified applicant, most respondents indicated they valued practical, hands-on experience. This makes a lot of sense, but can be difficult to measure. Yet, mechanisms are emerging, such as ISACA’s cybersecurity skills assessment tool, which measures applicants’ ability by placing them in live networked environments undergoing real attacks and exploitations. The ability of an applicant is measured through his or her approach to the attacks. Using this data, organizations make more informed decisions about applicants.
Assessment tools are but one way in which the cybersecurity talent gap is being addressed. Personal endorsements and attestations of ability also continue to provide worth. Thus, not all hope is lost for the hiring professional seeking cybersecurity talent. Through leveraging the dual mechanisms of personal professional endorsements and skill assessment tools, organizations can address cybersecurity needs for themselves and for the industry overall.
Andy Cripps, Operations Director, Quicksilva
Quicksilva is a systems integration and managed service provider (SME) which primarily operates in health and social care. This is a highly regulated sector, and rightly so, because the data involved is very sensitive. As a result, our employees need to have excellent cyber-skills, whether they are developers, IT engineers or IT security experts.
I doubt this will come as a surprise, but as Quicksilva has evolved as a company, we have found that our need for technical experts exceeds our need for traditional skillsets. We need people to have excellent skills relevant to their role, but also to have strong cyber-skills, an interest in how our business works and excellent communication skills. I suppose the point is that all these attributes link together to ensure the employee understands the value of the information the organization holds, and the potential impact if that information is unavailable/disclosed. Crucially, the IT professional needs to be able to communicate issues and risks clearly and effectively up, down and across the company.
We found that the computer science graduates we had taken on needed a lot of training as it became apparent that their degrees lacked practical coverage in a number of key areas important to us, including cybersecurity. So we engaged with the Tech Partnership to support their aim of promoting wider coverage in degree content to better prepare graduates for the workplace. The Tech Partnership delivers this through tech degree apprenticeships.
There are a number of degrees available, but of interest to us was the Digital and Technology Solutions BSc at the University of Winchester in the UK. The course roadmap for software engineers is built around a core of computer science modules, but crucially it includes cybersecurity, network security and protecting intellectual property. Our experience has been extremely positive, as the apprentices have quickly become productive. The content and delivery of the course is evident as they are asking our leaders serious questions about how we protect our systems and information.
"Computer science graduates we had taken on needed a lot of training"
I’m also aware of a number of universities seeking to have their degrees accredited by the National Cyber Security Centre (NCSC). At the time of writing only two universities offer NCSC accredited BSc courses, but as this number grows, it will help to develop cyber-skills in the market.
Based on my experience, I would encourage any organization to invest in a degree apprentice program. It is important though that you don’t leave the university to do all the work; get the apprentices engaged in a program tailored to your organization and mentor them. These are people you will really want to retain.
Back at Quicksilva, learning never stops. All of our tech people have access to a well-known online learning portal, and have time in work to study. This has delivered certifications such as CISM, Security , MCPD, MSCE and people are currently working towards CISSP, CEH and CISA. We think this is important for the success of our business and in helping us to retain our talent.
Ed Tucker, current European CISO of the Year
The cyber-skills gap is real. OK, it’s probably not quite the chasm that’s being portrayed, but make no bones about it, the availability of actual expertise is scant. A quick glance at LinkedIn may show a veritable plethora of cybersecurity experts. Once you scratch the surface however, you will find that most of those ‘experts’ simply don’t have any expertise.
If you’re looking to recruit people into cyber roles, and (understandably) want all the bells and whistles in terms of skills and experience, that will actually leave you with an even smaller pool in which to fish. What’s more, you’ll have to pay serious dollar to secure it.
That does presuppose that you are looking for the right skills in the first place. So many cyber role advertisements are badly worded and looking for the age-old certs of CISSP and CISM. No disrespect to either, they have their place, but they are not what I personally look for when recruiting.
When hiring, I want practical skills and hands-on knowledge that has been honed over time. You can learn a lot about an organization from the wording of their job adverts and the skills and certifications they require. Sadly, most reveal lack of maturity in the hiring organization. My biggest advice in this space is for organizations to go and speak to actual experts to find out what they should be looking for and why.
With the abundant lack of skills, what is the solution? Well, the skills are available. Not necessarily all in one go, but they are there. There are decent volumes of good technologists; professionals who fundamentally understand how computers − physical or virtual − really work and how they communicate properly. A good foundation of technical know-how is easier to layer the nuances of cybersecurity upon than someone without technical competence.
"Once you scratch the you will find that most of those ‘experts’ simply don’t have any expertise
I also advise bringing in burgeoning talent to mold into future professionals. Here I would caution against being too restrictive. If you just look at graduates, then you’ll miss the people, like me, who never went to university. Recognize that these people take time to develop. They have a far wider learning gap and require much more pastoral care, but they are very much worth investing in.
Finally, you need to provide the right environment and meaningful work where individuals will grow, both in practical experience, but also conjoined with a proper training regime. You will also need to recognize that you will lose people along the way, as anyone with the right skills will become very marketable. Meaningful work, recognition and of course the right pay and rewards goes a long way to securing your talent for longer, but many will leave in time.
There is no silver bullet and there are many pitfalls along the way. However, if you do your homework and extend the scope of your recruitment pool, then you can reap rewards in the long run.