As the cybersecurity skills gap continues to plague the industry, it has never been more important for organizations to have a sound understanding of how to attract and retain the best staff. Michael Hill reports
The cybersecurity skills gap is one of the most commonly discussed topics across the industry today. The simple fact is that, in an ever-evolving and demanding digital environment, there just aren’t enough qualified individuals to fill the plethora of security roles that currently stand vacant.
Research from firms like (ISC)2 predicts a deficit of 1.5 million unfilled jobs in cyber globally by 2020; undeniable proof that the industry will suffer greatly if the issue isn’t tackled head-on.
“The skills shortage applies right across the security industry – in both the vendor and end-user domains,” explains Simon Hember, group business development director at Acumin Consulting. “There are certain technical skill sets where demand massively outstrips supply, such as web application security specialists, accredited penetration testers and enterprise security architects.”
Government and education bodies do seem to be getting the message, with more being done to help cultivate a higher level of cybersecurity awareness in the young than ever before, but this is only half the battle.
Just as much an issue is exactly how organizations go about attracting, hiring and retaining the sort of talent they need. With so many companies desperately searching for new security professionals, there is an unprecedented level of competitive tension, which can drive up candidate expectations and contract rates, lead to poor hiring processes, and result in rushed, ill-informed decisions. This can make it extremely difficult for organizations to recruit quality staff, and even harder to keep hold of them if the organization is not fully prepared to take on the various challenges and intricacies that surround the employment process.
So what are the key fundamentals that enterprises need to consider to make sure they attract the best staff?
Put Yourself in Control
Firstly, companies need to put themselves in the strongest possible position when they are looking to bring in new recruits, and in today’s employment culture, a great place to start is by forming a solid relationship with dedicated recruiters.
“Always speak to a specialist agency or consultant who can offer sound advice to help mitigate against the possible pitfalls of under- or over-hiring for the role, getting the compensation level right, ensuring the job description is appropriate for the role and the recruitment process is sufficiently rigorous. Getting it wrong can be very costly and so it pays to take good advice,” adds Hember.
One of the most common reasons for losing out on talent tends to be a lack of control in the initial process of looking for a candidate, and a breakdown in communication between the candidates and employer. Working with a dedicated specialist means that applicants are engaged in a consultative process where concerns and risks are communicated both ways.
What Do Security Pros Want?
The next, and perhaps most important, thing to gain an understanding of is exactly what security professionals are looking for in a role. After all, you could sit down and interview the perfect candidate for the job, whose ability or potential is what you’re looking for, but if what you have to offer doesn’t appeal to them, they could slip through your fingers – and this often comes down to more than just financial gains.
“Of course salary does play a part,” Ollie Hart, Fujitsu’s head of enterprise & cybersecurity, UK and Ireland, tells Infosecurity. “Experts in the field are extremely valuable and know it, so they will look to go to companies who recognize that and offer competitive packages.
“That said, to attract the best industry talent, companies need to showcase themselves as an organization with a lot of opportunity for training, growth and development. People are looking for careers with longevity and progression rather than short-term contracts, and so companies need to demonstrate that they can provide that.”
The reputation of a company comes into play too, Hart continues, with the most attractive organizations having a good reputation as an employer, coupled with a team with strong capabilities and opportunities.
Dr Adrian Davis CISSP, managing director, EMEA, at (ISC)2, echoes these sentiments. He adds that the deciding factor in attracting staff is influence. Security professionals want to know they are making a difference; that they are successful, contributing to success and that they are appreciated, he says.
“If cybersecurity individuals do not feel valued, believe they are there to be blamed or fired when things go wrong, or that their opinions are not taken into account, then they will not stay long.”
The best organizations don’t treat cybersecurity professionals any differently from other employees, Davis continues. They ensure those professionals are tightly linked to the business and its operations, and reward expertise and business contributions.
“This means that all employees should have influence across the organization in the areas where they are needed, not just those at a senior level.”
When the Grass is Greener
This brings us onto the subject of staff retention. For CISOs, losing good employees is painful, especially when time and effort have been invested in them. The reality is, however, that people are often on the lookout for their next role, particularly if they believe the grass is greener on the other side.
“It’s a hot market and therefore people do move around to ‘capitalize’ on their skills and progress their careers,” Hember says. “We tend to find that even amongst the most passive of candidates over the last couple of years, few are truly ‘off-market’. Companies are now doing much more to gain employee buy-in and retain their services.”
Organizations need to remember that it’s not enough to focus solely on attracting people in with promises of what the role will offer; they have to constantly take steps to give them a reason to stay and limit the ‘revolving door’ of staff that seems to impact so many businesses. The key here is making the job and the company stimulating enough to retain employees, and offering something unique and challenging is a great way to reduce churn.
“When someone feels that they have exhausted all they can gain from a company, they will begin to look elsewhere for the next new and exciting challenge, so offering staff the exposure to wider areas within cybersecurity is really important to keep things fresh and interesting,” advises Hart.
“Companies could also offer their staff options for further academic study and qualifications – it’s a fast-moving industry so companies need to ensure that they are keeping their teams up to date and excited about what they are doing.”
Think Outside the Box
Finally, companies need to be willing to think beyond the obvious when it comes to hiring staff. The industry is evolving at an incredible speed, so businesses must be just as forward-thinking and innovative when it comes to recruitment. Speaking to Infosecurity, independent consultant Dr Jessica Barker explains that a big part of this comes down to a willingness to sometimes look past what somebody has to offer on paper and consider the wider picture of what they can bring to the table as an individual.
“Recruiting people with the right attitude, mindset and potential is really important. Rather than hiring people based purely on certifications, look at what they do outside of work, what their work ethic is like, whether they’re a team player. If they have these qualities and the desire and potential to be trained up, that might be a better investment than someone who has lots of certifications,” advises Barker.
This is an opinion shared by David Baker, chief security officer at Okta, who says that some of the best security talent he has hired didn’t necessarily have a formal education but had the determination to find things out for themselves and become their own teachers.
“It takes a person with a lot of creativity to really do that. I like to think of security professionals as ‘unique snowflakes’ – they’re often very creative people because what they do is actually a very creative endeavor; how do you figure out how to break things that are not designed to be broken?
“How you translate that creativity into a curriculum I think is where we are lacking as an industry right now, that’s something we haven’t figured out yet,” he argues.
In the long run, adds Davis, companies need to look for a broader range of skills, not just a narrow technical focus. Organizations must understand that they have to recruit junior-level employees (and train them). The bottom line is, opportunities must be provided in order for the next generation to grow and develop.
There’s simply no escaping the fact that the cybersecurity skills gap is currently rife, and it’s not something that the industry can circumvent, nor is it a problem that will go away overnight. However, we are starting to see a change, with more companies working with academia to show young talent how interesting and rewarding cybersecurity can be, in addition to providing opportunities to develop an interest in the cyber landscape. It’s now vital that businesses reinforce this by also evaluating their own strategies for attracting, hiring and retaining staff to ensure the process is kept relevant and inventive, and ultimately allows them to build the very best security teams for the long term.