The recruiting methods being used in the cybersecurity industry are so dire that they pose a national security threat.
In an exclusive interview with Infosecurity Magazine at the (ISC)² Security Congress in Orlando, Florida, the founder and CEO of cybersecurity research and staffing firm CyberSN and of BrainBabe, Deidre Diamond, described recruitment in cybersecurity as "a crisis in a crisis in a crisis."
Diamond said: "The way we look for jobs is broken. Our professionals aren’t happy. They don’t love their jobs, but because job searching is so bad, they settle and stick around longer in those jobs.
"Having unhappy employees is an insider threat. I believe it’s a national security issue."
According to Diamond, the difficulties stem from a general ignorance of the scope and variety of jobs available in cybersecurity, coupled with the absence of a shared terminology to describe the many skill sets at play within the industry. Also, chronic under-investment by businesses in their cybersecurity means many cybersecurity professionals are doing three jobs in one.
"Cybersecurity isn’t one job; it’s 35 different job categories and 111 titles," said Diamond.
"On top of the changing and growing roles in cybersecurity, we don’t have the common language it takes to figure out the job, or to figure out what the professional really knows. We don’t know how to sell cybersecurity correctly to anybody, never mind to diverse candidates."
To mitigate the problem, Diamond invested in building question-and-answer technology that allows recruitment to be carried out in a different, skills-based way.
Describing the recruitment method practiced by her company, Diamond said: "Resumes don’t matter, and job descriptions don’t matter. We start from scratch, and we ask our own questions, then we build somebody’s profile and we build a job description."
Candidates give a baseline job title they have held and are then asked to list the tasks and projects they have been working on, detailing their functional roles and what percentage of their time is taken up by each role. They are then matched to jobs based on what functional roles are required, taking into account other factors such as salary, location, and remote working options.
Breaking down a job to show the percentage of time spent on each function can widen the number of opportunities open to candidates who might be put off by a job spec that relies on words alone.
Diamond said: "Somebody doing 50% of their time being an analyst and 50% of their time doing incident response could still be interested in an 80:20 split, or in a 40:40 plus something new like malware. That could still be a fit, because malware is really only 20% of the job, and humans are smart and they can learn. When the job is presented correctly, we can make those matches."