Zero percent. That’s the unemployment rate among cybersecurity professionals.
It’s a phenomenal number aside a reported 1.7% rate in the broader IT industry, and the overall national rate in the U.S., which is hovering around 4%.
While a recent salary survey put the median salaries in security between $100,000 and $127,000, that report says those figures haven’t climbed much in a few years. Even so, some recruiters in the industry say it’s not uncommon for candidates to respond to an offer letter by asking for more money.
It can take upwards of six months to fill an entry-level vacancy while finding more senior talent is even more competitive. Enterprises are more or less relegated to poaching talent from cross-town rivals. It’s a process that makes some hiring managers uncomfortable.
“It is strange having to sell your organization to get good security candidates,” according to one discussion group hosted by the SANS Institute, which provides research, training, and certifications in the space, among other services.
Compelling Reasons for Cybersecurity Applicants
Selling a security organization to potential job candidates is just the beginning. Jonathan Katz, a professor and the director of the Maryland Cybersecurity Center, suggests employers struggling to find talent, examine the reasons why a candidate should enlist with any organization.
“It starts by offering potential employees a compelling reason to be there, whether that involves appropriate compensation and benefits, or opportunities for professional advancement, or even just a fun and challenging work environment,” he said in an email interview with Bricata.
Even when companies already have those characteristics to offer prospective employees, security organizations should consider carefully whether or not the perfect candidate exists.
“It is also very difficult for companies to find potential employees with the exact skill set required,” said Mr. Katz. “For that reason, companies should seriously consider employee training, either in-house or through a nearby university or other education program.”
Creative Alternatives for Security Talent Acquisition
The talent acquisitions problem can be even more challenging within more precise disciplines of cybersecurity. For example, we believe intrusion detection and prevention (IDS/IPS) is experiencing renewed interest as organizations turn to threat hunting as part of a layered security posture to ward off data breaches. In a sector that is seeing new innovation for the first time in nearly 20 years, we suspect talent will be at a premium.
Security organizations need to be as adaptive and creative in their talent acquisition, as they are in solving security problems for their employers. Below are some creative alternatives we’ve seen make headlines.
1) Re-evaluate your position descriptions.
Which of the following sound more intriguing: “Senior Cybersecurity Analyst” or “Threat Hunter?”
A quick look at a current position description on any cybersecurity job board will display a long list of vacancies filled the usually corporate jargon – which all sounds the same.
It seems obvious in hindsight, but it’s often overlooked, which may be why Matt Stamper, a research director at Gartner brought it up at the Gartner Security & Risk Assessment Summit in National Harbor, MD., this past summer. He asks rhetorically if the descriptions are enticing and accurate according to the publicly available account of the conference published by the research firm.
“This is also a good time to take a look at your company culture to see if it might attract or deter the type of candidates you’re ultimately seeking. If the culture is lacking, it doesn’t necessarily mean you need to overhaul the company. But adjusting the job listings and presentation to make the team look innovative and fresh can result in better candidates.”
2) Look for willingness to learn.
IBM calls the program “new collar” jobs. The program prioritizes “skills, knowledge, and willingness to learn over degrees and the career fields that gave people their initial work experience,” according to Marc van Zadelhoff, the general manager for IBM Security, in a piece for Havard Business Review (HBR).
“Some characteristics of a successful cybersecurity professional simply can’t be taught in a classroom: unbridled curiosity, passion for problem-solving, strong ethics, and an understanding of risks,” he writes.
See these related posts:
Salary Survey: What’s a CISO Worth in 2017?
3 Use Cases in Network Security for Threat Hunting
How to Tackle the Problem of Cyber Security Alert Deluge
3) Homegrown and relatable skills.
It’d be nice to have the perfect candidate walk through the door with all the requisite certifications, but that’s just not happening today. This has senior security leaders looking for alternative ways to fill the talent pipeline.
During a session at an RSA Conference – the best defense is a good offense – Aflac CISO Tim Callahan identified two alternative ways to find talent. He suggested “re-purposing” employees from other IT specializations and seeking out relatable skills in other business functional areas.
For example, he said network engineers often have the aptitude for security and they already understand the IT environment and culture. Similarly, a data scientist from another shop could be as good as, or even a better candidate, for a role in security analytics than native security staff.
4) Focus on diversity.
Diversity is an issue that has dogged the technology community at large and cyber security is no exception. For example, women make up just 11% of the global information security workforce according to reporting by Alison DeNisco for the Tech Republic. She cites data from the Women’s Society of Cyberjutsu that also finds women make up just 1% of its leadership.
In the aforementioned piece for HBR, Mr. van Zadelhoff notes the accounting industry faced a similar shortage of certified public accountants (CPAs) in the 1950s. The industry teamed with associations and academics to grow ranks from just 500 female CPAs then – to more than 800,000 today.
There’s simply no reason in 2017, the cybersecurity community can’t model this effort to solve a couple of genuine business problems. We’d be remiss if we didn’t add, we all do well to focus on diversity beyond gender too.
5) Military veterans – and not just the technologists.
The vocabulary used in cybersecurity circles is borrowed heavily from military terminology, which means uniformed personnel have a language and training that lends itself to cybersecurity. Descriptions of cybersecurity incidents often read like a chapter from a tactical handbook – C2, reconnaissance, obfuscation, breach, assault, exploitation, and exfiltration.
However, there’s more to it than just familiarity with the lexicon. As Mr. Callahan, the CISO from Aflac, who also previously served in uniform pointed out, military veterans are both trainable and come with the instincts to protect sensitive information.
A related commentary published to the RSA Conference website says former military types tend to like working for other former military types. Writer Tony Kontzer suggests, “Organizations should make it a priority to hire a few military types to fill executive roles, hence making themselves more attractive to this critical talent pool.”
Talent Shortage Shows No Signs of Slowing
If talent hunting is hard today, it’s only likely to get harder tomorrow. The cybersecurity employment projections are bleak.
For example, a comprehensive study conducted in 2017 suggested a “cybersecurity workforce gap” of some 1.8 million jobs over the next five years. There are several other studies with similar forecasts.
If your organization is behind in developing the programs to fulfill the cybersecurity talent needs of tomorrow, there’s no time like the present. As an old Chinese proverb suggests, the best time to plant a tree was yesterday; the next best time is right now.
[vc_separator type=’small’ position=’left’ color=’#689fb3′ thickness=’2′ up=’5′ down=’5′]
If you enjoy this post, you might also like: Security Leadership: 5 Habits of Highly Effective CISOs
Photo: Pixabay (CC0 1.0)