Recruiting for top cyber talent has been a challenge since the dawn of the cyber security industry. As the requirements for organizations to secure themselves against a myriad of security concerns continue to grow, so do the requirements to fill new and existing cyber roles. This worldwide problem is exacerbated by a perceived worldwide dearth of cyber security talent. However, many within the industry, and those recruiting for roles in it, can take this unique challenge and turn the problem into creative and successful solutions for bridging the cyber talent gap. Luckily, those who are hiring for cyber security roles have the individual power to help turn the tide and bring uniquely qualified candidates to their organizations.
Understanding what is causing candidates not to present themselves to an organization starts from the very beginning of recruitment. Four main problems creating an artificial blockade to potential candidates include:
- Steppingstone hands-on experience is lacking for many trying to get into the industry
- Job descriptions over-exaggerate the requirements for the role
- Interviews can be more of an art than a science
- Tech teams and HR have not forged on bridging the talent gap together
Steppingstone Hands-on Experience is Lacking for Many Trying to Get into the Industry
Many individuals trying to get a head start in the cyber security industry hit a major headwind the minute they start applying for a role. They look back at their resume and say to themselves, “I do not have the required hands-on experience for this role”.
Unfortunately, while that candidate may have the right ingredients to be successful in the role they are applying to, they will pause on applying due to a perceived lack of experience for the position. This dilemma stops so many qualified candidates from ever setting foot in this amazing industry. There are a few different ways one could tackle this barrier and enlarge the pipeline of qualified candidates into stepping-stone roles, from which they can flourish into something special in the industry:
- Develop a rotation for candidates to sit with non-cyber-security technical teams such as network operations, Windows and Linux operations, and the IT help desk at the beginning of their tenure to gain hands-on experience. This allows candidates to build key foundational knowledge of the functional units they may be responsible for protecting, and responding to incidents in, throughout their career.
- Follow Google’s 80/20 policy, which allows an individual to spend 20% of their time on creative side projects. Not only does that allow the candidate to flex their creative muscles, but it also gives them a wonderful opportunity to partner with other functional areas to gain experience they would never have had the chance to even think about before. It will also afford them the chance to network with those outside of cyber security and build contacts throughout the company that could help them be successful in the organization throughout their tenure.
- Allow employees to work on stretch goals. For example, let someone work on an automation solution so they can grow a small amount of programming skills. Employees will appreciate senior management’s backing on their endeavors to be a better version of themselves too.
Job Descriptions Over-Exaggerate the Requirements for the Role
When organizations know they have an open requisition to fill, some make the mistake of using a canned job description from the past, or taking one from the internet and copying and pasting much of the detail. However, those trying to enter the industry see such job descriptions and get scared off from even applying in the first place. An example of an entry level job description I found through a quick search:
“A minimum of three years of experience in the field of Cyber Security and Information Risk Management
Bachelor's degree in an appropriate field from an accredited college/university
Cybersecurity related certification (e.g., CISSP, CISM, CISA, GCIH, GPEN) a plus
Working knowledge of NIST 800-171 and the Cybersecurity Maturity Model Certification
Familiarity with other compliance frameworks such as FedRAMP, FISMA, SOC, ISO, HIPAA, HITRUST, etc.
Working knowledge of database technologies such as SQL
3 years of working and hands on networking knowledge”
In fact, many with experience in the industry may not have all the “requirements” for this entry level role. Does that mean an entry level applicant would be unsuccessful in this role? Maybe instead of analyzing that question, we should instead ask whether the job description for the role is appropriate. Next time you are charged with reviewing a job description for a role, think about:
- Could a large list of certifications scare off qualified candidates?
- Look closely at the “years of experience” required for each line item
- Differentiate between a “required skill” and a “nice to have”
- What soft skills can make an entry level candidate shine?
Unfortunately, stringent job descriptions like the example above may be good for Applicant Tracking Systems, but they may not be the best way to bring in your best future cyber talent. They may inadvertently stop top candidates from ever applying to your organization because they automatically assume they are not qualified enough. Sadly, if they do not apply, you will not be able to interview them and really get to know a hidden, well-qualified candidate. Some of the key hard-skill components needed to be successful in a role have the potential to be taught on the job.
Interviews Can Be More of an Art Than a Science
Ask 100 people how they interview a candidate, and you will get 100 different answers. Everyone has their own style of interviewing, but when it comes to entry level positions, or those trying to forge their path in the cyber security industry, figuring out the right mixture of questions to assess a candidate can be tricky. After interviewing hundreds of candidates for roles, including entry level roles, I have found that homing in on the candidate’s soft skills can be a huge win in finding someone who will quickly excel in the industry. Some high-level soft skills to assess an entry level candidate on can include:
I always enjoy interviewing a candidate to find out how they were able to get through a sticky situation, either at school or in the office. Hearing the way they tell the story can say a lot about a candidate, as it showcases their communication skills without being a direct soft-skill question. Additionally, understanding the thought process by which the candidate was able to resolve the situation will likely translate well into how they will get past complex situations at the office. A key tenet to remember:
“Cyber security is filled with the complex, but many times the crux of the answer is found by asking the best directed questions to the best directed people or systems and not taking what is on the surface as the final answer.”
In addition, someone who has taken steps to practice their craft outside of normal working hours can turn into a superstar on your cyber team. They continually dig for the best answers when those answers are not obvious. Also, the tools in their toolbox are constantly being sharpened by exposure to a diverse set of problems and an even more diverse set of solutions.
Tech Teams and HR Have Not Forged on Bridging the Talent Gap Together
What is enjoyable about trying to close the talent gap is that no one is alone on this journey. Cyber security teams and HR teams have a unique opportunity to work together and be creative on future roles. Many affinity groups are working tirelessly to help fill the gap. Both candidates and cyber professionals can partner with them to help build the future pipeline and also to find candidates who are making every effort to make a positive splash in the industry. In addition, utilize the free resources SANS has created to help in your cyber security and HR partnered journey:
| Resource | Description |
| --- | --- |
| Cyber Aces | Developed by SANS, Cyber Aces is a free, online course that teaches the core concepts needed to assess and protect information security systems. |
| Free Resources | SANS instructors produce thousands of free content-rich resources for the information security community annually. These resources aim to provide the latest in research and technology available to help support awareness and growth across a wide range of IT and OT security considerations. |
| SANS Summits | Summits bring together cyber security practitioners and leading experts to share and discuss case studies, lessons learned, new tools, and innovative strategies to improve cyber security and overcome challenges in a particular focus area or industry. Many SANS Summits are now FREE! |
| Tech Tuesdays | Dive into the material and get hands-on experience with tools and techniques that you can apply immediately. |
| SANS Reading Room | The SANS Reading Room features over 3,120 original computer security white papers in 111 different categories as of March 2021, and is added to regularly. |
While the cyber security industry has experienced incredible growth in both requirements and expertise over the years, talent development is still playing catch-up. Luckily, those in the cyber security field historically thrive in situations where the answer to a problem is not always clear. Solving this problem by developing talent beyond the standard approaches will pay dividends to both your organization and the growth of the whole industry.
Many want to come to our field, but just do not know how to. Open the door for them.
Rest of the HR + Cybersecurity Series
1. Listen to the corresponding webcast here.
2. Read the rest of the Blog series here:
- Knowing Your Applicants: How to Stay Current to Best Assess Your Cyber Applicants
- Not in Cyber Security? No Problem! Creative Ways to Gain Experience With No Experience
- Slow the Revolving Door of Talent: Creative Ways to Keep Your Cybersecurity Talent in Your Organization
- Transition to Cyber Security From a Non-Cyber Role: Creative Ways to Impress to Land Your Dream Cyber Role
About the Author
Kevin Garvey is the US IT Security Manager for an international bank responsible for overseeing incident response, vulnerability management, cyber threat intelligence, as well as the security operations center (SOC). Previously, he worked at New York Power Authority, JP Morgan and WarnerMedia (formerly Time Warner). Kevin has always had a passion to hunt down the adversary and has loved tackling the risk and threat challenges his responsibilities have thrown at him. Kevin teaches SANS MGT512: Security Leadership Essentials for Managers. Read Kevin's full profile here.