Everyone knows there’s a looming cybersecurity talent shortage; that qualified professionals are harder and harder to come by even as cybercriminals continue to gain ground. What you may not know, however, is that addressing that shortage within your own organization is easier than you’d expect. It all starts with your hiring process.
According to research by several major cybersecurity firms, the growing cybersecurity skills gap will reach one million positions by 2020. One million vacant jobs with nobody to fill them. Hundreds of thousands of organizations forced to face an increasingly-hostile threat landscape without the necessary defenses.
Cybersecurity’s looming talent shortage has officially crossed the line from challenge to catastrophe. And in spite of this, most businesses seem to lack any real concept of how to address it. In their eyes, there simply aren’t enough qualified individuals.
Here’s the thing – that’s only partially true. While it’s certainly accurate to say that there aren’t enough people specifically seeking out security degrees and certifications, assuming this means talent is impossible to find is highly inaccurate. Experience and expertise may well be in short supply, but talent is not.
Whether or not your own business suffers overmuch from the skills shortage ultimately boils down to your hiring process. Where you look, how you reach out to prospective hires, and how you bring new staff into your organization. Let’s talk about what you can do to be better.
Work towards greater diversity
Earlier this year, a report from the InfoSec Institute revealed that women make up a paltry 11% of the cybersecurity workforce. The problem, according to the analyst firm, is twofold. First, cybersecurity has a horrendous PR problem – chances are good that unless you work in IT, the first images that come to mind when someone mentions a hacker or a sysadmin are anything but flattering.
Worse is the fact that women in IT still make considerably less than their male counterparts – there’s as much as a 20% gap in pay. These two factors together mean most women are understandably disinterested in pursuing a career in cybersecurity. Why should they make the effort to break into an industry that’s so hostile to them?
Persons of color do not fare much better, with only 23% of minority cybersecurity personnel holding leadership positions compared to 30% of Caucasians. That may not seem like such a large gap, until you consider the fact that 62% of POCs hold a Master’s degree or higher, compared to only 50% of their Caucasian peers. The former is also paid less than the latter.
At this point, you’re probably thinking that this challenge is a little more big-picture than your organization can deal with alone. You aren’t exactly wrong in that assessment. The large-scale social changes necessary to make the cybersecurity space more welcoming to anyone who isn’t a white male aren’t going to happen overnight.
That isn’t to say there’s nothing your business can do in the meantime to promote more diversity, though:
- Partner with organizations responsible for the creation and promotion of diversity initiatives, such as the Woman’s Society of Cyberjutsu.
- Work with nearby post-secondary institutions to promote mentorship programs aimed at bringing fresh faces into the cybersecurity space.
- Create internal initiatives aimed at addressing discrimination within your organization’s own culture. Education should be your first step, as should confronting any prejudices you yourself may hold.
- Seek out local career fairs targeted specifically towards women and minorities.
- Create a landing page on your website dedicated to inclusivity and diversity. Here, you can share success stories from those your organization has recruited, and talk openly about what your organization is doing to make cybersecurity as a whole more diverse and less discriminatory.
Expand your hiring pool
Beyond working to increase diversity within your organization (and the industry as a whole), another important step to addressing your organization’s talent shortage is to rethink where you’re looking when seeking new cybersecurity professionals. Online job boards and technical institutions are all well and good, but you can go further.
For instance, have you considered hiring someone with a music degree? What about someone who works in mathematics or accounting? These are all fields whose skillsets overlap with cybersecurity to a surprising extent, yet many businesses completely overlook them when seeking to fill positions in IT.
They forget that cybersecurity expertise can be learned or taught. That what’s more valuable is for new hires to possess the proper traits. Consider – knowledge aside, what makes for a good security professional?
- A methodical, detail-oriented mind
- The ability to think logically and analytically, but also approach problems creatively
- The ability to communicate and collaborate with colleagues across a wide range of disciplines
- A willingness to learn
- Passion where cybersecurity is concerned
Consider focusing your hiring drives on people who’ve the right traits.
Finally, it’s also worth considering that you need not hire someone who’s completely new to your organization. Let’s say, for instance, one of your staff members seems to have an exceptional degree of knowledge about security, or a deep interest in technology. Why not give them an opportunity for advancement to a new position instead of spending time, money, and effort trying to convince someone to choose your business over the countless organizations courting them?
Improve your job listings
One of the most frequent mistakes I see businesses make when hiring new cybersecurity talent lies with their job listings.
Some demand so many skills only a unicorn could possess the right qualifications. Others read like they were written by a first-grader. And some focus entirely on what the employee should bring to the organization – not on what the organization can offer the employee.
The thing about cybersecurity is that it is not currently a recruiter-friendly market. Men and women who possess the right qualifications to hold a security job generally have their pick of the litter when it comes to choosing an employer. That means that if you aren’t putting your best foot forward with your job listings, a lot of people are going to ignore them.
If it helps, you might look at it this way – posting a poorly-written or overly-demanding job listing is like going to a trade show in cargo shorts and sandals without bothering to shower. Sure, you might find a few people who’ll talk to you. But you’ll just as likely be asked politely yet firmly to leave.
To improve your job listings, consider the following steps:
- Hire a copywriter, or find someone within your own organization that possesses a good command of English.
- Consider what makes your business unique, and what makes your organization a good place to work. In addition to the required qualifications, focus on that.
- Find a voice for your listing – inject some personality into it, rather than being overly dry and boring.
The skills shortage need not cripple you
Like it or not, there is a talent shortage in cybersecurity. But whether or not that skills gap is catastrophic or inconvenient for your business is entirely up to you. You might be surprised at how readily you’ll find people to fill the vacancies in your IT department with just a few tweaks to your hiring process – and a broadening of your own perspective.