As threats escalate and enterprise cybersecurity teams struggle to build teams that can handle mounting volumes of work, the hue and cry over the cybersecurity skills shortage continues to grow more urgent by the year.
In fact, a study released earlier this year from Enterprise Strategy Group (ESG) shows that over the past four years, the percentage of IT leaders who complained about a problematic shortage of cybersecurity skills has more than doubled. Security skills, according to ESG, are the shortest in supply, ahead of IT architecture and planning, and server and virtualization administration, which were numbers two and three, respectively.
If organizations are to survive this skills crunch, they're going to need to get creative about how they build their teams. According to many longtime security experts, this means rethinking the basics. Fundamental to the process is for organizations to be both disciplined and open-minded as they recruit, retrain, and retain staffers.
Here's what the experts say it will take to leverage these three R's.
Organizations often get so hung up with checking off a laundry list of resume prerequisites — either specific security certifications, technology proficiencies, exact numbers of years in the industry, or all of the above — that they eliminate excellent candidates from the pool before they've even started recruited.
"It's important to think outside the box and be open-minded when recruiting security talent. Throw stereotypes out the window and focus on understanding the types of people you are looking to hire," says Jennifer Sunshine Steffens, CEO of IOActive. "They may not have degrees or certifications, they may not have years of experience in security, and they may not wear hoodies."
As Steffens and others explain, security is more of a way of life and a mode of thinking, so recruitment should be about filtering by personality types and mentalities more so than by checklists. Security recruiters who focus more on picking people who can round out a team rather than filling an exact role will see greater success down the line, says David Emerson, CISO for Cyxteram. This is particularly important considering that the pace of change is going to make those checklist items obsolete in a few years anyway. The more important thing is finding someone who can grow with the team.
"The person you need now is not necessarily the person you need one year from now, or three years from now, so make sure your hires have enduring characteristics, such as dedication and a penchant for collaborative problem solving, not merely point-in-time qualities or trendy resume points," Emerson warns.
Organizations should be similarly creative about where and how they run recruitment drives, Steffens adds.
"In cybersecurity, we've found some of the best talent by looking outside the industry 'norms.' Sure, recruitment at college fairs and offering internship programs will yield great candidates, but with 2 million jobs openings, the talent must come in nontraditional ways," she says. "At IOActive, recruiting is part of our everyday lives. We travel around the world attending conferences, hosting events, and visiting hackerspaces to find the right talent."
Finally, if you absolutely must fill a specific list of resume metrics, then you'll need to ensure that what you offer a candidate is on track with market realities.
"[Organizations] will need to open their wallets and clearly define their cultural identity to win the affections of those who are already established as leaders in the field," says Jared Coseglia, CEO of TRU Staffing Partners, a recruiter specializing in cybersecurity.
Hiring based on potential is important, but to get the most out of all that latent ability you'll need to actually give employees the opportunity to make good on it. Training is crucial to helping existing staff keep up with current trends and develop those promising new recruits.
"Companies that don't provide the space and the time for their security staff to keep their skills sharp are setting themselves up to fail," says Ryan Barrett, vice president of security for Intermedia. "Companies with successful security teams give them the time to conduct internal evaluations and regularly send them to security conferences for fresh perspectives and hands-on training."
Training can also be a huge tool for reducing cybersecurity recruitment spending when it is used to retrain or cross-train smart people who already work for the organization in different roles outside of security. According to Coseglia, this can be a very clever way to bridge gaps that can't be filled by external recruitment.
"Pull professionals who know your culture and know your data from tertiary departments and reinvest in them rather than rely exclusively on external hires," he says. "For example, many corporations and consulting firms are transitioning tech savvy e-discovery or forensic investigation professionals into cyber-centric roles. These individuals often have the technical, business savvy, customer service, and/or project management skills needed to step in and provide leadership once trained on specific areas of cybersecurity."
One of the biggest mistakes organizations make is undervaluing the potential that existing IT employees could have to become excellent cybersecurity staffers, agrees Frank Downs, senior manager of Cyber Information Security Practices at ISACA.
"Many of these people long to stay relevant within the organization but are not provided the funding or the mechanisms to cross-train," Downs says. "Many IT professionals want to become cybersecurity relevant. For the cost of some additional education, organizations can have someone who is familiar with the corporate rules and culture [that are] directly applicable to the cybersecurity needs."
Finally, organizations need to remember that simply filling a role is just the start to solid cybersecurity team-building. Even more important is ensuring that those roles remained filled for as long as possible.
This doesn't happen magically. Security managers must develop a sound retention strategy if they want to remain fully staffed in such a competitive market.
"As long as demand for experienced professionals remains high and supply low, a good retention strategy is crucial," says Tom Gilheany, portfolio manager of security training and certifications for Cisco Services. "Retention isn't necessarily driven by higher salaries alone. Research has shown that other factors play a surprisingly strong role when it comes to employee retention."
This means offering employees career and skills development programs and providing a clear path for growth in their roles and responsibilities.
"You can't hire and retain top cybersecurity professionals without presenting them with growth opportunities and a career path," says Drew Nielsen, CISO of Druva. "Hiring managers also have to consider and improve on company culture to attract top talent."
Coseglia agrees that culture is the secret sauce for hanging on to the best and brightest.
"Culture is key to the top echelon of cyber professionals," he says. "Culture can mean different things to different organizations. Some cultures offer advanced challenges, and the nature of their work becomes an enticement, while others offer cultural lifestyle differentiations."
So whether it is giving staff the opportunity to hack into blockchain technology or the artificial intelligence of driverless cars, or it is giving them more flexibility to work from home to achieve a work/life balance, employers must up their game in making their companies a place where security pros want to set down roots.