Employers prefer routines, but information security hiring has changed enough in recent years that sticking to established processes is no longer enough to attract top-tier candidates. Cybersecurity professionals are in such heavy demand that enterprises have to do more than just toss in a few goodies to sweeten the job description. Employers need to change how they play the recruiting game if they are going to hire and retain talent capable of securing their organizations against the ever-rising tide of threats.
Before doing anything else, employers need to get a firm grip on what is at risk and what they need in order to defend it. Stop guessing and start assessing what skills are actually needed for the job. Failure to do so puts the "help wanted ad" at a disadvantage, especially when compared with the more than 53,000 cybersecurity jobs currently posted on the newly launched CyberSN Marketplace.
"Asking for 10 years of experience for entry-level jobs does nothing more than send the message that you don’t understand the role," says Sammy Migues, a principal scientist at Synopsys Software Integrity Group. "You’re saying that you want the person to do the work of three people. Or you want to have a way to arbitrarily drop candidates you don’t like. Create realistic job descriptions if you want realistic applicants submitting realistic resumes."
Accurate skills assessment also lets hiring managers broaden the search to include talented individuals who may not currently be working in cybersecurity. The demand for security professionals means expanding the pool of people working in the industry, and not just constantly poaching them from other companies.
"The tech industry needs to stop considering itself special, where employee candidates must have followed very specific paths through education and certifications to be worthy of a given position," says Migues. "The soft skills, for example, that are mandatory for many cybersecurity jobs – up to and including the CISO level – are way better indicators of future success for many cybersecurity jobs than whether the candidate has memorized command line sequences in five flavors of Unix."
So how does a hiring manager decide what skills to look for in a candidate for an information security role?
Consider using a tool like the Cyber Aptitude and Talent Assessment (CATA) to identify necessary skills. The University of Maryland’s (UMD) Applied Research Laboratory for Intelligence and Security (ARLIS) Center tested CATA and found it accurately predicts candidate success. The Department of Defense (DoD) reportedly uses CATA to test US Special Operations Command, US Navy, West Point, and US Air Force participants to identify potential cybersecurity talent in key areas including “critical thinking, exhaustiveness of approach and practices, initiating behaviors, real-time effectiveness, and responding behaviors.”
Here are some tips for organizations to consider in order to attract cyber-warriors to join your team – after they have a realistic grasp of the skills required and a better job description.
1. Higher pay, better benefits: These are the table stakes. Pony up and don’t be stingy.
2. Stock options plus an upgrade: If stock options are part of the compensation package, offer access to a skilled accountant, too. Far too many people end up paying much higher taxes because some accountant reported their stock options incorrectly. There’s no joy in a benefit that costs more in taxes. If providing accountant services is not possible, consider increasing base pay or other benefits instead of offering stock options.
“While a generous equity package can be important for more senior team members, stock options definitely aren’t as high on this list as they used to be,” says Rajan Koo, chief customer officer at DTEX. "Given the current COVID climate and the uncertainty of what the future may bring, a flexible work environment is key, and cash in hand is king."
3. A “ride or die” credo: One CISO affirms three things in the company credo every day for the security team: “I believe. I belong. I matter.” Getting security professionals completely engaged in the battle against adversaries – to have their heads, hearts, and souls in the game – means making absolutely sure they believe in the company, feel they belong on the team, and feel they matter as human beings.
4. Missions that matter: Cybersecurity professionals want to be challenged.
“We hate feeling stagnant and are very curious by nature,” says Chris Hass, director of information security and research at Automox. Someone who is making the same rounds every day is just a security guard walking the premises, not a cybersecurity professional protecting virtual and physical assets.
5. Freedom to roll: Look for opportunities to cut the red tape and break the bureaucracy.
“As a network and cybersecurity pro, what I value the most in an employer is independence and control over the work I do. I work best under minimal supervision, and my current job gives me the independence to try new things, find my own path, make mistakes, and correct them,” says Eric McGee, a senior network engineer at TRGDatacenters.
McGee also appreciates the ability to control his workflow and workload.
"The ideal security job is one that comes with high wages, ample room and budget to experiment, increased benefits, and flexible work schedules where the pro can dictate their workflow and workload,” he says.
6. Don’t stuff new duties into old company roles: “Jobs are being created today that didn’t exist before – cloud, IoT, Dark Web investigators, threat hunters,” says Dave Tyson, president and CSO of Apollo Information Systems. "It’s a brave, new world, but for many, the ideal cybersecurity job is in an environment where there is low bureaucracy and no corporate pain."
7. R&R as needed: There’s a thin line between feeling needed and feeling abused. Be sure to offer plenty of downtime for security teams to rest and recover from the intensity of their jobs.
A recent Information Systems Security Association (ISSA) report, "The Life and Times of Cybersecurity Professionals 2021," found the cybersecurity skills crisis has worsened over the past five years. VMWare’s 7th annual "Global Incident Response Threat Report" attributes the crisis to burnout. Specifically, the report found that 51% of surveyed security professionals experienced extreme stress or burnout during the past year, and 65% said they have considered leaving their job because of it.
8. Access to ample resources: No matter how talented, a security professional can’t protect a company with the technology and a budget amounting to not much more than a nickel and a spoon. Make the investments. Give them the tools. Give them a voice in what tools you invest in. Ample resources are critical to saving the day.
9. Create opportunities to level up. Despite generous employment packages and bonuses, no employee will stay forever if the job feels like a dead end. "Development is the other side of the coin," says Verizon’s CISO, Nasrin Rezai.
Verizon offers clear career paths as both a recruitment and retention tool. It provides access to curated online development courses organized into topical pathways to help self-directed learners design their own development plans, as well as intensive skill-building and leadership training programs, including dedicated programs for women and employees with diverse backgrounds. Verizon also offers tailored training tied to security career paths and sponsorship for professional certifications within the security organization, Rezai says.
Ultimately, the best talent is looking for a complete package, one that includes competitive salaries, top-tier benefits, equity opportunities, a flexible work-life balance, and the ability to innovate, says Andrea Russell, a senior manager of global talent acquisition at Saviynt.
"It's about providing a full package, not one single benefit that jumps out. Companies that do this will continue to attract and retain the best of the best," Russell says.