While on the hunt for cybersecurity talent, Domini Clark is finding that the more things change, the more things stay the same.
"The irony is that as highly technical as the cyber talent pool is, the best way to actually reach the people you need to reach is to go 'old school,'" says Clark, who leads technical executive search firm Blackmere Consulting, which specializes in recruitment for cybersecurity positions.
In a job seekers' market, in which infosec positions are red-hot and candidates have their pick of opportunities, Clark has been having more success lately by working more traditional methods of tracking down talent – research, connections, networking, and in-person meetings.
And so she now works to reach candidates face-to-face, through events, meetings, and other real-life opportunities to engage with talent.
Clark is one of many recruiters looking to diversify strategies for finding security employees in an ongoing skills gap impacting the industry. According to the InfoSec Institute, the shortage of cybersecurity professionals has grown to nearly 3 million globally, with approximately 498,000 openings in North America alone. This is happening in tandem with increased spending and prioritization of security in businesses around the globe. Gartner forecasts worldwide spending on information security products and services will reach more than $124 billion in 2019, an increase of 8.7% from the previous year.
With employers so desperately in need of help with security initiatives and seeking an edge to get workers interested in what they have to offer, what are some creative alternatives to resume-sifting to find the help you need?
Develop and Work Personal Connections
Beyond showing up, Clark believes the power lies in actually getting to know people — even if it starts in a virtual forum — by reaching out and asking for a conversation before even gauging the talent's interest in a position. Get involved in community and industry groups and start working those relationships, she advises.
"With all of the recruiting tools available to find, screen, and communicate with talent, nothing beats actual connections," she says. "The days of 'post-and-pray' are gone. Not to mention, cyber talent tends to be overwhelmed with surface reach-outs by recruiters [who] don't understand the industry or their specific skill set in relation to the opportunity. Community involvement, and credible networking may be old school, but human interaction goes a long way in engaging with hard-to-find talent."
Clark says she relies more frequently on forming those personal connections and relationships versus low-touch keyword searches and cold emails. Her goal, she says, is to create a solid reputation for Blackmere and a trusted network that talent will keep coming back to when looking for work and that employers will want to tap when they need help.
Try Local Colleges and Universities
IBM Security's Academic Outreach program focuses on partnering with educational and research institutions to develop cybersecurity talent and close the skills gap. It offers training opportunities, scholarships for cybersecurity study, and sponsors hacking contests for teens.
Heather Ricciuto, who leads the program, says the goal is to both identify talent and raise awareness of the various security career paths—an understanding she says is severely lacking among young people.
"The biggest issue in security hiring that I have observed is the general lack of cybersecurity career awareness amongst students of all ages," Ricciuto says. "In general, students do not know what a cybersecurity professional does. Those who believe they have some understanding typically have a misconception of the profession at large, based on what they see on television and the big screen. Academic outreach plays a big role in building awareness amongst students, faculty, and parents."
For regional HR recruiters seeking security talent, a local school may also have programs in place or may even be willing to form a partnership to create security education opportunities.
Tap New Recruiting Technology
CyberSN's Deidre Diamond, founder and CEO, and Mark Aiello, president, think the employer–employee matching process should be more like using a dating site.
CyberSN, a talent acquisition firm focused on cybersecurity professionals, debuted its KnowMore platform at Black Hat in August to connect what it describes as a pool of qualified talent who simply aren't being matched to the right opportunities.
"In our opinion, the No. 1 fundamental problem is that companies are relying on the old traditional hiring methods: draft a job description, which is usually garbage, post this garbage on a job site, and then complain when all the responses are garbage," Aiello says.
This is compounded by recruiters who rarely understand cybersecurity well enough to draft a job description that makes sense to the cyber professionals who read it, he adds. KnowMore uses a common language between the talent seeker and the job seeker in order to build both job and talent profiles. CyberSN likens the language to what is used on dating sites like Match.com and eHarmony.
"As Match.com and eHarmony have taught us, quality matching of fewer candidates is the best recipe for success," Aiello says.
KnowMore also makes matches based on projects and tasks of the job, as well as the professional’s experience, base salary expectations, desired location, educational background, citizenship requirements, and career progression pathways.
Reconsider the Criteria for Hiring
In an ideal world, hiring managers would have their pick of educated and experienced job candidates. But in a pinch, it is time to consider hiring people who simply have a foundation for success in security despite not having the precise education, credentials, and experience the company wants.
In a blog post, information security expert and writer Daniel Miessler said the cybersecurity hiring gap is due to a lack of entry-level positions. And companies are missing out on people with raw talent and a bit of experience that would make them a great hire for a security role simply because they may lack credentials. He advocates instead for hiring managers to focus on practical skills when considering talent instead of a standard checklist of job must-haves.
IBM Security's Ricciuto echoes Miessler's sentiments. She says those recruiting and hiring for security roles also need to expand their viewpoints on what makes a qualified candidate for different types of security jobs and reach beyond the normal candidate pools.
"There are many different types of skills and abilities needed in the security industry, so expanding hiring and recruitment efforts to reach a wider variety of talent and removing barriers for getting these candidates through the hiring process is also key," she says.
Zane Lackey, chief security officer at Signal Sciences and former CISO of Etsy, espouses looking inward to develop new security talent and building a program of "security champions" throughout the organization.
"If you can't scale security through direct hiring, you've got to find another way. Developing your existing employees into security champions can help close that skills gap," wrote Lackey in a blog post.
One aspect of this strategy is to make an effort to embed security skills within other teams in the organization, such as product and development teams. This creates a more nimble and responsive structure throughout the business, with a more pervasive understanding of risk.
But the second, even more critical, step in this plan is to find internal candidates who want to develop security skills. Lackey did this at Etsy by offering voluntary security training—a lunch-and-learn on how to attack your own application. The class allowed the organization to pull in a self-selected group of people who found security interesting.
"They came away with both raised consciousness about the risks they might be creating for the company and practical ways to reduce them," Lackey said. "Instead of trying to train everyone at a low level and not making much of an impact, our security team focused on the people who were naturally interested in security and helping them develop real skills."
One Size Does Not Fit All
Each organization will have its own needs for the security team, and no single strategy will work for finding the talent needed to fill critical infosec roles. But it's clear organizations need to get creative, put in the time, and try new tactics in order to build out their security programs today.