
Joan Goodchild

Rethinking Cybersecurity Hiring: Dumping Resumes & Other 'Garbage'

In a market that favors the job seeker, what are some alternatives to resume-sifting that will identify the talent you need?

While on the hunt for cybersecurity talent, Domini Clark is finding that the more things change, the more things stay the same.

"The irony is that as highly technical as the cyber talent pool is, the best way to actually reach the people you need to reach is to go 'old school,'" says Clark, who leads technical executive search firm Blackmere Consulting, which specializes in recruitment for cybersecurity positions.

In a job seekers' market, in which infosec positions are red-hot and candidates have their pick of opportunities, Clark has been having more success lately by working more traditional methods of tracking down talent – research, connections, networking, and in-person meetings.

And so she now works to reach candidates face-to-face, through events, meetings, and other real-life opportunities to engage with talent.

Clark is one of many recruiters looking to diversify strategies for finding security employees in an ongoing skills gap impacting the industry. According to the InfoSec Institute, the shortage of cybersecurity professionals has grown to nearly 3 million globally, with approximately 498,000 openings in North America alone. This is happening in tandem with increased spending and prioritization of security in businesses around the globe. Gartner forecasts worldwide spending on information security products and services will reach more than $124 billion in 2019, an increase of 8.7% from the previous year.

With employers so desperately in need of help with security initiatives and seeking an edge to get workers interested in what they have to offer, what are some creative alternatives to resume-sifting to find the help you need?

Develop and Work Personal Connections
Beyond showing up, Clark believes the power lies in actually getting to know people — even if it starts in a virtual forum — by reaching out and asking for a conversation before even gauging the talent's interest in a position. Get involved in community and industry groups and start working those relationships, she advises.

"With all of the recruiting tools available to find, screen, and communicate with talent, nothing beats actual connections," she says. "The days of 'post-and-pray' are gone. Not to mention, cyber talent tends to be overwhelmed with surface reach-outs by recruiters [who] don't understand the industry or their specific skill set in relation to the opportunity. Community involvement, and credible networking may be old school, but human interaction goes a long way in engaging with hard-to-find talent."

Clark says she relies more frequently on forming those personal connections and relationships versus low-touch keyword searches and cold emails. Her goal, she says, is to create a solid reputation for Blackmere and a trusted network that talent will keep coming back to when looking for work and that employers will want to tap when they need help.

Try Local Colleges and Universities
IBM Security's Academic Outreach program focuses on partnering with educational and research institutions to develop cybersecurity talent and close the skills gap. It offers training opportunities and scholarships for cybersecurity study, and sponsors hacking contests for teens.

Heather Ricciuto, who leads the program, says the goal is to both identify talent and raise awareness of the various security career paths—an understanding she says is severely lacking among young people.

"The biggest issue in security hiring that I have observed is the general lack of cybersecurity career awareness amongst students of all ages," Ricciuto says. "In general, students do not know what a cybersecurity professional does. Those who believe they have some understanding typically have a misconception of the profession at large, based on what they see on television and the big screen. Academic outreach plays a big role in building awareness amongst students, faculty, and parents."

For regional HR recruiters seeking security talent, a local school may also have programs in place, or may even be willing to form a partnership to create security education opportunities.

Tap New Recruiting Technology
CyberSN's Deidre Diamond, founder and CEO, and Mark Aiello, president, think the employer–employee matching process should be more like using a dating site.

CyberSN, a talent acquisition firm focused on cybersecurity professionals, debuted its KnowMore platform at Black Hat in August to sync up what they said is a pool of qualified talent who simply aren't being matched to the right opportunities.

"In our opinion, the No. 1 fundamental problem is that companies are relying on the old traditional hiring methods: draft a job description, which is usually garbage, post this garbage on a job site, and then complain when all the responses are garbage," Aiello says.

This is compounded by recruiters who rarely understand cybersecurity well enough to draft a job description that makes sense to the cyber professionals who read it, he adds. KnowMore uses a common language between the talent seeker and the job seeker in order to build both job and talent profiles. CyberSN likens the language to what is used on dating sites like Match.com and eHarmony.

"As Match.com and eHarmony have taught us, quality matching of fewer candidates is the best recipe for success," Aiello says.

KnowMore also makes matches based on projects and tasks of the job, as well as the professional’s experience, base salary expectations, desired location, educational background, citizenship requirements, and career progression pathways.

Reconsider the Criteria for Hiring
In an ideal world, hiring managers would have their pick of educated and experienced job candidates. But in a pinch, it is time to consider hiring people who simply have a foundation for success in security despite not having the precise education, credentials, and experience the company wants.

In a blog post, information security expert and writer Daniel Miessler said the cybersecurity hiring gap is due to a lack of entry-level positions. And companies are missing out on people with raw talent and a bit of experience that would make them a great hire for a security role simply because they may lack credentials. He advocates instead for hiring managers to focus on practical skills when considering talent instead of a standard checklist of job must-haves.

IBM Security's Ricciuto echoes Miessler's sentiments. She says those recruiting and hiring for security roles also need to expand their viewpoints on what makes a qualified candidate for different types of security jobs and reach beyond the normal candidate pools.

"There are many different types of skills and abilities needed in the security industry, so expanding hiring and recruitment efforts to reach a wider variety of talent and removing barriers for getting these candidates through the hiring process is also key," she says.

Look In-House
Zane Lackey, chief security officer at Signal Sciences and former CISO of Etsy, espouses looking inward to develop new security talent and building a program of "security champions" throughout the organization.

"If you can't scale security through direct hiring, you've got to find another way. Developing your existing employees into security champions can help close that skills gap," wrote Lackey in a blog post.

One aspect of this strategy is to make an effort to embed security skills within other teams in the organization, such as product and development teams. This creates a more nimble and responsive structure throughout the business, with a more pervasive understanding of risk.

But the second, even more critical, step in this plan is to find internal candidates who want to develop security skills. Lackey did this at Etsy by offering voluntary security training—a lunch-and-learn on how to attack your own application. The class allowed the organization to pull in a self-selected group of people who found security interesting.

"They came away with both raised consciousness about the risks they might be creating for the company and practical ways to reduce them," Lackey said. "Instead of trying to train everyone at a low level and not making much of an impact, our security team focused on the people who were naturally interested in security and helping them develop real skills."

One Size Does Not Fit All
Each organization will have its own differing needs for the security team, and no one strategy will work for finding the talent needed to fill critical infosec roles. But it's clear organizations need to get creative, put in the time, and try new tactics in order to build out their security program today.

Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

User Rank: Ninja
10/13/2019 | 8:36:43 PM
Re: Interesting comment about Garbage

I could not agree with you more, Bradley; it sounds like you are not just talking about it but you have dealt with the real world. My buddy has gone through the same thing you have gone through with a security company located in VA (he found a security bug and issues, pointed it out, and later they walked him to the door, not because he was trying to help, but "how dare he" identify problems in our security solution).

In addition, we identified the same problem with a security assessment at the US Dept. of Navy. They received a raving score for their security setup and implementation, but again, a friend of mine in Bethesda found issues with the network from HP OpenView scans. He reported the issues to our site in DC and we made changes based on some registry entries, easily done. But when he reported the same thing to the members in Bethesda, they asked him to shut down the system, leave the lights on, and paid him to leave the location.

There are a number of other instances; it is not really going to change anything, it has to come from the top down. It cannot be leadership covering up the truth; they have to embrace it so positive change can come. Sometimes it means bringing light to people (negative in certain instances) and their incompetence, but so be it. It is a political game, but in the end, we are all better for it.

User Rank: Moderator
10/13/2019 | 7:41:39 PM
Re: Interesting comment about Garbage
I have heard technical managers say that they have never received a usable candidate through Human Resources or the various job boards. The outside firms have wined and dined the managers and told them they can get them all the workers they need with great qualifications quickly and they can pick the cheapest.

Middle level managers want employees who won't disagree with them and won't make waves. The problem is that the type of employee who can actually do the job won't lie and claim that the system is fine when it really needs several months of work. My experience was that managers want people who will say it's good enough and shove it out to the customer immediately. That's how you get so many failed projects.

IBM said that it didn't want older engineers because they couldn't accept the new techniques. The problem is that they know that the so-called "modern methodologies" like Agile, Extreme Programming, DevOps, and Six Sigma don't work unless the people have an obsession with things working.

They also know that when managers say that they'll take the blame if the decision goes wrong, they are lying. They'll use you as the scapegoat the moment the customer complains.

Setting up the employees as competitors may work in sales, but it doesn't work in any type of engineering. The survivors aren't the best workers, but the ones who are the best at passing the blame onto others.

You may think that I'm exaggerating. I was hired to find the bugs in a program and was dismissed because I found the bugs in files I wasn't supposed to look at. (The files written by the manager.)

You have to figure on one to two years of salary to replace a good employee. Of course, on that basis, you probably shouldn't lay them off.

DevSecOps is a joke. The premise is that anything passing the test suite is suitable for implementation. The problem is that security flaws are usually based on things that won't be in the test suite. You can test if something will meet a set of specifications, but writing a complete set of specifications is very difficult and is an art in itself. You can't use tests to verify that the system won't do things it isn't supposed to do. You can't test in quality or security. Try using Google to search "can't test in quality."

User Rank: Ninja
10/7/2019 | 9:25:13 AM
Interesting comment about Garbage

CyberSN, a talent acquisition firm focused on cybersecurity professionals, debuted its KnowMore platform at Black Hat in August to sync up what they said is a pool of qualified talent who simply aren't being matched to the right opportunities.

"In our opinion, the No. 1 fundamental problem is that companies are relying on the old traditional hiring methods: draft a job description, which is usually garbage, post this garbage on a job site, and then complain when all the responses are garbage," Aiello says.

Interesting statements, but the other thing that is missing is that employers still have racial tendencies and biases against people of color. Oftentimes they look at hiring their friends or within, only to find out that those people don't have the propensity to do this level of work.

Let's be real about it: there are numerous people out here who can do this, but they have been looked over because they did not have 10-15 yrs of experience, or they say, "we will get back to you" (and never do), or out of the 10-15 things they are asking for, if the person is not certified in one area but has certifications in similar areas, they are still passed over, or they are waiting on a friend to end a project so they can bring them on.

This is the reality people go through and have to deal with on a regular basis. It is sad that even in 2019, things are still this way; just look at the news. Indian, Chinese, Hispanic, or Black companies are going after government business but are often shunned (even if the group is from the US), not because they can't do the work, but because the garbage that is sitting at the other end of the desk can't do the work him or herself (they are just talking heads), but they try to legitimize themselves because someone gave them the position.

So it does not surprise me that we have a shortage; it may be because employers have on blinders that are keeping them from finding talent who may be sitting right in front of them.
