Even as the global cybersecurity skills gap continues to widen, many organizations still cling to the idea that if they hold out long enough, they will be able to find rock-star veterans to fill out their security team rosters. A new survey shows that cybersecurity hiring managers are less likely to take a chance on promising entry-level candidates than they are to hire veteran staffers or those with at least a year of experience.
This reluctance of many organizations to train newcomers to the industry highlights a huge opportunity for hiring managers to improve the state of their cybersecurity workforce, according to the "(ISC)² Cybersecurity Hiring Managers Guide." Based on a survey of 1,200 cybersecurity hiring managers from the US, UK, Canada, and India, the report details hiring practices around the globe.
"The study shows us that, with the exception of the smallest organizations, employment levels for entry-level cybersecurity professionals trail far behind every other experience level," says Tara Wisniewski, executive vice president of advocacy, global markets, and member engagements for (ISC)². "It's also a particularly notable challenge in the US and UK, compared to Canada and India where entry-level employment levels are higher overall."
In the US, for example, just 26% of security teams are composed of entry-level employees, compared with 38% who have four or more years of experience and 36% with one to three years of experience. The proportion of entry-level candidates may actually be even lower than that, considering that the survey methodology included only those managers who have hired entry-level or junior-level candidates sometime in the last two years. With those managers who only hire experienced candidates self-selecting out, the real numbers are likely even more stark than the report illustrates.
Regardless, the lag in entry-level employment rates occurs despite the fact that it takes a relatively short amount of time for these new practitioners to get up to speed on their job duties. Approximately 65% of hiring managers say it takes nine months or less to train entry-level staff. While these candidates build their skills and knowledge, they're typically tasked with the repetitive security scut work that plagues security teams daily.
The top two tasks delegated to entry-level workers are alert and event monitoring and documenting processes and procedures, each named by 35% of hiring managers. In open-ended comments within the survey, managers said that entry-level team members often bring "fresh ideas and perspectives to the table" and are often willing to go the extra mile to get ahead, not only in their job but in the cybersecurity profession.
One of the likely reasons hiring managers struggle to keep their cybersecurity rosters fresh with a greater proportion of newcomers to the field is that they aren't necessarily looking in the right places to find them.
"Organizations rely heavily on external factors and resources to find staff, including looking for certifications and looking within the memberships of certification organizations to find candidates," says Wisniewski, who notes that more than half of respondents rely on external recruitment professionals to fill these roles.
She believes that one of the highest-value things that cybersecurity managers can start doing to attract entry-level and junior-level practitioners is to search for talent beyond the world of cybersecurity and even IT. The survey shows that just 18% of study participants have hired individuals from within the organization who were working in different job functions.
"Transferable skills and eager-to-learn people can be found in sales, marketing, engineering, legal, the military, hospitality, and more," she says. "It's also about ensuring that roles, organizations, and the cybersecurity sector at large are more inclusive and accessible for all."
Reality Check for Training Dollars
Wherever the candidates are found, the investment to get them to the point where they can meaningfully contribute to the team is likely less expensive than some managers might expect. Over eight in 10 respondents said the costs are less than $5,000, and 42% said it costs less than $1,000 for newcomers to start handling assignments.
Even with more significant investments in professional development, Wisniewski says that hiring managers shouldn't hold off on hiring and training entry-level staff for fear that their training dollars will walk out the door. She believes that these practitioners are crucial for the sustainability of an organization's cybersecurity workforce.
"Hiring junior staff is not a risk or a compromise. If anything, it is a proactive move to improve cybersecurity resilience," she says. "You would not hold off investing in critical infrastructure today just because there's a chance the vendor might change strategy tomorrow. The same applies with investing in your people."