There's a general acknowledgement that there aren't enough trained cybersecurity professionals to go around. Conversations at cybersecurity conferences are often centered on where to find top pros, how much to pay them, and what string of letters behind their names means the most.
Even the organizations that provide cybersecurity certification admit that there aren't enough certified pros to meet the need — and that there never will be enough. So what's a manager charged with finding cybersecurity talent to do?
Many executives and hiring managers say the key to finding solid talent is flexibility in the search. "The process is very much like drafting professional athletes," says Mike Jordan, vice president of research with Shared Assessments. When you can't find a position player that you need, you look for individuals who have the skill sets relevant to the position. Find ones that are smart and hardworking and they should be able to fill the position nicely."
Heather Paunet, vice president of product management at Untangle, says that it's important to get it right. "Searching for candidates to fill cybersecurity positions beyond certifications and years of experience can seem counterintuitive, but there are many other interests and logical business skills that are just as important to consider," she explains.
We asked executives what they would look for in filling cybersecurity positions. What they provided was less a checklist of specific skills than an indication of the broad skills, experiences, and personality traits that make someone a great candidate for the cybersecurity team. What they didn't provide was a simple way to look for those on a resumé — but no one said that solving the hiring problem was going to be easy.
Of course, not everyone agrees that there is, in fact, a shortage of cybersecurity professionals.
"The premise that we are short of cybersec pros is BS spread by businesses with a vested interest in importing HB-1 workers," says Colin Bastable, CEO of Lucy Security. "There is no shortage of cybersec pros — just a shortage of good ones, and that is a good thing. The market decides. Certification is a scam — it just gets us a load of talentless credentialed people who make the world less secure. You want to hire someone who understands how the enemy thinks but without the moral baggage of being a cybercrook. Most employers with a four-year degree will hire someone with a four-year degree, but zero talent." All you have to do is find that elusive thinker.
What do you think — is it possible to hire a great cybersecurity professional in the absence of security certification? If it is, what do you look for in a great candidate? We'd like to know your thoughts; please talk to us in the Comments section, below.
Read on to see what other security hiring managers had to say.
(Image: chokniti VIA Adobe Stock)
Curtis Franklin Jr. is Senior Editor at Dark Reading. In this role he focuses on product and technology coverage for the publication. In addition he works on audio and video programming for Dark Reading and contributes to activities at Interop ITX, Black Hat, INsecurity, and ... View Full Bio