Today’s cybersecurity teams need all the help they can get to keep up with a breakneck pace of work. Threat Actors barrage corporate systems with new and inventive attacks by the minute. And Cybersecurity professionals are committed to protecting information, privacy, and maintaining regulatory compliance. Unfortunately, security hiring managers struggle to hire talent fast enough to fill their needs.
Some claim that it’s a market shortage of security skills that is keeping companies from filling positions in a timely manner. But there’s actually a lot more going on than a simple constraint of skilled labor that’s contributing to today’s cybersecurity staffing crisis.
The uncomfortable truth is that cybersecurity
recruiting today is very broken.
A disconnect exists where even as hiring managers are complaining that there aren’t enough skilled security professionals to go around, the veteran cybersecurity job recruits that are out there are unable to land great jobs in eight months or less. That doesn’t make logical sense from a pure supply-and-demand perspective.
It’s happening because there are a lot of dysfunctional dynamics at play in the security job market today.
As a longtime cybersecurity staffing specialist, I see every stakeholder in the cybersecurity ecosystem contributing to the problem. Here are the many broken faces of the cybersecurity job market.
Security Hiring Managers
A recent study from Enterprise Strategy Group found that some 53 percent of security hiring managers today report experiencing a ‘problematic shortage of cybersecurity skills.’
And yet if you dig deeper into the issue you’ll find that many of these same hiring managers are doing very little to proactively develop those skills in-house.
They’re not hiring creatively at the entry level or near entry level. They’re not bringing in new blood with great problem-solving skills or relevant technical skills that can be built upon with the right mix of on-the-job training and professional development classes. That’s probably because they’re also not sending staff to conferences or paying for training to help them learn new skills—or even just to keep up with the latest trends and technologies. Furthermore, they’re not pairing junior staffers with senior staffers, or doing any kind of strategic succession planning.
Instead, they seek to hit the lottery by trying to attract unicorn candidates. They look for impossible candidates who possess an unrealistic combination and depth of experience who’d also be willing to do the work of multiple specialists for a single person’s salary. They tentatively post these nightmare jobs to ‘see what happens’ in lieu of putting a comprehensive team-building strategy in place. Meantime the backlog builds and the overworked staffers already on the team grow more frustrated and discontented by the day.
Now, I don’t want to beat up on security hiring managers too much because their actions (or failure to act) are often a reflection of circumstances completely out of their control. For example, in many larger organizations corporate policy dictates that human resources will take it upon themselves to write job descriptions and market the open role to available candidates.
The trouble is that they don’t ‘speak’ cybersecurity and they’re often intimidated by the technical elements of the job.
So they resort to cutting and pasting job descriptions from ill-advised sources. Completely disconnected from cybersecurity culture or knowledge, HR may do some cursory investigation and utilize vague skills keywords that may mean different things to different organizations or candidates. Or they’ll overly rely on requiring certifications requirements with only passing relevance to the job at hand. Similarly, they might take a wish list of technical competencies from a hiring manager and translate it into an iron-clad requirements checklist for which every box needs to be ticked to even consider someone for an interview
What companies get out of the process is job descriptions and candidate requirements that are unreasonable and inflexible. These are the types of openings that throw up all sorts of red flags to longtime security pros. And so the rock star candidates keep walking, never throwing their hat in the ring.
On top of all of this, overloaded HR departments typically don’t have many resources to actively recruit and even when they do they don’t have deep ties into the very insular cybersecurity community. Most organizations are passively seeking to fill roles in a specialized job market where candidates don’t always openly market themselves (more on that in a moment.)
Disconcertingly, some of the most systemic problems that are causing today’s cybersecurity staffing crisis come from the very top of the corporate food chain. True, many in the C-suite would tout to regulators and customers that they’ve made the commitment to open up a plethora of new security roles in order to bolster their cyber capabilities. What they don’t say is that they’re not providing the necessary support or logistics to reasonably fill those roles.
Hiring managers frequently don’t offer training, can’t send people to conferences, don’t offer flexible work schedules or dress codes, and can’t budge on salary caps because the C-suite won’t approve those necessary enticements. What’s more, neither will the top brass approve outside recruiting support as a matter of course. In many instances I run across organizations where a position must remain open a minimum of six months before they even allow an outside agency to help fill it.
Recruiters and Staffing Agencies
Even when companies do turn to technical recruiters and staffing agencies, many a pitfall lies ahead. Too many organizations rely on general purpose technical recruiters with very little expertise in the cybersecurity market. As a result, even though they’re more aggressive about going out to find potential candidates they still have a difficult time effectively matching the right skilled candidates to the appropriate role. These generalists often run a volume game, and will do anything to bring in anybody that breathes to consider an interview in order to make their numbers—sometimes to the point of outright dishonesty to job candidates. What’s more, these generalists are usually still armed with poorly written job descriptions that are still based on free text writing and keywords, never really controlled with the taxonomy or structured language that breaks down specific cybersecurity professional tasks or projects and matches them to candidates with those experiences. And so there’s lots of room for misinterpretation during the recruitment process.
The final difficulty is not necessarily the fault of job seekers, but just a byproduct of the cybersecurity profession. It’s the fact that by necessity and experience, security people are skeptical about sharing information about themselves that can be used against them by cybercriminals. As a result, there’s only a small percentage of security pros that are on LinkedIn and many of them are leery of putting themselves out there for passive job searching. Thus, when they’re let go due to an unexpected layoff or merger or some other event like that they’re left flat-footed—even though there are plenty of companies that would love to have their expertise to fill an open role.
All of these factors contribute to a broken security job market. Organizations are not able to effectively match up with the talent they need. Skilled security job seekers have no visibility into the opportunities afforded to them. And teams are left outgunned and overworked as a result.
There’s no magic wand that will fix all of these dysfunctional dynamics, but my team at CyberSN has been working hard to help bridge some of the gaps that currently exist. In particular, we’re working on rolling out the structured platform we use internally to match recruits to job openings. Both passive and active job seekers will be able to anonymously create and update profiles using a standardized taxonomy of skills and experiences that hiring companies can use to match candidates to their jobs. If you are curious about how we are solving the cybersecurity hiring crisis, check out KnowMore at www.CyberSN.com on August 7, 2019 or visit us at Black Hat 2019 where the CyberSN team will be demonstrating KnowMore from our booth in Oceanside, CZ 310. For more information on Black Hat, visit https://www.blackhat.com/us-19/.. KnowMore is drastically altering the way cybersecurity professionals and employers find each other.