How to Fix Cybersecurity Recruiting

Since my career began about fifteen years ago, the challenges businesses face in recruiting cybersecurity talent have not changed: how to find the right people, and the realization of just how valuable and rare real cybersecurity skills are. Companies are still struggling to close a cybersecurity skills gap of over three million vacancies, and recruiters are still complaining about the lack of skill and talent.

Some things have changed for the better in the industry, and it’s undoubtedly positive that more and more universities are focusing on cybersecurity and are offering great programs addressing the market needs.

But many businesses continue to ask, “Why do we need to build a cybersecurity team?” Frankly, this question is stuck in the 1990s. Many companies avoided creating a team because it is not directly tied to profitability. For the same reason you have doors, windows and physical security, you need to have a cybersecurity team to protect your most important assets—data, intellectual property, information, intelligence and integrity. How many stories of “billion-dollar company X hacked” or “billion-dollar company Y extorted and paid millions in ransomware attack” do we need to hear before we get the picture? So, the question of “if” is not valid anymore; now it’s “when” and “how”.

How to Fix the Issue

Cybersecurity is a profession where skills matter. Regardless of your certifications or educational background, you must be a skilled and talented professional. And this is where most traditional recruitment strategies fail. Historically, recruiters have screened on formal cybersecurity qualifications. The problem with relying on these measures alone is that certification examinations are often multiple-choice and test theory rather than practice. The industry needs to shift its focus to recognizing skills demonstrated in interactive scenarios, because a modern cybersecurity professional needs a hacking mindset, and that mindset is built through hands-on exercises and realistic penetration testing labs.

Certifications can be a reasonable measure of a candidate’s theoretical knowledge if they are designed well, and organizations like (ISC)² and SANS serve an important role in testing that knowledge. A better approach, though, is to augment multiple-choice certification exams with credentials from hands-on training programs. A candidate’s engagement in a cybersecurity community, where skills are exercised in practice, is a better indicator of their capabilities because it shows an understanding of both theory and practice.

Hands-on skills evaluation shows that applicants not only understand the theory but can apply it to real-life situations in both defensive and offensive roles. Education should be a collaborative endeavor in which businesses benefit from the firsthand experience of practitioners. The threat landscape is constantly evolving, and applicants need to be able to reproduce the techniques that attackers are actually using. Many companies have learned the hard way that certifications are not always the best proof of experience and ability. An organization with insufficient security skills is more susceptible to exploitation, and it suffers more harm from each incident because it cannot contain and mitigate it effectively.

Temper Your Expectations

Another challenge for the industry is unrealistic requirements for certain roles, often written by recruiters with little or no experience in cybersecurity. This leaves a huge number of roles unfilled. A common example is insisting on a CISSP in every cybersecurity job posting. The CISSP requires five years of cumulative paid experience across its security domains (a relevant degree waives one year), and the certification is designed for security management and leadership roles. It is excellent for those roles, but it is unrealistic to expect it for entry-level positions.

The medical industry has this figured out. Nurses are hired with nursing credentials. Surgeons have medical degrees that qualify them for surgery, and physicians specialize further, whether as a surgeon, a dermatologist or a general practitioner. No one expects a nurse to have an MD, and no one expects a surgeon to have a nursing degree. By the same logic, pen testers need pen testing credentials, not management credentials like the CISSP.

One thing certifications are genuinely good for is measuring an employee’s growth. Recruiters began using them as a filter for unqualified candidates, a workaround for not having the domain knowledge needed to screen candidates themselves. This worked for a while, but job seekers eventually found that they could pass the exams and earn the certification without the experience behind it. Today it is hard to tell a candidate who earned a certification out of skill and passion from one who got it because a job posting demanded it.

Cybersecurity Communities

This is where dedicated, focused cybersecurity communities come in. They are places where people can play, train and develop their skills against modern cybersecurity practices. Recruitment teams should use these platforms to their advantage, following the latest training and skills guidance to see which issues are prevalent in the industry. A candidate’s activity there is evidence of recent training, and the community forums themselves are a place to locate the best talent.

Recruiters should use practical methods when locating and approaching new talent. Companies can also use these training environments to build an in-house assessment process, or work with, and trust, the companies that train those professionals.

Because hiring managers often have no experience working in cybersecurity, companies should work hand-in-hand with training platforms, assessment centers and certification bodies to make sure they are assessing the skills the role actually needs. With those partners, they can build assessment labs collaboratively and invite candidates to demonstrate their knowledge there.

The final point to address is timing. To put it simply: if a business waits for an attack to happen before building a cybersecurity team, it is obviously too little, too late.

Companies must work on security hardening, design strong security policies and build a strong security culture. That requires hiring the right people. Everyone is trainable, and companies must invest in their cybersecurity talent base by training them, not once but continuously, because technologies and the threat landscape are constantly evolving. An effective defense requires a cybersecurity team whose skills and knowledge are always up to date.

Nikos Fountas

Nikos Fountas, and the Hack The Box team, are on a mission to help grow cybersecurity skills by improving the adversarial capabilities of both professionals and organizations all over the world. They do so by bringing together a dynamic hacking community to take cybersecurity skills to the next level through captivating, gamified, hands-on training experiences. Nikos is Director of Operations at Hack The Box, where he leads on business operations, people and talent management, customer support and strategic projects. Nikos’ passions include innovation, operational excellence, customer satisfaction and frictionless processes. He has gained serious experience in international sales, account management and strategy during his 15-year career in IT and cybersecurity.