3 steps to smarter cybersecurity hiring and team building

A global cybersecurity skills shortage continues to plague the industry. An estimated three million-plus cybersecurity roles are unfilled across the globe. That gap is unlikely to shrink without intervention from hiring companies and CISOs. Organizations and security leaders must therefore adopt smarter approaches to hiring and team building.

That’s a notion put forward in a new report from the non-profit International Information System Security Certification Consortium, or (ISC)². The 2021 Cybersecurity Career Pursuers Study details actionable steps for the staffing up of balanced and diverse cybersecurity teams, based on insight from more than 2000 individuals working in and pursuing a career in cyber across the US and Canada.

“The reality facing organizations today is that there are simply not enough skilled cybersecurity professionals to adequately defend their critical assets,” the study read. “Consequently, more organizations need to shift their mindset when it comes to recruiting for cybersecurity roles.” To that end, the report sets out a 10-point plan for smarter cybersecurity team building, outlining the key factors businesses should consider.

Meanwhile, the Northern Ireland Department for Economy has announced a new project in partnership with cyber skills training provider Immersive Labs providing free access to an enterprise-grade cyber skills development platform for 16- to 25-year-olds who might not otherwise have been able to afford specialist training or education. The aim is to inject necessary skills into previously under-represented groups to prepare them for job opportunities in cybersecurity and help organizations in Northern Ireland hire more effectively.

“Development programs such as these afford young people from an array of backgrounds the opportunity to step onto the cyber career ladder, which will ultimately bolster the hiring pipeline, close the chronic skills gap and brighten the future of cybersecurity,” James Hadley, CEO and founder of Immersive Labs, tells CSO.

Clearly, actions are being taken within and beyond the global cybersecurity industry to help address the skills issue by aiding smarter approaches to hiring and team building, but what defines a smarter recruitment and team retainment strategy for organizations, and what impact can it really have on businesses and the wider sector?

1. Eliminate requirements for cybersecurity degrees and qualifications

Kunjal Tanna, director of cybersecurity recruitment company LT Harper, advocates eliminating requirements for cyber-related degrees, qualifications, and even previous experience within the hiring and team building process. This is something that has held the sector back for too long, she believes.

“By the time someone enters the workforce, what they have learned in their degree is out of date, so you will still have to invest time and effort into bringing them up to speed on what’s relevant now,” Tanna says. “Besides, a requirement to have a degree or qualification may exclude people who are more than capable and skilled to perform the duties required in your role but didn’t select a path of further education, potentially because of the cost involved or because they are neurodivergent and didn’t perform well enough in the traditional school system to be admitted to university.”

In the same regard, Tanna also warns against an overfocus on purely cyber-related skills in the hiring process, noting the high demand for most skills especially with cloud security and security engineering. “Typically, candidates with those skills could be interviewing with three or four companies and it will often be the same candidate who will secure all offers. As a hiring manager, at best that gives you a one-in-three chance of being the employer they choose,” she says.

In the best-case scenario, you’ll likely end up with a second-choice candidate. In the worst case, you’ll miss out altogether and will have spent weeks interviewing only to have to start the process again, Tanna says. “Not only can this be costly in terms of time spent interviewing but it can be incredibly frustrating.”

“Hiring should be based first and foremost on ability and the right mindset,” adds Hadley. “Hiring managers should be looking at how candidates approach complex problems and their methodologies for learning and developing their skills, not at the most polished CVs. At its core, this is an approach that attackers have long been taking, and we need to embrace the same mentality if we hope to defend our organizations from them.”

Clar Rosso, CEO of (ISC)², concurs: “Many organizations do place too much emphasis on having one or two cybersecurity ‘all-stars’ rather than distributing responsibility across the wider team. Not only is the all-star approach unsustainable at a time when we need to grow the talent base, it increases risk as too much policy and process is reliant on the few rather than the many. If we keep focusing on only hiring from a small pool of highly skilled and experienced professionals, it will exacerbate the skills shortage, rather than address it.”

If you do decide that a degree or qualification is a prerequisite for a new hire, look at those of a non-technical nature, suggests Tanna. “For example, you may be looking for someone with good skills in pattern recognition for some cyber roles. That’s basically what you learn in modern language grammar courses and these skills are absolutely transferable, so it pays to look in different places to your competitors.”

Don’t be afraid to hire career changers, Tanna advises. “One of the biggest challenges employers face when hiring entry-level candidates (in and out of cyber) is that new employees lack commercial acumen. Career changers will have worked in a business before and will most likely have a better understanding of where the role of the cyber team fits into the bigger picture and the importance of good cyber hygiene in an organization and could be at least as credible in front of a client than a graduate in cybersecurity.”

2. Adopt a long-term view to security team training and development

Smarter cybersecurity hiring and team building is about taking a long-term view, says Rosso. “Any hiring strategy should be focused on how individuals can be developed and invested in over time, not on the immediacy of their capabilities and contribution, which is commonplace with most hiring approaches.”

Tanna agrees, arguing that this is particularly important when hirers look beyond cyber-related qualifications and experience. “Leaders who take this approach need to invest time and money in the training and development of the people they bring into the team,” she says. “It would be unrealistic to hire someone who requires skills development and expect them to deliver the same results as someone who has done this type of work before.”

In return, organizations are less likely to lose these hires to competitors when they come knocking with the promise of more money because the employee will have benefited from investment in their skills development and will feel a sense of loyalty to the hiring manager who has given them an opportunity to upskill themselves, thus leaving them feeling valued, Tanna says. “Professional development ranks among the highest reasons for why people stay with a company, so hiring someone who has a longer career runway ahead of them could really pay off in terms of keeping skills within your team.”

Furthermore, adds Hadley, the skills required for security professionals change, and so training must be regularly updated to stay relevant to the contemporary threat landscape, which is growing in pace almost as fast as it is in scale. “For this reason, skills need to be kept fresh so they aren’t outpaced by attackers and the fluid nature of risk. This means continually iterating people’s capabilities, allowing them to stay relevant as attackers evolve.”

A final important element of a long-term approach to building a cybersecurity team is to acknowledge the opportunity to bring in talent already inside the wider business, says Rosso. “Again, this comes down to looking for the right aptitude and transferrable skills rather than only focusing on pre-existing experience and qualifications.

3. Create inclusive, diverse cybersecurity teams

A key goal of smarter cybersecurity hiring is to create a culture of diversity within security teams. Diversity of thought, opinion and experience can prove invaluable in dealing with the complex, varied nature of modern cyberthreats.

“It’s no secret that diverse teams outperform homogenous ones,” Tanna says. “If you have a team full of people who think the same, there’s a good chance that you may miss how an attacker is thinking. Conversely, if you have a team full of people who have a variety of work and life experiences, chances are you will stay one step ahead of even the most sophisticated attacks because of the variety of ways in which your team will get into the mind of how an attacker might behave to pre-empt attacks.”

However, cultivating diversity requires more than just making entry to and development within security roles more accessible and appealing. There needs to be a clear philosophy of inclusion, too. “It’s all very well hiring people from a variety of backgrounds, but you will need to have an infrastructure in place which will allow these employees to thrive,” Tanna says. “People perform at their best when they have the freedom to deliver high quality work in an environment where they are judged purely on the merit of their contributions, not on what their background is. As a leader, work to build an environment where collaboration is encouraged, ideas are flowing and where good quality work is recognised, and individuals and teams are praised publicly and frequently.”

The cybersecurity skills shortage is stark, but it simply isn’t going to close itself. As Hadley states: “The traditional approach to hiring and equipping individuals with the cybersecurity skills they need is broken.” Therefore, it is more than high time that businesses drop the conventional requirements of cyber qualifications or years of experience in the sector for more forward-thinking and ultimately efficient hiring and team development methods. Doing so will not only help to address the workforce issue, but also serve to make the cybersecurity industry itself more accessible and attractive to newcomers with diverse skills and qualities, thus helping organizations become more secure through a multiplicity of problem-solving qualities within security teams.