The shortage of experienced cyber security professionals is a key risk factor that impacts organizations of all sizes and all industries. It is estimated that by 2021, there will be a global need for between 3.5 and 4 million cyber security professionals (ISC^2). Currently, it is reported that in the United States, there are more than 500,000 open cyber security roles (cyberseek.org). The talent gap centers on the specialized technical skills that comprise the core functions of most corporate information security programs. The positions include, but are not limited to, security architecture, security engineering, product security, security operations, vulnerability management, and threat hunting. The ability of a Chief Information Security Officer (CISO) to attract and retain these technical security specialists is a core factor in determining the success of their cyber security program and their viability as an effective leader.
The CISO is Ultimately Responsible
The responsibility for the hiring and retention of cyber security talent lies with the Chief Information Security Officer (CISO). The CISO needs to develop an organizational culture where recruiting is important at all levels of their team. A CISO has the ability to both design program-wide standards as well as baselines for the assessment and evaluation of new talent that can be universally applied to all cyber security roles. These standards may be tangible or intangible. Tangible baselines may include technical ability, experiences, or education. Intangible standards may include communication skills, the ability to get along with others, or personality traits. In addition, the CISO and their leadership team can create certain interview protocols and processes that will ensure that anyone interviewing for a position within their organization is handled in a way that provides for a positive candidate experience. This can include things like candidate communication, response time, and sharing of feedback. The creation and implementation of standards sends an organizational signal that recruiting is important and that results will be measured. Ultimately, participation in the hiring process should be incorporated in performance reviews and be given strong consideration when determining promotions and incentive compensation.
Job Descriptions and Resumes
A large majority of cyber security positions go unfilled because of poor alignment between the posted job description and the way that the cyber security professional represents themselves on their resume. CISO’s and hiring managers need to remember that they are attempting to hire the best cyber security professionals for their positions and their teams, not the best resume writers. At the same time, a majority of cyber security job descriptions are extremely plain and come across as “laundry lists” of requirements and do not provide any true impetus for cyber security professionals to have any interest in applying for them.
The CISO should encourage their team to think of job descriptions as their “Marketing Document.” Ideally the job description should enable the hiring manager to provide both context and insight on the benefits of the opportunity and the information security program. The hiring manager should attempt to understand the point of view of the applicant and the types of things that would be appealing to them as part of the role. These can include exposure to new technologies, the importance of security to the core business, the capabilities of the existing team, work-life balance, and career path. By incorporating these elements of the role into the actual job description, it will pique the interest of cyber security professionals who may find these things lacking in their current position. Once they demonstrate interest, you now have the opportunity to evaluate if they would be good matches.
Work Closely with Your HR and Talent Acquisition Team
The most successful cyber security recruitment processes rely on strong teamwork. The three elements of a winning team include an engaged hiring manager, a qualified pool of cyber security candidates, and a competent recruitment function.
Considering that cyber security is such a unique skill set, it is essential that the CISO and the cyber security hiring managers take some time to help educate their internal team on the specific skills for which they are searching. In addition, it is also helpful to share specific companies that have people with these skills and cyber security professional organizations to which these people belong. Providing the internal recruitment team with this knowledge should enable them to better assess and screen talent, which ultimately will maximize the CISO’s and hiring team’s time and reduce frustration.
If internal recruitment does not succeed, they are the ones that will best understand the company’s policies for the engagement of external recruitment firms. CISO’s should work with the internal recruitment team to refer them in the direction of Cyber Security recruitment specialists who are known for their success in the recruitment of cyber security talent. Generalist technology search firms more than likely do not have the industry reach, cyber security relationships, or the cyber security subject matter knowledge to be effective.
Run An Interview Process As If You Were The Applicant
If the job description is the marketing document, the interview process becomes your sales tool. This is your opportunity to demonstrate to your cyber security applicant what it is like to work as part of your cyber security function. It is important that the candidate walks away from the interview process with an accurate understanding of the office environment, the team culture, and the capabilities of the team that they will be joining.
The CISO’s involvement in the interview process provides an indication of the importance of talent. It also provides a strong indication of the organization’s commitment to the cyber security function and visibility that all team members will have to senior leadership. In addition, the CISO and the hiring managers should clearly define the roles of the interviewers and what skills each person will be assessed during the process.
It is best to put the candidate through some generic real-world scenarios that will determine how they solve problems and think on their feet. The chosen scenario should be a problem that the candidate is comfortable in solving. By placing a cyber security professional in this type of environment, in front of a small panel of team members, they will receive an accurate impression on how problems are solved and how the team interacts. This will give the panel the opportunity to see the candidate “in action” and should provide a sense of how they communicate and accept feedback.
When the interview is concluded, it is essential that the candidate receive feedback quickly. Best practices would be within two days. Once the feedback is communicated, the candidate should either receive an offer or rejection within a short period of time. The longer decisions are delayed the less chance that the candidate will remain interested in the position, so this is imperative.
Retention is the Best Form of Recruitment
CISO’s can never take for granted that their team members will continue to work for them. Hiring is just one part of the equation; retaining your talent is the most important. High organizational turnover can make future recruiting difficult as cyber security professionals are skeptical by nature, and a revolving door of security talent can indicate that the work environment is not conducive to success.
It is important for CISO’s to remember that their team members have choices, and their best team members have more choices. Once they are hired and are performing, they need to be continually “recruited” in order for them to be retained.
Continuous recruitment begins with transparent communication about elements of work that are important to your team members. This can include providing career development, learning opportunities, and future financial growth. In addition, an increased sensitivity to work-life balance, flexibility, and quality of life are often more significant than increased compensation.
If your team feels good about how they are treated, the work that they are doing, and what their future holds as part of the cyber security program, they will become the best recruiting tools that a CISO can possibly have. When they speak with their industry peers at cyber security conferences or on private message boards, they will be advocates. When new positions become available there should be a good supply of applicants, based on the brand that has been created.
The recruitment of cyber security professionals will remain a challenge as long as there is a significant delta between the supply of qualified talent and the demand for these resources. CISO’s and cyber security leaders need to invest the time, energy, and resources to create and implement good processes for the hiring and retention of cyber security talent. Successfully doing so will better position them to protect their organizations and excel in their careers