One of the earliest mentions of the cybersecurity talent shortage was in January 2011, when ESG analyst Jon Oltsik asked, “Will there be a shortage of cybersecurity professionals in 2011?” 11 years later, leaders in the industry are still talking about the very same topic. Organizations have had a decade to address and overcome this growing problem, yet the talent shortage is far worse today than ever. In fact, data from CyberSeek shows that there are nearly 715,000 cybersecurity job openings in the U.S. right now.
Where is the cybersecurity industry going wrong? This is a loaded question, as there are a number of things that the industry needs to fix to overcome the cybersecurity talent shortage. Let’s focus on the broken employment process—because this is where all the problems start.
The misalignment between a job role and its requirements
The harsh reality today is that human resources (HR) teams, cybersecurity hiring managers and even chief information security officers (CISOs) are out of touch with the modern requirements of the cybersecurity profession.
The hiring process within many companies goes something like this: The CISO mandates that the security hiring manager fill open entry-level positions and relies on said hiring manager to get the job done with little oversight. To start the hiring process, the HR team tells the hiring manager to come up with a list of job responsibilities and requirements, so they can find and recruit qualified professionals to interview. And, all too often, the hiring manager has unrealistic expectations, wanting a “unicorn” to fill their team’s needs. Without any pushback, the HR team compares the job description provided by the hiring manager with the corporate structure and pay scale, and, before you know it, the entry-level position mandates qualifications typically possessed by senior security professionals: for example, a four-year degree, three to five years of industry experience and security certifications, such as a CISSP.
Organizations won’t find entry-level candidates with three to five years of experience. Many might not even hold a college degree or security certification. And, on the flip side, no experienced security professional is going to apply for an entry-level position. Given this juxtaposition, a major misalignment emerges between the entry-level job role and the candidates qualified to apply for it — so it’s no wonder organizations can’t fill these open positions.
Fixing the cybersecurity hiring process
To bridge this divide, hiring managers need to stop trying to hire themselves; HR teams need to stop trying to fit legacy hiring restrictions (e.g., degrees, certifications and years of experience) on modern cybersecurity roles; and CISOs need to be more involved from the start. Here are a few specific ways companies can improve the cybersecurity hiring process.
1. Ditch the degree requirements.
To be honest, cybersecurity positions short of a director role do not require a four-year college degree. If an individual has drive, aptitude and a willingness to learn, they can be trained to be successful in the cybersecurity industry. Once a company slaps a degree requirement on a job posting, it eliminates the vast majority of candidates, many of whom are entirely qualified to fill an entry-level position.
2. Get educated on the EdTech market.
When hiring managers include certifications from specific organizations in the required qualifications for a cybersecurity role, they could be excluding qualified applicants who have certifications from other organizations. The EdTech market has exploded recently, and there are now myriad companies that provide anyone with an interest in cybersecurity with options to get the knowledge and training they need to enter the field. Hiring managers and HR teams need to recognize that certifications may come from around the industry and write their job descriptions to include many sources of qualified talent.
3. Give up the rigidity around experience.
Similar to modern cybersecurity education and training, there are now new ways for individuals to gain security experience. A number of online lab platforms offer virtual environments in which current and prospective cybersecurity professionals can practice penetration testing, and it can all be done at home, on the keyboard. Hiring managers and HR teams need to understand that hands-on experience gained through these online training platforms is just as valuable as traditional classroom-based training.
4. Collaborate across the board.
Hiring managers and HR teams need to be on the same page when it comes to drafting job descriptions and associated qualifications; otherwise, the disconnect simply shifts from the mismatch between job responsibilities and requirements to a mismatch between these two parties. Additionally, CISOs need to be more involved in the hiring process from the beginning, working with hiring managers and HR teams to keep a pulse on how cybersecurity roles are changing, how qualifications are evolving right alongside them, and what this means for filling vacant positions within their company.
There are so many things the cybersecurity industry needs to do to overcome the ongoing talent shortage, but it all starts with the employment process. It’s time organizations started looking beyond resumes and qualifications and accepting people who lack the traditional path into cybersecurity. The good news is that the above best practices are all things companies can implement today to make an immediate difference. If the cybersecurity industry can collectively move in this direction, hopefully, very soon, that sky-high number of open cybersecurity positions will drastically decrease.