By Rene Kolga, Head of Product, Nyotron.
It’s no secret that enterprises struggle to find the skilled personnel they need to properly secure their IT systems and protect sensitive information like intellectual property, personally identifiable information (PII) and protected health information (PHI). The cybersecurity industry needs to understand that this talent shortage is, to some extent, self-inflicted. Whatever the causes, we as an industry need to figure out a solution before it comes back to haunt us more than it already has.
One cause is the fact that companies want to hire candidates with the “perfect” mix of experience and skills in the industry. However, in a field that is still evolving and growing exponentially, this has become virtually impossible.
That’s not to say the challenge is the same across the entire industry or even across different locations. In some regions such as Silicon Valley, the pool of candidates is obviously larger, so it may be easier to put up an ad for a security analyst role and have it filled with a quality applicant in no time. However, the same thing isn’t likely to happen if you’re trying to fill a similar role in Montana, for example.
So, how do we force the industry to evolve, as so many other fields have transformed in the past? The first step, as with most programs, is acceptance. The industry needs to accept that there is a hiring problem.
Here are some strategies that organizations should consider when grappling with the cybersecurity skills gap:
Strong Leadership and Sense of Purpose
There are probably a million different overused expressions when it comes to leadership, including “Lead by example” and “A leader is nothing without his or her team.” However, there’s one good one that perfectly encapsulates the reality of the situation: “Employees don’t leave a job; they leave a manager.”
Next to money, culture is probably the top factor most people value when looking for a new job. This culture directly stems from the leaders in charge. If managers aren’t providing acceptable vision and motivation or treating their employees with respect, they’re going to have high turnover rates.
Beyond the basic idea of “treating others as you would like to be treated,” the cybersecurity industry should consider itself part of the same category as police officers or doctors. That might sound strange, but when you think about it, what do all three have in common? The idea of wanting to do good in the world. Employers should provide a clear and transparent mission statement about the company’s purpose and articulate how security personnel leads the charge in protecting the organization and its employees and customers, making the world a safer place.
Finally, employees want to know that they’re valued and that their bosses are willing to invest in them. Paying for employees to go back to school, attend credited webinars, or speak at cybersecurity conferences (like a local BSides event) is a great way to demonstrate that the company wants its workforce to grow their skills.
Pay Up and Recruit Better
One of the biggest factors in the job search process is compensation. Of course, this isn’t college sports; there isn’t a debate about whether or not security personnel should be paid. However, there is significant confusion and disagreement on how much to pay infosec employees. But make no mistake: underpaid employees won’t last long. The reality is that we live in a world where the concept of supply and demand reigns supreme. With so many unfilled jobs, companies need to bump up the pay for these roles in order to fill them. On the bright side, higher salaries will incentivize students to switch their focus from engineering or computer science to cybersecurity, leading to more potential applicants.
The recruiting problem isn’t limited to the cybersecurity industry, but it’s one we see time and time again. A company will post an overly specific job advertisement that limits the potential talent pool. Sure, if you find a hire this way, you’ll probably get exactly what you wanted. But it prolongs the process and wastes your time. Instead, open up the pool. Write up an ad that identifies your minimum requirements and start the interview process.
Also, headhunting is becoming antiquated. Many companies offer an internal employee referral program, compensating workers for each successful hire they recommend. Even if this compensation is $10,000, an outside recruiter is likely to charge you double or triple that. By sticking to an internal referral program, you’re getting recommendations from people you trust to know what your skill requirements are.
Until recently, cybersecurity was not an accredited major at many universities. Think about the percentage of engineers or computer science majors in the workforce that did not have the option to study cybersecurity in school. It’s much easier to train those that have relevant industry experience than it is to train a recent graduate with a cybersecurity degree. Heck, it’s even possible to train employees in roles you wouldn’t necessarily associate with cybersecurity. Think of the natural transition from Customer Support to level one security analyst. They’re still taking support calls and guiding customers through solutions, only this time with a dash of cyber added in. Similarly, your IT administrator has a lot of the necessary, hands-on knowledge that you so desperately need on the security team, combined with an in-depth understanding of your environment. Perfect background for a threat hunter or an analyst.
By implementing a culture where you upskill internally, you might find the talent you didn’t even know you had. The right resources might be just one week-long bootcamp away. Overall, internal upskilling probably offers the fastest path to closing your security team’s human resources gap.
Other, Longer Term Solutions
- Start ‘Em Young: Once you’ve thrown the incentive of a great salary on the table, you’ll have plenty of younger applicants willing to make the leap into cybersecurity. Enterprises need to capitalize on this and hold job fairs at universities to ensure they’ll have a steady stream of young talent applying.
- Diversity: Don’t just focus on hiring security majors, and make sure your security staff doesn’t look like clones. Consider hiring veterans that have plenty of experience working through a crisis, or communications majors who can help security staff work with the internal PR team or media when needed.
- Get Involved in the Community: The cybersecurity community is a close-knit one. Employees that attend extra classes or industry events have a better chance of improving their skills by sharing war stories and learning tips they never would’ve thought of than those who treat the job like a 9 to 5. If you have sufficient internal resources, consider hosting a security MeetUp.
While these solutions aren’t going to have the most immediate impact on your organization, in the long run they’ll help foster a more positive and efficient environment that your employees will want to work in.
Solving the Problem
These are just a few strategies that enterprises should consider when hiring security staff. Obviously, every organization is different and one solution does not fit all. The tactics used should be determined by the immediate needs and available resources of the department. However, implementing even one of these strategies is a step in the right direction for the industry.
About the Author
Rene Kolga, CISSP, serves as Nyotron’s VP of Product Strategy and Head of Product Management. Prior to working at Nyotron, Rene was Head of Product at ThinAir. Rene also spent eight years at Symantec where he managed multiple enterprise security product lines in the areas of encryption and endpoint security. Additionally, Rene led dozens of endpoint management, backup and business intelligence product teams at SolarCity, Citrix and Altiris. Earlier in his career, Rene ran Customer Support and QA teams. Rene earned his Computer Science degree from Tallinn University of Technology. He also received an MBA from the University of Utah.