A few years ago, I was an IT director on the hunt for new IT talent. I went the traditional route, posting jobs, reviewing resumes and holding interviews. One day, I crossed paths with someone who specialized in installing cable modems for large commercial organizations. We got to talking, and I realized he was a prolific problem-solver who would not stop until he found a solution. He also possessed an insatiable desire to learn. That was what I wanted on my team. On paper, he did not seem like the obvious fit for my team, but through hands-on training, he developed the skills he needed. These skills, combined with his drive for problem-solving, made him an exceptional hire, and he is still an asset to the profession to this day.
Traditional job postings and hiring methods may be hindering your search for cybertalent. The average job description is often cloned from past postings, has rigid education and certification requirements, and has a set required number for years of experience. Although this approach may work for some business units, it tends to shut out cybertalent for a few reasons. Disrupting the standard hiring process can bring in new, exceptional talent that may have been previously overlooked.
Do Not Look for Purple Unicorns
When writing a new job posting, it is easy to start dreaming of a superhuman security professional who will solve all your problems. As you look through past job postings, you start picking all the best responsibilities and requirements until you feel like every gap on your team is being addressed in the posting. The problem is that this ideal superhuman security professional is like a purple unicorn, it does not exist, and experienced candidates will see your post for what it is: a laundry list of issues they will be expected to tackle with little support. Writing reasonable job descriptions that focus on a specific role will help bring in skilled hires. Setting clear, achievable expectations will result in happier employees and ultimately a more successful team. And do not neglect addressing personality elements as they can help attract the right fit for the team.
Be Flexible With Years-of-Experience Requirements
Years of experience is probably the most standard requirement on a job posting. It typically indicates the professional level desired (e.g., five years of experience for a manager-level position). But this requirement does not always work the same way in cybersecurity. Cybersecurity professionals often transition from other career paths, such as IT or even business roles. Many have not spent five years focused solely on cybersecurity. However, a good conversation about their job experience may reveal that while they were in IT, they helped remediate security issues within critical systems, which spurred their journey into cybersecurity. Asking the right questions about experience will give you far more insight than a basic number will.
Do Not Rely Solely on Certifications and Degrees
Although cybersecurity degrees are growing in popularity, this is a recent development. In lieu of degrees, many security professionals have turned to certifications to qualify their cybersecurity expertise. Although degrees and certifications are good indicators of knowledge, they do not always demonstrate ability or soft skills such as problem-solving, creativity and leadership. Setting certification requirements on job descriptions may discourage some candidates who have the right skills but lack the funds or experience for a certification to apply. Issuing skills assessments during the hiring process can provide a clearer picture of a candidate’s capabilities and give you a better sense of how they solve problems.
Do Not Pull a Bait and Switch
You have created a realistic job description that focused more on experience and skills than a set number of years or mandatory certifications, and it led you to find the right fit for your team. However, the work is not done. Retaining cybertalent is just as hard as finding it. Many security teams have such a great need for talent that when a new team member joins, they are pulled in different directions with more responsibilities than they signed up for. This can drive security professionals to quickly leave your team. Setting achievable goals and creating a clear career path for your team members will help you retain the cybertalent you hire.
Cybertalent comes in many different forms. It is not defined by rigid requirements or a magic number of years in the industry. It is founded on skills, problem-solving, creativity, passion and drive. Prioritizing these qualities in your candidates will help you build a team that can work well together, is up for the toughest challenges and is excited to grow with your organization. Programs like cyberworkforce development can help you mold the cyberskills you need to protect your organization.
Editor’s note: For further insights on this topic, read Philip Casesa’s recent Journal article, “A Window of Opportunity: Ending the Cyberworkforce Shortage Once and for All,” ISACA Journal, volume 1, 2021.
Don't forget—Members can earn free CPE from ISACA Journal quizzes!