Professionals in the cybersecurity space are well aware of the skills gap, which has already left 4 million global jobs unfilled and promises to grow worse. CISOs continue to feel the negative impact of this across their teams as cyber threats become increasingly sophisticated and the COVID-19 pandemic exacerbates existing security concerns and brings new ones with it.
Research from the first half of 2020 highlights a number of threat trends, including the exploitation of the global pandemic at a massive scale in cyber attacks, an increase in web-based malware, and the exploitation of consumer-grade routers and IoT devices, that further emphasize the need for CISOs to find and retain skilled talent to help protect their organizations.
Closing this skills gap is becoming increasingly challenging for organizations across industries. Intense competition means many companies are priced out of hiring experienced talent because candidates can often find a role with a higher salary elsewhere. Moreover, because the security space, and the responsibilities of those working within it, are changing so rapidly, it is becoming increasingly difficult for CISOs and hiring managers to articulate exactly what they need in a candidate.
To close that workforce gap within their organization, CISOs need to amend their strategies for finding, interviewing, and onboarding talent. Doing so will enable them to fill gaps on their team faster, while addressing the essential and evolving skillsets required for managing today’s complex, distributed networks.
Cybersecurity Recruitment Changes and Challenges
Determining the qualifications essential for a security candidate and assigning responsibilities across the team was once a fairly standard practice. Security was often integrated with broader IT functions, requiring familiarity with a few key systems and practices and a rather static network environment. However, this has all changed due to digital innovations and increased regulations from various compliance bodies.
The global shift towards digital transformation means that multi-cloud platforms, SaaS and other business-critical applications, IoT and mobile devices, and more have now become essential across every department in the business. Data is being stored in more locations, creating opportunities for data leakage or improper use. And at the same time, regulatory bodies have begun imposing strict rules on how data can be used and stored, such as PCI, the EU’s GDPR, and the California Consumer Privacy Act (CCPA), among others. Further, the recent COVID-19 pandemic caused organizations to suddenly and unexpectedly shift most, if not all, of their employees to remote work—something many companies found themselves unprepared to do. In fact, 60% of organizations say they experienced an increase in breach attempts during their shift to telework, amplifying the urgent need for skilled cybersecurity talent.
Together, these trends call for specialized security roles that can support digital transformation efforts while ensuring that security and compliance requirements are being met. Roles such as cybersecurity architect, cybersecurity analyst, and security engineer are essential for modern organizations and require specialized skillsets. And the candidates that fill these roles are also collaborating more than ever with different departments and divisions, calling for an expanded set of soft skills such as leadership and communication. Also, the evolving networking needs of digital transformation call for additional technical skills, such as adding prevention to detection and remediation capabilities, establishing Secure DevOps, and the ability to manage a variety of point products. This broader range of skills must also be accounted for in recruiting practices.
Best Practices when Hiring for a Cybersecurity Role
To ensure the candidates being considered to fill these positions are prepared with the essential skillsets, CISOs must be strategic and specific during the recruiting, hiring, and onboarding process. Below are some factors to consider.
- Job Descriptions: Candidates generally spend less than 60 seconds reviewing job descriptions to see if they are a match. And in such a competitive market, that means that CISOs need to ensure that the job descriptions they distribute not only clearly and succinctly state the skills needed, but also sell the opportunity. The goal is to get the right candidates interested in working at your organization specifically. A side benefit of clearly defining the roles of prospective workers is that the job description also helps team members internally organize which responsibilities will fall to the new hire. And finally, given the highly competitive nature of hiring experienced and skilled cybersecurity professionals, if the salary is a gating factor due to budget constraints, be prepared to offer options that appeal to today’s candidates, such as flex time, leadership opportunities, paid training, etc.
- Posting Strategies: While you want your listing to be posted on as many channels as possible, it is important that you are posting to job boards that attract professionals with a security background. Don’t ignore general job sites, but make it a point to find and post on niche sites as well, such as Dice. Beyond job boards, leverage your network to spread awareness of the opening through word of mouth, social media, and other tactics.
- Screening: Despite the skills gap, you will likely receive a good number of applications for your job posting. Of course, recruiters should evaluate candidates based on past responsibilities, relevant certifications, and presentation style, to understand if they are a fit. But don’t discount the value of soft skills. Look for candidates with experience in areas such as negotiation, leadership, team building, and creating consensus as well as more traditional security skillsets.
- Think Outside the Box: Diversity – both in educational and professional backgrounds, as well as in more traditional areas such as gender, race, and sexual orientation – can bring new value to the team, with new ways of looking at and solving problems, and should be a top priority during the screening process. Fortinet CISO Phil Quade, when discussing his years as a cybersecurity leader at the NSA, remarked, “One of the most effective cybersecurity analysts I’ve worked with wasn’t a mathematician, computer scientist, or data scientist. He was educated in anthropology – the scientific study of humans, human behavior, and societies. His diverse perspective added unique insights that were key pieces of the overall puzzle on high-end threat actors.”
- Interviewing: This is a chance for the candidate to learn about the role, in addition to the organization learning about the candidate. To ensure CISOs get the information needed and provide a positive interviewing experience, prepare different questions for each round of interviews, with the goal of moving from a shortlist of 6-10 candidates to three finalists. The questions should be geared not only toward ascertaining how candidates will use their role to advance the organization, but also toward uncovering the unique skills and abilities each candidate brings to the table.
- Vetting: After interviewing your three finalists, it is important that you select and make an offer to the right candidate. This is as much about ensuring the candidate fits the culture of the organization as it is about their specific skillsets. CISOs should work with the hiring manager and HR team to evaluate each candidate on how they meet the needs of the organization. Once you have decided on a winning candidate, contact their references to verify skills and experience.
- Engaging: Well-executed onboarding programs impact efficiency, productivity, and retention. Most organizations have an onboarding process that includes amenities and benefits, IT tools, and procedures, along with getting to know the organization. But CISOs should ensure programs are also in place specific to the cybersecurity team and its responsibilities.
- Training: A large part of retention and closing the skills gap will occur by making sure these new hires have access to training and hands-on learning experiences to continue to increase their skillset in the security realm. This is especially true for lower-level security employees who can be trained to take on more responsibility in the company as they progress. Regular training in the latest tools, intelligence, and strategies, combined with a thoughtful and planned mentoring program, will ensure your organization stays a step ahead of cyber criminals and enable a focus on prevention, as well as detection and remediation.
Closing the Skills Gap
Between digital transformation, compliance regulations, the recent pandemic, and heavy competition in the space, finding the correct fit for the security team can be a challenge for CISOs looking to close the skills gap at their organization. Keeping these best practices in mind when hiring can assist in minimizing the effects of these challenges, while getting the talent needed to build a strong cybersecurity posture at your organization.
Find out more about Fortinet’s NSE Training Institute programs, including the Certification Program, Security Academy Program and Veterans Program, which provide critical cybersecurity training and education to help solve the cyber skills gap and prepare the cybersecurity workforce of tomorrow.