CISOs must change the ways they recruit, train, and retain cybersecurity professionals, according to Forrester.
Much has been made of the cybersecurity talent shortage in recent years, as vendors, conferences, and published reports describe it as a major challenge to fighting hackers and fulfilling the CISO’s agenda. However, the shortage is actually self-inflicted, and can be remedied once problems of bias, expectation, compensation, and commitment are addressed, according to Forrester Research’s recent Reverse Cybersecurity’s Self-Inflicted Staffing Shortage report.
The cybersecurity shortage is due in part to the following issues, according to the report:
Compensation: Security compensation remains linked to IT compensation and budgets, though there is far less demand for IT professionals generally than for cybersecurity employees.
Experience levels: Companies are seeking overly-qualified candidates but still paying low salaries for that experience.
Depending on the current candidate pool: Many current longtime cybersecurity professionals ended up in the field somewhat accidentally from other careers. However, CISOs can’t rely on this pool only to draw cyber talent from.
Failing to actively recruit candidates: Most security leaders reported to Forrester analysts that they felt they needed to assess 15-25 potential candidates to fill a single entry-level position, marketing open positions across a number of platforms instead of more targeted networking and marketing.
Using certifications as a filtering mechanism: Relying only on a certification does not determine the true capabilities of a candidate, and limits the pool to those who could afford the time, travel, and expenses necessary to get one.
How to hire a cybersecurity professional
CISOs and hiring managers must cast a wider net to find, develop, and retain cybersecurity workers, according to the report. Here are five tips Forrester analysts offered to change your recruiting and hiring practices:
1. Redefine what signals a good security candidate
When seeking early career candidates for roles that require less experience, job postings should focus on behaviors and characteristics, rather than certifications or experience with certain technologies. Ultimately, you would spend less time training this person than you would seeking a unicorn candidate with every skill you want.
2. Develop unique compensation structures for security pros
Because security talent is in demand, organizations need to compensate based on the market, as well as offer perks like vacation time, learning opportunities, and flexible work arrangements if possible. Underpaying security professionals will cost you in terms of hiring and turnover.
3. Reduce the number of required skills on requisitions
CISOs and hiring managers need to determine the three to five skills a candidate actually needs, and commit to finding candidates with the desire and aptitude to learn others on the job.
4. Broaden the backgrounds considered when recruiting veterans
Many companies pursue cyberoperators from specialized military units; however, this is a pricy and competitive way to find talent, and fails to consider the potential pool of military veterans who may be able to do the job.
5. Establish or take advantage of apprenticeship programs
Apprenticeship programs can be used to identify and develop cybersecurity talent, and organizations should consider starting such programs on their own or via partnerships with post-secondary institutions, career training organizations, or others.
For more, check out How to become a cybersecurity pro: A cheat sheet on TechRepublic.