Hiring security gurus: 3 strategies to find scarce talent

The battle for security talent rages on: Are you looking at too small a pool of candidates?


August 14, 2018

3. Don’t overlook anyone

This is the unmined frontier of security talent. If you’re only considering people who perfectly match your ideal wish list, we hope you have that armored truckload of cash ready.

Everyone we connected with had something to say about this point: If companies want to make a dent in the security skills gap, they need to widen their search parameters.

On the aforementioned topic of training, IT leaders who are willing to offer employees the chance to learn on the job are going to have an advantage.

“With such a high demand and a low supply of cybersecurity professionals, sometimes the best route is to be prepared to teach and train after hiring,” says Shivajee Samdarshi, senior VP of engineering at WhiteHat Security.

Specific examples where a teach-and-train strategy could be a talent boon include:

Entry-level candidates: Halpin, the recruiter, notes that security used to typically be a single topic or track within a broader IT or computer science program in schools and universities. That’s changing, he says, and more educational institutions are creating specialized security tracks. Even if the candidate doesn’t come from a program with a specialized security degree or credential, considering high-potential entry-level candidates will expand your talent pool.

“Research what schools in your area offer a specialized degree and participate with career fairs or network with faculty to keep a pulse on young talent,” Halpin says.

Samdarshi also recommends considering a security-focused internship program in your organization as another means of identifying and building early relationships with promising people.

Internal candidates with minimal security experience: “Chances are that there are people inside your organization that are eager to move into a cybersecurity role and with just the right training, it can happen,” says Roman Garber, development manager at Security Innovation. Garber suggests hosting internal “capture-the-flag” events, or CTFs, and using cyber-range exercises to identify such internal talent.

This is an “easy” one in the sense that it really just requires an open mind, along with the committed investment in skill development.

“Evaluate the skills and interest in your employees and find those who are willing and eager to learn,” WhiteHat’s Samdarshi says. “Give your [broader] IT and QA staff a chance to apply for cybersecurity roles, and then help them train in missing skills.”

Under-represented groups: Samdarshi points to a report conducted by Frost & Sullivan that found women make up just 11 percent of the cybersecurity workforce. Want to fill open desks that are collecting dust? Make sure you’re really considering everyone, and proactively seek out candidates from under-represented groups of people.

“Women make up only 11 percent of the cyber workforce, but they represent a large and talented labor pool for cybersecurity positions,” Samdarshi says. “Professional support, sponsorships, and mentorships can help women thrive in security and risk management positions.”

Career-changers or veteran staff who might feel stuck: Samdarshi also encourages IT leaders to consider mid- and late-career employees from IT backgrounds other than cybersecurity.

“Many seasoned IT professionals have been siloed in their current positions, even though they have highly valuable skill sets that can be applied to cybersecurity work,” Samdarshi says. “This represents a rich source of talent just waiting to be recognized and tapped.”

Whether internal or external, there could be plenty of potential in a veteran IT pro who might not seem like a good fit on paper.

Wilson, the CISO at SAS, notes the limitations of resumes and other material that might obscure high potential. And this is particularly important because security is indeed a field ripe for second (or third) careers.

“Resumes aren’t always a good indicator of how well someone will be suited for a particular job because they aren’t usually a good indicator of the soft skills required when taking on a security or compliance role,” Wilson says. “These roles frequently have applicants who are moving from one focus to another, or to a second career for many veterans.”

Wilson’s advice? Pretty simple: Talk to people.

“You can see how quick someone is on their feet, how they carry themselves, how their thought processes work, and how long it takes them to get to admit they don’t know something,” Wilson says. “A quick 15-minute ice breaker call could be enough to push someone over the hump in their quest to start their new career in security.”

