Industry insights

Flip the funnel: Fixing the cybersecurity talent pipeline challenge

Cyber Pop-Up
January 13, 2021 by
Cyber Pop-Up

Organizations of all sizes are dealing with a critical challenge: the demand for cybersecurity talent continues to grossly outpace the supply of available and qualified cyber professionals. An Information Systems Security Association and ESG Research Report disclosed that 70% of respondents feel the cybersecurity skills shortage has impacted their organization either “somewhat” or “significantly.”  This has led to an abundance of unfilled roles, recruitment challenges, costly churn rates and burnout amongst security professionals. 

Should you pay the ransom?

Should you pay the ransom?

Download The Ransomware Paper for real-world ransomware examples, mistakes and lessons learned.

While most agree that the skills gap is a significant challenge, a deeper look at the problem exposes a more fundamental issue. There is a lack of candidates who meet the experience and certification requirements often listed in job descriptions. Some believe that the problem is bolstered by employers in search of elusive “unicorn” candidates who meet seemingly unrealistic job requirements such as advanced certifications and extensive years of hands-on experience. These are rarities in such a strained market. 

Opinions aside, what's missing is actionable guidance to help fill vacant cybersecurity roles. During Infosec Inspire, Karl Sharman, Head of Cyber Solutions & Consultancies at Stott and May, and Megan Sawle, Director of Research & Product Marketing at Infosec, discussed what successful security and IT leaders are doing to improve recruiting, hiring and retention. 

Video 1: Hiring entry-level candidates and the importance of not chasing “unicorn” candidates

Rethink how job descriptions are written and be open-minded about experience requirements

Seventy-six percent of cybersecurity roles take more than eight weeks to fill, according to Karl. In some cases, these positions remain unfilled for over six months, leading to wasted time, costs and prolonged security vulnerability within entities. This is a stark contrast to the increasing unemployment rates plaguing other industries during an ongoing pandemic.

A few companies have discovered a secret to overcoming this challenge: rethinking stringent candidate experience requirements. Fifty-eight percent of companies who successfully fill roles consider inexperienced candidates for open roles. Before writing a job description, it’s important to ask: “What are the three hard skills and soft skills we need in this role?” Focus on those. Everything else is not as relevant at this stage. 

Have a plan for developing less-experienced workers

Companies often want to hire highly experienced cyber professionals to avoid risk. After all, the stakes are high. A simple mistake made by an inexperienced security employee can lead to breaches, financial consequences, brand damage and more. 

While larger companies may be willing to take on this risk, this decision gets even harder for small and medium-sized businesses. No matter the size of the organization, take these steps to set yourself up for success.

  • Work with your HR team to make sure you source the right budding talent, based on your needs.
  • Incorporate skills demonstration projects into the hiring process. Companies seeing hiring success in filling cyber roles were 433% more likely to use projects in the hiring process.
  • Ensure inexperienced hires are prepared to deliver on expectations through training and development programs. Partner with third-party training providers to scale development efforts. 
  • Pair junior team members up with experienced mentors for reciprocal development benefits.
  • Look at the talent you have within your company and consider upskilling internally.
  • Assess employee skills and establish development pathways for employees within and outside of tech.

"I've seen really beautiful projects submitted by seemingly unqualified people. Maybe the resume wasn't impressive, but something in there caught your attention. You assigned them a project, and then you got something great back.” – Megan

These steps provide a host of benefits, including cost savings associated with hiring less expensive labor, decreased turnover due to loyalty from employees who are appreciative of the investments made in their development and more. 

Maintain a high-quality talent pool by looking beyond the resume

As companies widen selection criteria, there may be concerns around whether this reduces the quality of the talent coming into the company. Addressing this concern requires looking beyond the traditional resume to pinpoint the core hard and soft skills required to be considered a qualified candidate. Then, build consistent screening processes that encompass the following actions:

  • Conduct assessments: Require technical skills assessments to get a more accurate and consistent sense of candidate capabilities. Though often considered a larger time investment by all involved, this can also shed light on the true dedication of candidates and their interest in joining your team.
  • Examine culture fit: Hiring managers who consider culture fit important are more likely to be successful at filling roles than others. During interviews, consider whether the candidate is a good culture fit. Conduct video interviews as early in the process as possible to get a better feel of the personality and style of candidates.
  • Tackle bias: Be sure to proactively address potential biases in your hiring process. Create a consistent framework for evaluating candidates and get opinions from multiple people on trends in what a “good” candidate looks like from a skills and culture perspective. Also, be intentional about who you include in the interview process and ensure it’s a diverse slate. Train all involved in the process of recognizing and overcoming personal bias. 

“It’s so important to get the culture fit right. It’s also important to gain everyone's opinion.” – Karl

Video 2: The importance of culture fit

Phishing simulations & training

Phishing simulations & training

Build the knowledge and skills to stay cyber secure at work and home with 2,000+ security awareness resources. Unlock the right subscription plan for you.

As companies continue to hunt for highly experienced cybersecurity professionals, many question whether the industry is ready for an entry-level market. Though cyber enthusiasts are interested in breaking into the industry, it’s tough for candidates to get a job without experience. Companies are getting ahead of the talent challenge by embracing inexperienced workers with healthy caution and guardrails — and it’s working. These companies are seeing lower attrition rates, decreased cost associated with turnover, higher employee engagement and more satisfied and loyal employees.

The bottom line is that rethinking hiring processes and traditional job requirements are critical keys to filling the talent pipeline gap.

You can find the entire conversation between Karl and Megan here. 

Cyber Pop-Up
Cyber Pop-Up

Cyber Pop-up connects businesses to on-demand cybersecurity services powered by an army of vetted and highly skilled experts. Cyber Pop-up’s unique twist on freelancing tailored to the cybersecurity industry, provides businesses with an experience that is trustworthy, flexible, and efficient for companies of all sizes.