Flip the funnel: Fixing the cybersecurity talent pipeline challenge
Organizations of all sizes are dealing with a critical challenge: the demand for cybersecurity talent continues to grossly outpace the supply of available and qualified cyber professionals. An Information Systems Security Association and ESG Research Report disclosed that 70% of respondents feel the cybersecurity skills shortage has impacted their organization either “somewhat” or “significantly.” This has led to an abundance of unfilled roles, recruitment challenges, costly churn rates and burnout amongst security professionals.
ChatGPT training built for everyone
While most agree that the skills gap is a significant challenge, a deeper look at the problem exposes a more fundamental issue. There is a lack of candidates who meet the experience and certification requirements often listed in job descriptions. Some believe that the problem is bolstered by employers in search of elusive “unicorn” candidates who meet seemingly unrealistic job requirements such as advanced certifications and extensive years of hands-on experience. These are rarities in such a strained market.
Opinions aside, what's missing is actionable guidance to help fill vacant cybersecurity roles. During Infosec Inspire, Karl Sharman, Head of Cyber Solutions & Consultancies at Stott and May, and Megan Sawle, Director of Research & Product Marketing at Infosec, discussed what successful security and IT leaders are doing to improve recruiting, hiring and retention.
Video 1: Hiring entry-level candidates and the importance of not chasing “unicorn” candidates
Rethink how job descriptions are written and be open-minded about experience requirements
Seventy-six percent of cybersecurity roles take more than eight weeks to fill, according to Karl. In some cases, these positions remain unfilled for over six months, leading to wasted time, costs and prolonged security vulnerability within entities. This is a stark contrast to the increasing unemployment rates plaguing other industries during an ongoing pandemic.
A few companies have discovered a secret to overcoming this challenge: rethinking stringent candidate experience requirements. Fifty-eight percent of companies who successfully fill roles consider inexperienced candidates for open roles. Before writing a job description, it’s important to ask: “What are the three hard skills and soft skills we need in this role?” Focus on those. Everything else is not as relevant at this stage.
Have a plan for developing less-experienced workers
Companies often want to hire highly experienced cyber professionals to avoid risk. After all, the stakes are high. A simple mistake made by an inexperienced security employee can lead to breaches, financial consequences, brand damage and more.
While larger companies may be willing to take on this risk, this decision gets even harder for small and medium-sized businesses. No matter the size of the organization, take these steps to set yourself up for success.
- Work with your HR team to make sure you source the right budding talent, based on your needs.
- Incorporate skills demonstration projects into the hiring process. Companies seeing hiring success in filling cyber roles were 433% more likely to use projects in the hiring process.
- Ensure inexperienced hires are prepared to deliver on expectations through training and development programs. Partner with third-party training providers to scale development efforts.
- Pair junior team members up with experienced mentors for reciprocal development benefits.
- Look at the talent you have within your company and consider upskilling internally.
- Assess employee skills and establish development pathways for employees within and outside of tech.
"I've seen really beautiful projects submitted by seemingly unqualified people. Maybe the resume wasn't impressive, but something in there caught your attention. You assigned them a project, and then you got something great back.” – Megan
These steps provide a host of benefits, including cost savings associated with hiring less expensive labor, decreased turnover due to loyalty from employees who are appreciative of the investments made in their development and more.
Maintain a high-quality talent pool by looking beyond the resume
As companies widen selection criteria, there may be concerns around whether this reduces the quality of the talent coming into the company. Addressing this concern requires looking beyond the traditional resume to pinpoint the core hard and soft skills required to be considered a qualified candidate. Then, build consistent screening processes that encompass the following actions:
- Conduct assessments: Require technical skills assessments to get a more accurate and consistent sense of candidate capabilities. Though often considered a larger time investment by all involved, this can also shed light on the true dedication of candidates and their interest in joining your team.
- Examine culture fit: Hiring managers who consider culture fit important are more likely to be successful at filling roles than others. During interviews, consider whether the candidate is a good culture fit. Conduct video interviews as early in the process as possible to get a better feel of the personality and style of candidates.
- Tackle bias: Be sure to proactively address potential biases in your hiring process. Create a consistent framework for evaluating candidates and get opinions from multiple people on trends in what a “good” candidate looks like from a skills and culture perspective. Also, be intentional about who you include in the interview process and ensure it’s a diverse slate. Train all involved in the process of recognizing and overcoming personal bias.
“It’s so important to get the culture fit right. It’s also important to gain everyone's opinion.” – Karl
Video 2: The importance of culture fit
Phishing simulations & training
As companies continue to hunt for highly experienced cybersecurity professionals, many question whether the industry is ready for an entry-level market. Though cyber enthusiasts are interested in breaking into the industry, it’s tough for candidates to get a job without experience. Companies are getting ahead of the talent challenge by embracing inexperienced workers with healthy caution and guardrails — and it’s working. These companies are seeing lower attrition rates, decreased cost associated with turnover, higher employee engagement and more satisfied and loyal employees.
The bottom line is that rethinking hiring processes and traditional job requirements are critical keys to filling the talent pipeline gap.
You can find the entire conversation between Karl and Megan here.