Cyber security hiring: Tips and best practices
Cyber security hiring managers face a difficult situation. Finding the kind of applicants needed to fill open positions has become more challenging. Part of the challenge is that it can be hard for people entering or reentering the workforce to navigate which training or certification program will help them get a job, said Diana Kelley on a recent episode of the he Cyber Work Podcast.
Diana is a board member of the Cyber Future Foundation, CYS, and the Executive Women's Forum (EWF). She is also co-author of Practical Cybersecurity Architecture and Cryptographic Libraries for Developers and has extensive cyber security experience with some of the biggest names in IT.
The Cyber Future Foundation hosted Cyber Talent Week in 2022 to provide help to employers and employees alike and encourage the development of an expanding and highly skilled cyber workforce.
FREE role-guided training plans
“Something that’s emerged in the past year is a big need to help people who want to get into the cyber security field to actually be able to get trained up and find jobs,” said Kelley.
She believes change begins by shifting how employers and hiring managers address the issue. Basic actions such as writing better job descriptions, for example, can facilitate the next generation of the cyber workforce. Additionally, employers and hiring managers must find ways to bridge the gulf between those with no experience who want a career in cyber security and the jobs they seek. These individuals face a chicken-and-egg proposition. They can't get a job until they have experience, but to get experience, they need a job.
"The National Cyber Help Desk supports small businesses in concert with local and state governments and provides an opportunity for people that can't get internships and externships anywhere else," said Kelley. "It allows them to gain real-world hands-on experience."
Poor cyber security job descriptions
Some hiring departments put too much attention on attracting unicorn candidates. Their job descriptions reflect this: demands for 10 years of experience, marquee credentials and advanced degrees.
Kelley encouraged employers to re-examine job descriptions and prioritize the problems that need to be solved. That, in turn, should lead to a more precise definition of the actual skills, competencies and abilities they want to attract. Everything else can be taken care of by internal training and continuous education processes that help new hires develop additional skills that can be taught to candidates over time.
“The job description is often used as the baseline for Applicant Tracking Systems (ATS),” said Kelley. “If your resume doesn’t exactly match the pattern that they’re looking for or is missing certain keywords, you can get kicked out of the system. No human will ever see your resume.”
It can be as simple an error as saying, "cloud systems" instead of "Azure." With that keyword missing, ATS may automatically reject you. You may be skilled in AWS and DigitalOcean, but they want Azure. Such candidates could probably learn Azure rapidly. Why exclude them? Those writing job descriptions need to learn to write them in a more inclusive way.
FREE role-guided training plans
Example: state that you want somebody who's an expert in the cloud, with Azure preferred. Ensure that ATS knows to find the generic terms as well as the specifics. Further mistakes include being too gender-specific, such as saying "he" in the job description, as the last two previous incumbents were male.
Above all, Kelley advocates flexibility in job descriptions and applicant requirements. After all, being able to manage and secure one cloud versus another cloud is something that can be picked up on the job. Successfully running and safeguarding an AWS cloud demonstrates competence that can be translated to another platform like Azure with a modest amount of training.
"Most managers want somebody they can skill up and move forward because that's how we keep people engaged, learning, and excited," said Kelley.
Reluctance to invest in employees
Some managers, though, are reluctant to invest training and certification in people, fearing that once they are up to speed, they will leave for pastures newer or better paid. Companies like Infosec offer organizations a chance to train another employee at no cost in those situations — to help alleviate that concern.
"Managers often have workers they really loved and helped to advance their careers," said Kelley. "When one of those leaves, it feels very personal or even like abandonment."
However, there are many other factors at play when people leave. They may have been working in a toxic workplace or realized they had picked a company with little room for further advancement. They may have been headhunted with an offer they couldn't refuse, such as $10,000 more a year, a big relocation bonus and a free MBA thrown in.
FREE role-guided training plans
The lesson that hiring managers and IT managers should learn is that training is never a bad idea. Even if someone leaves, the skills they learned while working for a company made that company better. And it adds to the overall cyber security talent pool – an urgently needed thing in this age of rampant ransomware and data breaches.
Summer internships, too, have tremendous value even if some of those taking them don't end up working for the firm. Some hiring managers view internships as a hiring platform where they can review promising candidates and find excellent raw talent.
“What they want the person to do is to understand the company and the culture and see if you’re a good fit and like being there,” said Kelley.
For more, watch the full episode of the Cyber Work Podcast, Cybersecurity jobs: How to better apply, get hired and fill open roles.
In this Series
- Cyber security hiring: Tips and best practices
- Top-paying cybersecurity jobs and salary trends for 2024
- The importance of IT certifications in boosting your career
- Understanding the role of a network engineer in IT
- The role of the chief information officer (CIO) in cybersecurity
- What is a network engineer and how to become one?
- What does a system administrator do and how to become one?
- Cybersecurity soft skills: Career benefits of public speaking
- CompTIA Data+ certification: Opening doors to new careers
- Surviving cybersecurity burnout: Tips from industry experts
- How to make a mid-career change to cybersecurity
- 7 top security certifications you should have in 2024
- The Changing Role of the Modern SOC
- Discover the top 5 information security management certifications
- CySA+ versus CASP+: Is the CySA+ good enough for a career in cybersecurity?
- The best cybersecurity jobs in 2023: Trends, roles and salaries
- Top 10 penetration testing certifications for security professionals (2023)
- How to land an entry-level cybersecurity job: Essential skills and certifications
- 133 cyber security training courses you can take now — for free
- Breaking down barriers: How to make cybersecurity more inclusive and diverse
- Computer forensics interview questions
- The digital security forensic analyst salary guide
- Applying linguistics to cybersecurity: The journey of Jade Brown, a 2022 Infosec Scholarship winner
- The Path to “Career 4.0”: Amy Bonus leverages humanities, FinTech experience to bring Cybersecurity to the layperson
- Security engineer: Degree vs. certification
- Cybersecurity engineer: CyberSeek
- Infosec Accelerate Scholarship winner highlights essential qualities of a successful cybersecurity professional
- Career skills, imposter syndrome and intelligence-led pentesting | From the Cyber Work desk
- Cloud security engineer interview questions and answers
- Prior preparation results in a big payoff for Jason Mondragon, an Army veteran transitioning into cybersecurity
- Infosec scholarship winner Kandice Kucharczyk salutes her mentors as she sets her sights high
- Which CompTIA cert is right for you: Security+, PenTest+, CySA+ or CASP+? [updated 2023]
- How VetsInTech and Infosec Laid the Path to Gaurav Panta’s New IT Career
- Infosec 2022 scholarship winner Anthony Torres: Bringing the Marine Corps ethos to the cyber domain
- Infosec Scholarship winner Chris Chisholm knows the power of service and diversity in cybersecurity
- Betta Lyon Delsordo, Infosec scholarship 2022 winner, is a true life-long learner
- A veteran transitions from military medical logistics to multi-national security analyst
- An Army National Guard member fast tracks his cybersecurity career transition with VetsinTech
- How a career harnessing Navy nuclear energy can power a transition to a Security+ certification
- What is a cloud administrator? Essential roles and skills
- Security control mapping: Connecting MITRE ATT&CK to NIST 800-53
- Should you take the CCSP/SSCP before the CISSP? [updated 2022]
- (ISC)² certifications: The ultimate guide [updated 2022]
- CCSP vs. Cloud+ [updated 2022]
- Data architect: The ultimate career guide
- The ultimate guide to ISACA certifications: Overview & career paths [updated 2022]
- I failed IAPP’s CIPP/C certification. Here’s how I recovered
- How learning to be "Always Flexible" helped a Marine in earning the Security+ certification
- How to learn and pass your next certification exam
- Mission accomplished: How one army veteran turned neurobiologist moved into cybersecurity
- I failed my CREST Certified Infrastructure Tester exam: Here’s my story
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
Professional development
Professional development
Professional development
Professional development
The role of the chief information officer (CIO) in cybersecurity