Professional development

Recruiting externally vs. training internally: 5 tips to improve your cybersecurity talent pipeline in 2020

Patrick Mallory
May 26, 2020 by
Patrick Mallory


If you are in the market for cybersecurity talent, you do not need to hear (again) just how hard it is to find candidates for your job postings. Across every industry and organizations big and small, you see the impact that each one of the 3.5 million unfilled cybersecurity jobs (as cited by Cybersecurity Ventures) have on operations.

Instead, you want to hear about what your organization can do about filling your unfilled cybersecurity positions. This article will do just that: we outline five tips that your organization can use to improve your existing recruiting processes, as well as a few others that may open up new opportunities to recruit new security professionals. 

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

Tip 1: Capitalize on opportunities for internal growth

Before your knee-jerk reaction to immediately search for a replacement cybersecurity professional on the (very) competitive job market, first pause to look internally for an opportunity to find a potential fit from within your own organization. Not only is this a great opportunity to provide existing employees with an opportunity to have a new experience and grow their own skill sets, but it can provide a nice amount of continuity of organizational knowledge and opportunities for increased cross-team communication and collaboration. 

Begin by documenting the key specialized and core skills that the vacancy requires and compare this information to other functions and staff already in place. For example, a strong quality assurance tester or application security engineer requires a firm foundation in software development. These crossover skill sets can help you to identify strong performers in other job disciplines that could have an interest in a new role and enough foundational skills to quickly pick it up. As an added bonus, these individuals have already demonstrated their work ethic and personalities, which can always be an unknown during traditional hiring cycles. 

Additionally, for junior employees or those possibly looking for something new outside of traditional IT roles (whether it is in human resources or even finance), have a high-level career development plan in place for key cybersecurity positions that identifies core skills, activities and educational experiences they need to be successful. Junior employees can use these plans to build experience in entry-level roles, provide continued growth opportunities and even take routine functions away from senior staff so they can focus on more specialized work. And when you realize that a surprising 93 percent of employees say they would stand with a company longer if they consistently invested in their careers, this is a win-win situation.

Tip 2: Create new external talent pipelines

While you may need to fill a critical position now, it is also important to think about the long-term hiring needs that your organization has, too. While there will always be a place for traditional job postings, recruiting services, and referrals, you should also think creatively about the resources that your community has.

One technique that can be leveraged by businesses of all sizes is to build a pipeline of security talent internally and externally. Externally, identify local community colleges, trade schools, high schools, nonprofits and military organizations that have steady streams of students and career changers that are looking for opportunities to try out their new-found skills. In exchange for internship credit, a temporary rotational program or even a part-time program, your organization can not only help local students, but it can also fill key roles. Successful participants can have a job waiting for them when their program and your needs align.

Combined with Tip #1, these two sources can help to create a pipeline of talent that not only forms a great foundation of skills, but also one that you already know fits the culture of your organization.

Tip 3: Be realistic with job postings

How many times have you actually updated your job vacancy descriptions? Are you sure all of those requirements, job skills and degrees are really necessary to have a successful hire?

When filling a security operations center vacancy, who wouldn’t love someone with ten-plus years of experience with demonstrated success in previous roles, all backed up with the certifications and degrees to prove it? Unfortunately, as with many things in line, often perfect is the enemy of “good enough.” 

Instead, take the time to update the job description and role expectations consistently (at least once a year) by talking with current staff and taking inventory of current systems and methodologies in place. If you do so, you will actually be in the top 25 percent of employers when it comes to being ready for a vacancy. Taking this one step further, perhaps even consider conducting an exit interview with the incumbent leaving the role to more accurately capture what it will take to be successful in the role. 

In addition to technical skills, make sure to capture the soft skills and unique organizational traits that are also crucial to the culture of your organization, like teamwork, flexibility and collaboration. 

By the end of the process, you should have a job summary that is concise — possibly even under 100 words — and full of the language, values and keywords that will attract the right candidates to meet your organization’s needs.

Tip 4: Evaluate your screening process

After updating your job vacancy descriptions and refreshing your methods for finding new talent, another tip is to re-think how your organization screen potential hires. Instead of the traditional cover letter reviews, question-and-answer sessions and reference checks, work with your existing staff to identify methods to have candidates actually demonstrate their abilities. This can come in the form of “case studies” that candidates have to walk interviews through their thought-processes or solutions, “role plays” that can demonstrate the art that often pairs with the science of IT roles or basic skills tests that can demonstrate what candidates know. 

To help measure the responses of interviews and get a sense of potential personality fit, also consider inviting members of your existing cybersecurity team and include their feedback in the final selection process.

Recognize that not all candidates can boast CISSP certifications paired with degrees in computer science from top-flight schools; more accurately capture the specific, fundamental tasks the vacant role fulfills; and ask candidates to prove and demonstrate their abilities. This can lead to finding a candidate that is actually successful on day one, versus the one with the most acronyms after their name. 

Tip 5: Think about retention before they are even hired

In the world of cybersecurity, it can be difficult to measure success. How do you evaluate someone for having the tools and measures in place to stop something from happening? Also, is stopping a breach the best and only way to judge effectiveness? 

Not necessarily. Instead, think more broadly about the skills, criteria and functions that security professionals should demonstrate, such as comparing performance against industry benchmarks in areas like:

  • Employee awareness in security prevention
  • Incident remediation
  • Incident response time
  • Integration of security in business processes and implementation

Similarly, have clear measures for success for these and other metrics to prevent ambiguity in what it means for a staff member to be performing well.

On a related topic, while not every organization can pay high bonuses or offer the top salaries in the region, think creatively about how to tap into individual motivations to keep retention high. Cybersecurity professionals have a strong sense of duty and understand their role in business operations. Recognize staff that demonstrate strong work ethics in other meaningful ways, such as additional training opportunities, paid vacation, conference fees or chances to share their successes with industry groups or internal communications. In fact, according to a 2018 (ISC)2 study, 88 percent of cybersecurity job seekers are looking for employers that invest in training and certifications.

Bringing it all together

For organizations to successfully compete in the cybersecurity marketplace, they need to reflect on their hiring processes, update and refine their vacancy descriptions and think differently about how and where they are looking for their next great hire. 

If you take on a few of these tips, your organization can possibly increase your chances of success now and hopefully well into the future. However, once you get them through the door and onboarded, it is just the beginning of a much larger journey of growth and development that you need to be equally ready to support.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.



  1. Cybersecurity Talent Crunch To Create 3.5 Million Unfilled Jobs Globally By 2021, Cybercrime Magazine
  2. Developing Your Employees Is The Key To Retention -- Here Are 4 Smart Ways To Start, Forbes
  3. At year's end, don't forget to update your job descriptions, HR Dive
  4. Hiring and Retaining Top Cybersecurity Talent, (ISC)2
Patrick Mallory
Patrick Mallory

Patrick’s background includes cyber risk services consulting experience with Deloitte Consulting and time as an Assistant IT Director for the City of Raleigh. Patrick also has earned the OSCP, CISSP, CISM, and Security+ certifications, holds Master's Degrees in Information Security and Public Management from Carnegie Mellon University, and assists with graduate level teaching in an information security program.

Patrick enjoys staying on top of the latest in IT and cybersecurity news and sharing these updates to help others reach their business and public service goals.