Companies are struggling to find cybersecurity talent, and roles remain unfilled for months at a time. But is there really a lack of qualified candidates on the market? Is the problem with the lack of skills - or are we inadvertently limiting the talent pool before we even post the job spec?
Over the last few years, I've helped several companies grow their cybersecurity teams. There is a huge pool of untapped talent out there: the key is working out the right approach to get these people hired. Let’s look at five simple ways we can expand our pool of candidates, and increase our ability to hire the right people.
Requiring a degree
I keep seeing this as the biggest barrier companies face when trying to hire cybersecurity talent. This is an attitude that belongs firmly in the last century. "Must have a BSc or advanced degree" goes hand in hand with "Why can't we find the candidates we need?" The best security people I have worked with had no degrees. The great ones never finished high school.
Someone who has spent four years teaching themselves security, or has earned that experience on the job, will always be more motivated, skilled, and valuable to your company than someone who has spent four years attending lectures. There are more of the former out there, too.
By looking for provable skills and real-world experience over a university parchment, we instantly get an increase in quality candidates who have the security skills our company needs.
Hire for ability, not certificates
Cybersecurity, as an industry, is facing the familiar challenge of how to formalize recognition as a profession. An acronym soup of vendor certifications has sprung up, which makes it very difficult to work out what real skills someone has.
Instead of focusing on certifications, ask applicants for a portfolio of their work. What code have they shared on GitHub? What tools have they built? Have they presented at any conferences? Are they active in any open source projects?
Good security people work in the industry because it's interesting and fun, so give them a chance to show that off. Get them talking about the conference talk they did, or the neat tool they built. This is real world, applicable experience that is vastly more valuable than answering 40 multiple choice questions in an hour.
Interview with a case study, not a list of questions
Building on the previous point, it is time to retire the “question and answer” interview. We all carry smartphones and we can all use Google. No one needs to know the difference between a virus and a Trojan off the top of their head.
Instead, take a leaf out of the big consultancies' books. Give candidates a case study -- a problem to solve on a whiteboard, in real time, as their interview. Regardless of skill or experience level, it gives them a chance to showcase their abilities and thought processes. As interviewers, we get a much better idea of how candidates approach real world problems, whether they will be a good cultural fit and where their strengths and weaknesses lie.
When I introduced case study interviews at one organization, I saw a 160-percent growth in the team in 12 months, with retention rates at 100 percent. Case study interviews don't just land the right candidates -- they land candidates who want to stay.
Expand location expectations
COVID-19 has made it painfully clear that not only are companies able to support remote working, but that remote working actually increases the productivity and mental health of employees. Whether lockdown or travel restrictions ease or not, all companies should be embracing remote working and geographically diverse teams.
The moment a role is advertised as requiring the candidate to be within commuting distance of a specific city, the pool of suitable candidates shrinks. If the goal is to attract the top skills to our company, expecting employees to be local is going to limit our options and weed out some great candidates.
Cross-train and cross-hire from other IT disciplines
Cybersecurity in particular touches not just all aspects of IT, but also finance and business processes. Many companies fall into the trap of looking for unicorn candidates who already have all of this experience -- and then find themselves frustrated: there aren't that many people out there with the full skillset, and the market is paying top money for them.
Instead, look to internal teams. A network engineer who has been working on firewalls and DDoS protection is a prime candidate for cross-training into a security engineering role. A finance person who has been auditing processes could be a good fit to train up into a governance role.
There is plenty of talent out there: by taking a different approach to the hiring process, we can ensure we attract the candidates with the skills and attitudes we need.