Filling cybersecurity jobs is getting so hard managers need to think outside the box if they hope to fill critical positions, experts say.
That means redefining jobs, training human resources departments to screen resumes differently, seeking latent talent already inside the organization, and hiring bright, motivated people who can grow into critical roles, according to an expert panel speaking at the recent Advanced Cyber Security Center conference in Boston.
+More on Network World: Phishing scheme crimps El Paso for $3.2 million+
Talent is so scarce that it typically takes eight to 12 months to fill cybersecurity jobs, says Mark Aiello, president of Cyber 360, a staffing firm specializing in finding cybersecurity skill. So employers need to be flexible about who they will consider.
“The goal is to hire someone not perfect for the role,” because you likely won’t find them, Aiello says. “The Goldilocks candidate does not exist.” He says organizations need to get their managers to be managers by managing how critical tasks are divvied up and training their staffs so all those tasks are accomplished. For example, he says hire a new person to handle lower-level tasks and realign existing staff to absorb the duties of the higher skilled person who left.
+More on Network World: FBI snags group that allegedly pinched 23,000 or $6.7 million worth of iPhones+
Look for bright, capable people with the aptitude for the skills needed for open positions, and then train them, says another panelist Devin Bryan, CISO of the Federal Reserve System. He says the 12 banks in the system had 78 vacancies for cybersecurity posts, the oldest being unfilled for a year. “There certainly is a war for talent,” he says.
Janet Levesque, CISO for RSA, says she works with her human resources team to flag candidates with critical-thinking and problem-solving skills and writing and communications talent, not just the technical competencies they tend to list on resumes.
“We have a responsibility to help HR sift through the pile of resumes from Monster,” says Bryan. And job seekers need to do more to help themselves by describing how their skills and competencies can help the hiring organization.
Aiello says HR should be told to set up interviews with everyone who meets broad qualifications. Managers should hire the smart people who meet those qualifications, even if they don’t have all the specific skills required so long as they are willing to learn and show enthusiasm for the open position. “If they have the right attitude, they will be a good employee,” he says.
Aiello says employers shouldn’t insist on a set of certifications or even a college degree when hiring. “That shouldn’t matter,” he says, just whether they have skills and brains.
Carla Brodley, dean of Northeastern University’s College of Computer and Information Science, agrees, but says that once they have jobs and want to move up the food chain, they will likely need to acquire formal credentials. “They can do that while they’re working for you,” she says.
To help in that training Northeastern has programs to give software engineers cybersecurity skills, and has extended that to students with undergraduate degrees in non-tech subjects like history, English and math.
Don’t assume that the best candidate will come from the outside, Bryan says. The best qualified candidates may already work for the hiring organization, and managers should be creative in finding those people.
Levesque says EMC rotates recent graduates hired at the company through three-month cycles in different areas to find out whether a programmer, for example, might have an interest in incident response.
It’s often tough for applicants and employers to succinctly describe skills and requirements, respectively. Aiello says that’s because cyber security is still an immature profession that lacks basic standards for what job skills are needed for what job titles. A job with the title security analyst at one organization might have a different set of tasks associated with it than a security analyst at another organization. “It’s hard to say, ‘I want to be this,’ when ‘this’ doesn’t have a title,” he says.
Bryan says that the National Institute for Standards and Testing (NIST) is trying to create standardized titles and job descriptions to do just that with its National Initiative for Cybersecurity Education (NICE). The project “provides a common language to categorize and describe cybersecurity work,” with the goal of helping businesses identify, recruit and develop appropriate talent.
Because of stiff competition, employers may have to compete with salaries and perks. Levesque says she’s seen corporations offer work-at-home options to strong candidates who don’t want to relocate.
Bryan says that the Federal Reserve System can’t offer the big salaries major private firms can so it operates at a disadvantage.
Universities face similar challenges finding the top security pros to teach, says Northeastern’s Brodley. “It’s hard to get Ph.D.s in cybersecurity. We have the same problem that’s going on in industry, and we can’t pay what industry pays,” she says.
Aiello says the average age for cybersecurity practitioners is 41. He recommends that when younger people are being considered, enlist younger current employees to help interview them. The motivations of boomers and millennials are very different, and having someone in the same age bracket can make the process go smoother.
Brodley says that 75% of people who try computer science like it enough to take a second course. She’s hoping computer science is made a high school requirement so more students get that initial exposure that might encourage them to major in it in college.
