Share this
by Reflare Research Team on Sep 1, 2022 7:40:00 PM
Companies are screaming for new cybersecurity professionals to join their teams. However, they are going out of the way to make their recruitment as difficult as possible.
First Published 2nd August 2022 | Latest Refresh 1st September 2022
CISO wanted - Immediate start. Great opportunity for undergrad. Must have 45 years of experience. Free dress on Fridays. Pleeeaase apply.
4 min read | Reflare Research Team
Context
The past several years have been extremely challenging for many of us. First (and still), we had to deal with Covid-19. Then (and still), the war in Ukraine. Now, a global economic recession is looming around the corner.
The effect of compounding crises is a perfect opportunity for cybercriminals. While we are all catching our breath from what we've just gone through (and scrambling to prepare for what comes next), would-be attackers are gearing up for our attention to yet again be pulled away from 'business as usual' and towards 'the next big problem'.
Such relentless diversions create incredibly convenient opportunities for attackers to strike... and most smart organisations know this. Subsequently, we are seeing the number of advertised vacancies for cybersecurity professionals in companies really start to increase.
The supply-demand paradox of cybersecurity talent
These waves of upheaval bring massive implications not only to the existing cybersecurity positions that are already filled, but also to the new jobs that are currently being created. But even before we get to that, we need to acknowledge that the cybersecurity job market is already in a state of ridiculousness. On the one hand, companies claim they are struggling to find cybersecurity talents. On the other hand, LinkedIn is never short of posts by potential candidates complaining about how they struggle to even get a job interview, let alone a job.
So how could two sides tell a contradictory story?
Having observed this phenomenon from both perspectives, this writer is inclined to apportion greater blame to the hiring side. Now, it's important to acknowledge that not all human resources and recruitment departments have got it wrong. Although, not all human resources and recruitment departments have the capabilities to source a sufficient pipeline of cybersecurity talent on their own. To truly understand what's going on here, we need to analyse one specific player on the hiring side who seems to be more problematic than others, and that player is... the job recruiter.
"Throw everything at the wall, and something should stick. Right?"
First of all, recruiters, most of the time, do not understand the job they are trying to fill. They have most likely never worked in the field, and will excessively rely on the hiring managers of what they read on the internet about the role to screen candidates. This is problematic in several ways because the information they get is either too generic, too narrow, or not context-specific.
We often see job requirements where the 'essential experience' stated has very little (or in some cases, nothing) to do with the actual job. Even worse, some cybersecurity job specs require knowledge of rare vendor-specific hardware that few would possess. It is for these reasons that good cybersecurity prospects are being passed over; the requirements read as if they are so 'set in stone' that the right talent isn't even bothering to try.
Furthermore, many recruiters seem to have a questionable view of the perceived quality of cybersecurity staff who are proactively on the job market. "How good can they be if they don't have a job?" This is a fundamentally flawed line of thinking when it comes to cybersecurity talent. Not all cybersecurity people are ladder climbing, promotion acquiring go-getters. But "if there is no clear career progression, the candidate can't be good" is all too often a line of thinking applied by recruiters to incredibly skilled cybersecurity professionals. Instead of actually making the effort to understand the dynamics of the talent pool, recruiters send unsolicited emails or LinkedIn messages to talent who are already gainfully employed with the intention of calling them away to a "better opportunity".
The success rate of headhunting cybersecurity professionals to move from Company A to Company B is significantly lower than many other functional professionals.
A lack of understanding by the recruitment industry about the psyche of cybersecurity talent is not only limiting the organisation's requirements to fill roles, but also frustrating the on-market cybersecurity talent who can't even get a first-round interview. The supply and demand are both here. They are just not meeting in the middle.
The (employed) cybersecurity community has a role to play here. We need to speak to our talent management partners and explain that there is indeed a pipeline of great talent out there. However, how they perceive and engage with that pipeline needs to change. Recruiters need to 'meet' the talent pool where they are, and not where they think they should be. The cost of not engaging with new cybersecurity talent the right way hurts the company (unfilled positions), the talent (underutilised resource), and the whole cybersecurity industry (unable to deliver all the work that's required).
A water cooler argument about college degrees
Our office recently discussed the value of college degrees in cybersecurity. One position asserted that college degrees were "a waste of time" and did not reflect a candidate's "real capabilities". They also argued that many companies these days, including those that traditionally hire candidates only with degrees, are now hiring candidates without.
As much as we would agree that college degrees might not be a good indicator of a candidate's potential and that many companies are now hiring people who have never been to college, we would not go as far as saying college degrees and certifications are"a waste of time."
First of all, people tend to assume working in cybersecurity is all about software and hardware technical skills. This is quite inaccurate, as cybersecurity is a diverse industry with people working from areas such as compliance to designing mathematical algorithms for quantum cryptography. While you might not need a college degree to learn how to perform penetration testing, you are less to find a job as a quantum cryptographer if you do not have an advanced college degree either in mathematics, physics, or related fields.
Most good universities will also teach students more than just technical skills. For example, most campuses have fully staffed careers departments that teach students how to ace job interviews. They also teach students how to work in a collaborative environment, make presentations in front of a large audience, and help students develop their leadership or entrepreneurship skills. In other words, going to college – at least at a good institution – is more than just about learning specific technical skills.
College degrees are still desirable in some areas of cybersecurity, but arguably could be of greater relevance when it comes to producing 'work-ready' cybersecurity employees.
Corporate diversity programs and neurodivergent recruitment
When corporations talk about diversity, most of us would think about a person's social-economic background, gender, ethnicity, or physical disability. Few would think about people whose brain is wired differently than us – people who are neurodivergent.
A person who is neurodivergent learns, behaves, and thinks differently compared to those with typical neurological development or functioning. People who are neurodivergent include individuals with autism, ADHD, Tourette's, dyslexia and a range of other neurodiverse conditions. While their differences can make life challenging for them in some cases, their ability to perceive the world differently than others has led many neurodivergent to make great contributions to science and technology.
One industry that could benefit from hiring neurodiverse individuals is cybersecurity. Because people who are neurodivergent are known to be good at recognising patterns and out-of-the-box thinking, they can become extremely valuable contributors when trying to detect anomalies and flaws in systems or trying to figure out new types of attacks by highlighting things that others failed to notice or by offering a different perspective to problems.
As a matter of fact, security agencies such as NSA and GCHQ are known to favour hiring neurodiverse individuals due to their ability to process information. From a historical perspective, it is believed that many famous codebreakers, mathematicians, and scientists (Alan Turing for one) were neurodivergent. Today, there are consultancies focusing solely on building neurodiverse talent benches to solve their clients' most complex problems.
However, when it comes to landing a job directly with those clients, the standard recruitment process is most often not an inviting proposition for such talent. If an organisation wishes to hire these brilliant individuals, recruitment processes need to evolve. Companies need to invest in understanding diverse talent pools if they wish to connect with any level of empathy, care, and positive intent. For example, allowing an applicant to bring notes to an interview, or have extra time to consider questions must not be held against them in a fair application process.
There are so many good people inside of security who are currently on the job market. Companies need to learn how to connect with these people, meaningfully, if they seriously want to solve their most critical security challenges.
To stay up to speed on the very latest trends and analyses in cybersecurity, subscribe to Reflare's research newsletter.
Additionally, you should explore some of our related articles listed to learn more.