Some thoughts on recruiting in cybersecurity
Cybersecurity is one of the tech industry’s most essential and fastest-growing sectors. With cybercrime representing a US$1.5 trillion economy and the demand for cybersecurity professionals outstripping the supply, hiring the quality talent for your cybersecurity team is crucial for your business's success and reputation.
However, recruiting in the cybersecurity industry is a challenging task. It requires a deep understanding of the relevant skills, qualifications, and certifications for different cybersecurity roles and the ability to attract and retain passionate, trustworthy, and adaptable candidates.
I have spent at least twenty of my 25+ years in cybersecurity managing others. Sometimes, it’s been one employee and other times, it’s been thirty employees in multiple countries. As an agency, I’ve even carried out recruiting for others in the past and even now, I believe so strongly in “everyone deserves the opportunity to work” that I administer the 55000+ member “security-jobs” group on LinkedIn to bring candidates and recruiters together totally free of charge.
In this article, I aim to share some dos and don’ts for hiring and retaining cybersecurity professionals based on the best practices and insights from experts and industry leaders.
DO: Look beyond the usual places to find talent.
One of the biggest challenges in cybersecurity recruitment is the talent shortage. According to a report by (ISC)², the global cybersecurity workforce gap in 2022 was estimated to be 3.12 million. This means there are not enough qualified candidates to fill the cybersecurity positions.
To overcome this challenge, you need to look beyond the traditional sources of talent, such as job boards, career fairs, and referrals, and explore alternative ways to find and attract cybersecurity talent. Some of the strategies you can use are:
Leverage your existing cybersecurity team: Your current employees are your best ambassadors for your company and culture. They can help you identify and reach out to potential candidates in their network, online communities, and professional associations. They can also provide testimonials, referrals, and recommendations for your employer’s brand and value proposition.
Partner with educational institutions and training providers: You can collaborate with universities, colleges, boot camps, and online courses that offer cybersecurity programs and certifications. You can sponsor scholarships, internships, hackathons, and competitions to attract and engage students and graduates interested in cybersecurity careers. You can also offer mentorship, coaching, and career guidance to help them develop their skills and prepare for the industry.
Tap into diverse and underrepresented talent pools: You can broaden your talent pipeline by reaching out to groups and communities often overlooked or marginalised in the tech industry, such as women, minorities, veterans, and people with disabilities. Diversity and inclusion are essential to forming a strong team, so partner with organisations and initiatives that support and promote diversity and inclusion in cybersecurity, such as Women in Cybersecurity (WiCyS), the International Consortium of Minority Cybersecurity Professionals (ICMCP), and the Wounded Warrior Project (WWP). You can also showcase your commitment to diversity and inclusion in your hiring process and workplace culture.
DON’T: Require candidates to have designated skills.
Another common mistake in cybersecurity recruitment is to have a rigid and unrealistic list of requirements for candidates. Many employers focus on specific skills, tools, and technologies essential for cybersecurity roles without considering those skills' context, relevance, and transferability.
This approach can limit your talent pool and exclude candidates with the potential and aptitude to learn and adapt to new cybersecurity challenges. Instead of looking for candidates who have a predefined set of skills, you should look for candidates who have:
A solid foundation of cybersecurity or IT fundamentals: This includes the core concepts, principles, and practices of cybersecurity, such as cryptography, network security, threat modelling, risk assessment, incident response, and security governance. Candidates should also have a basic understanding of the cybersecurity landscape, such as the common types of cyber-attacks, the cyber kill chain, the cybersecurity frameworks and standards, and the cybersecurity laws and regulations.
A relevant and demonstrable experience in cybersecurity: This can be through professional work experience, academic projects, certifications, publications, or personal projects. Candidates should showcase their cybersecurity skills and knowledge in a practical and applicable way, such as solving cybersecurity problems, implementing cybersecurity solutions, or conducting cybersecurity research.
A passion and curiosity for cybersecurity: This is the most critical and intangible quality you should look for in cybersecurity candidates. Candidates should have a genuine interest and enthusiasm for cybersecurity and a willingness and eagerness to learn and grow. Candidates should also demonstrate their passion and curiosity for cybersecurity by staying updated on the latest cybersecurity trends, news, and developments, participating in cybersecurity events and communities, and pursuing cybersecurity hobbies and challenges.
DO: Be willing to train candidates after they’re hired.
One of the best ways to overcome the cybersecurity talent gap and retain your cybersecurity employees is to invest in their training and development. Cybersecurity is a dynamic and evolving field where new threats, technologies, and solutions emerge daily. Therefore, it is essential to provide your cybersecurity team with the opportunities and resources to update and upgrade their skills and knowledge regularly. There is always something new to learn in cybersecurity, and as individuals, we should always want to improve ourselves.
Some of the benefits of training your cybersecurity employees are:
It improves their performance and productivity: Training can help cybersecurity employees acquire new skills, enhance their existing skills, and apply them more effectively and efficiently. Training can also help your cybersecurity employees learn from best practices, case studies, and experts in the field and avoid common mistakes and pitfalls.
It increases their engagement and satisfaction: Training can help your cybersecurity employees feel valued and appreciated by your company and motivated and challenged by their work. Training can help cybersecurity employees achieve personal and professional goals and advance their career paths.
It reduces your turnover and attrition rate: Training can help your cybersecurity employees stay loyal and committed to your company and happy and fulfilled by their work. Training can also help your cybersecurity employees cope with stress and burnout and prevent them from leaving your company for better opportunities.
Some of the ways you can train your cybersecurity employees are:
Offer internal and external training programs: You can create and deliver training programs tailored to your company’s needs and objectives or enroll your cybersecurity employees in external training programs that reputable and accredited providers offer. You can also use a combination of both, depending on your cybersecurity employees’ availability, budget, and preference.
Provide online and offline learning resources: You can provide your cybersecurity employees with access to various online and offline learning resources, such as books, articles, podcasts, videos, webinars, courses, certifications, and tools. You can also curate and recommend the most relevant and valuable learning resources for your cybersecurity employees based on their roles, interests, and needs.
Encourage peer-to-peer and mentor-mentee learning: You can foster a culture of learning and collaboration among your cybersecurity employees, where they can share their knowledge, experience, and feedback. You can pair your cybersecurity employees with mentors or coaches who guide, support and inspire them in their learning and development journey.
DON’T: Craft your job descriptions carelessly.
Your job description is the first impression of your potential cybersecurity candidates. It is also the most critical factor influencing their decision to apply for your cybersecurity position. So, you'll need to craft your job description carefully and strategically to make sure that it attracts and appeals to the right cybersecurity talent for your company.
Some of the tips for writing effective and engaging cybersecurity job descriptions are:
Use clear and concise language: Avoid jargon, acronyms, and technical terms that may confuse or intimidate your cybersecurity candidates. Use simple language that is easy to understand and follow. Use bullet points and subheadings to organise and highlight your information.
Highlight your company’s value proposition: Explain why your company is an excellent workplace for cybersecurity professionals. Showcase your company’s mission, vision, values, culture, and achievements. Emphasise your company’s commitment to cybersecurity and the impact and value of your cybersecurity team. Mention the benefits and perks you offer your cybersecurity employees, such as competitive compensation, flexible work arrangements, career growth opportunities, and training and development programs.
Describe your cybersecurity role and responsibilities: Please provide an accurate overview of your role and its responsibilities. Specify your cybersecurity role's primary duties and tasks and the expected outcomes and deliverables. Indicate the level and scope of your cybersecurity role, such as junior, senior, manager, or director, and the department and team that your cybersecurity role belongs to.
List your cybersecurity requirements and qualifications: Define the minimum and preferred requirements and qualifications you seek in your cybersecurity candidates. Include the essential and desirable skills, knowledge, experience, and certifications that are relevant and necessary for your cybersecurity role. Be realistic and flexible with your requirements and qualifications, and avoid asking for too many or specific skills that may limit your talent pool or deter your candidates.
Include a call to action: Invite your candidates to apply for your cybersecurity position and provide them with the instructions and details on how to do so. Include your contact information and the deadline for applications. Please express your interest and enthusiasm for hearing from your cybersecurity candidates and thank them for their time and attention.
DO: Sell the job and company.
The last and most crucial step in cybersecurity recruitment is to sell the job and company to your cybersecurity candidates. This means that you must convince and persuade your cybersecurity candidates that your cybersecurity position and company are the best fit and choice for them and that you are excited and eager to work with them. You'll need to communicate your value proposition, distinguish yourself from your competitors, and address any concerns or objections your cybersecurity candidates may have.
Some of the tips for selling the job and company to your cybersecurity candidates are:
Build rapport and trust with your cybersecurity candidates: Establish a positive and professional relationship with them, where you show respect, interest, and appreciation for them. Listen to their needs, goals, and expectations, and understand their motivations and challenges. Please provide them with honest and constructive feedback and answer their questions and doubts.
Highlight the benefits and advantages of your cybersecurity position and company: Explain how your cybersecurity position and company can help your candidates achieve their personal and professional aspirations and how they can contribute to your company’s mission and vision. Emphasise the unique and attractive aspects of your cybersecurity position and company, such as the impact and value of your cybersecurity work, the opportunities and support for your cybersecurity learning and development, and the culture and environment of your cybersecurity team and company.
Overcome the obstacles and challenges of your cybersecurity position and company: Acknowledge and address the potential drawbacks and difficulties of your cybersecurity position and company, such as the workload and pressure, the complexity and uncertainty, and the competition and risk. Provide solutions and reassurances for your cybersecurity candidates, such as the resources and tools, the guidance and mentorship, and the recognition and rewards you offer your cybersecurity employees.
Create a sense of urgency and excitement for your cybersecurity position and company: Encourage your cybersecurity candidates to act fast, apply, and express your confidence and enthusiasm for working with them. Use positive and persuasive language, such as “Don’t miss this opportunity”, “This is a rare and exciting chance”, and “We can’t wait to have you on board”. Follow up with your cybersecurity candidates and keep them updated on the status and progress of their applications.
Pay them what they’re worth and acknowledge their worth: If you have an excellent candidate with the skillset and mindset to improve your organisation’s cybersecurity, then pay them what they’re worth. Make them feel valued and, sometimes more importantly, seen.
Final Thoughts
Recruiting in the cybersecurity industry, where you can find and hire your company’s best cybersecurity talent, is challenging but rewarding. By following the dos and don’ts in this article, you can improve your cybersecurity recruitment strategy and outcomes and build a solid and successful cybersecurity team. But I want to hear your thoughts on attracting talent to your organisation.
ALSO PUBLISHED AT: