For several years industry experts have warned of a shortage of cybersecurity talent. Those reports are based mainly on vendor surveys of infosec pros who point to the number of open jobs on their teams.
But two Forrester Research analysts suggested this week the real problem is that infosec leaders are looking in the wrong places for talent.
“I see a lot of entry-level job requirements that ask for five to seven years of experience, or list a lot of computer languages or other technologies they want people to be familiar with — which require three to five years of experience just to get a certification,” Joseph Blankenship, a research director on the company’s security and risk advisory team, said during a panel discussion on diversity at Forrester’s online security and risk conference.
“Instead of looking for all these years of experience in cybersecurity or all these specific toolsets, for entry-level positions look for intellect and motivation. Is this [applicant] someone who can be trained to pick up skillsets? Maybe [recruit] someone from the help desk, or risk, audit and compliance or networking.
“Get outside normal channels. If we continue to look in the same networks, chances are we’re not going to have a different result. You expand the talent pool by not just focusing on skills and years but intellect and motivation.”
Finding more talent to fill jobs is also about making teams more diverse, said moderator Stephanie Balaouras, vice-president and director of Forrester’s security and risk team. This means adding women, people of different ethnicities and even veterans to your cybersecurity teams.
Any team benefits from different world views and unique career experiences, said Blankenship. “There’s certainly a danger in any team environment of becoming an echo chamber because if everyone goes at [a problem] with the exact same frame of mind they’re not bringing a diversity of thought.” And with a diverse threat environment, “you’re not doing yourself any favours, you’re not giving yourself an advantage” if the security team isn’t diverse, she added.
Yet despite recent progress, women still face barriers to getting into male-dominated security teams, said Heidi Shey, Forrester’s lead on data security and privacy, who has researched skills building and talent acquisition.
There’s still “sexism, bias, discrimination” on security teams, women report, whether deliberate or unintentional. “The job can be demanding enough without having someone deal with a toxic culture on top of that,” she said. Small wonder some leave the industry after a time.
It doesn’t help if infosec leaders only reach out to people they know and existing networks for talent, she added. Or if HR recruiters only look for those with military or computer science backgrounds, where historically there are few women.
To get out of this rut, Shey urged infosec leaders to take advantage of the internet to find networking groups and non-profits that focus on women and under-represented groups. One is the Diana Initiative, a conference for women in information security. “What people can do is promote job openings to these various groups and those networks as a way of getting the word out and reaching a wider audience that they didn’t have reach into before,” Shey said.
Some training platforms like Immersive Labs have digital cyber academies, which provide ways of connecting job seekers with companies based on skills rather than relying on resumes, she added. “We have to look beyond what we think of as traditional backgrounds or experience for someone in this industry. Pay attention to those who are career changers, or are looking for new roles, because they bring different types of experiences and perspectives to the table.”
Look within your organization, Shey suggested. Organizations that do this take different approaches. One is to open up cybersecurity training not just to the infosec team but to all employees. That can help spot those who have an interest in moving to a new area. Another is to create an open list of the skills needed for all jobs in the organization, so staff can see that they may have skills that fit another department (including the security team).
Shey knows of one CISO who brought in five people to her team with no experience in cybersecurity. Seventy per cent of their time was spent learning on the job, paired with an experienced staffer. Twenty per cent of their time was spent on coaching and 10 per cent on formal training via courses. “It took a while,” Shey admitted, “and there was a lot of commitment to get it going.”
Finally, Shey advised leaders to reward the right behaviour, such as speaking up, holding respectful debate and collaboration. “Don’t tolerate jerks, toxic behaviour. Call that stuff out, no matter how high performing that person might be because over time, something like that might taint your culture and your team.”
People talk, she added. And those who leave your team won’t recommend it as a good place to work.