7 Tips for Recruiting the Infosec Talent You Need NowNew Ways to Attract Job Candidates and Keep Them Around
Hiring managers will need to get increasingly creative to find talent to fill their vacant information security positions, particularly in a shallow talent pool that is forecasted to get even thinner in the next few years.
The Global Information Security Workforce Study, released earlier this year, estimates the worldwide cybersecurity workforce shortfall will be about 1.8 million people by 2022.
What are some new ways to address this shortage and recruit professionals who can fill the void that many security departments are experiencing? Here are seven suggestions from experts in the hiring trenches.
Direct calls and face-to-face meetings with candidates are crucial to getting the attention of job candidates, says Domini Clark, director of strategy and technical recruitment at InfoSec Connect, an organization that facilitates relationships between hiring organizations and those seeking new opportunities.
"This is the kind of community that needs to know you're legitimate," Clark says. "And most talent just doesn't have the time to dig through a lot of information in a search. What I tell companies is it's not a customer service search. You can't post and pray. You've got to put time and energy into the networking side of it."
Clark also says deploying recruiters on your team who have the knowledge and understanding of the field to talk with job seekers is a must. A recruiter with a fundamental lack of understanding about the field can be a turn-off for an experienced security candidate.
"There's no silver bullet, or one-size-fits-all solution to this, so we have to do multiple things in order to address this skills gap," says Heather Ricciuto, who leads the Academic Initiatives program at IBM Security, which employs more than 8,000 people focused on cybersecurity. "We can't all keep recruiting from the same top schools."
IBM Security has added nearly 2,000 employees to its security business in the last two years with several initiatives. It's entered partnerships with outside education providers, such as Hacker Highschool, which offers free lessons to teens to help them learn cybersecurity and online awareness. IBM recruiters also do regular outreach at hacking competitions around the country. The organization recently announced it will sponsor a scholarship program to send women to the upcoming Hacker Halted conference, an ethical hacking competition taking place in October in Atlanta.
Make Your Job Listing Unique
Infosec Connect's Clark says too many hiring managers are making the mistake of letting the human resources department write job listings
"We've forgotten that this is a supply issue we're working against," Clark says. "We're letting HR teams put up that same old baloney job description."
Keep in mind a job listing is a sales pitch. Rather than a hollow explanation of the company and what it does, include details about why the job opportunity and the security team are both great, Clark advises. The listing should clearly spell out why someone would want to take the opportunity.
"What's in it for them? If you can't answer that question you lost before you even started the game," she says.
Rethink Degree Requirements
Christopher May, technical director of workforce development in the CERT Division of the Software Engineering Institute at Carnegie Mellon University, remembers a time when employment in information security at a research university required a master's degree and several years of experience. But a shallow talent pool means things have changed.
"Without a doubt, we've had to lower that bar," May says.
In recent years, May says, CMU has hired candidates with a variety of degrees and backgrounds. And in some cases, it's hired candidates with no degree at all.
"We've hired individuals with no degree but who have had 15 years of hands-on experience in the military, for example, who are clearly capable," he says. "It's just a fact of life now that with such enormous competition for candidates, you have to look more at aptitude for doing the job instead of education."
May says he seriously considers candidates coming out of the military with relevant training but no degree because they are often very motivated to take on further training and classes needed once hired.
Offer Incentives, Training and Mentoring
Make it clear in the job listing that on-the-job training and education will be provided, May stresses.
"There are effective ways, once you hire an individual, to bring people up to speed without spending a lot of money," he says. "SANS [the SANS Institute] does some good training, for example, among others. There's so much out there and it's all free."
Fulfilling promised training opportunities is essential, May says. "You have to approach training in a systemized way. Tell them 'I want you to be training an hour of each day - or whatever they can tolerate - and then monitor their progress.'"
Look Inside Organization for Candidates
Sometimes the answer to your infosec staffing woes could be right inside your own organization, says Joyce Brocaglia, founder and CEO of Alta Associates, an executive search firm specializing in cybersecurity.
"Corporations are only going to close this gap by investing in the people they have and by providing leadership and mentorships and stretch assignments," she says. "They need to make positive actions to retain the good talent they have."
Brocaglia, who focuses on women in infosec through her organization the Executive Women's Forum, also suggests emphasizing women-specific mentorships to help build a more diverse workforce.
"Women are not seeing leadership that looks like them in security," Brocaglia says. "That does not create a welcome environment for women. The reality is if you ignore 50 percent of the population or don't pay attention to an underrepresented group, we're never going to solve this problem of the workforce shortage."
Consider Your Market
Organizations with offices all over the world may find the talent pool in one region varies widely from the next.
For example, Design SHIFT, an international manufacturer that makes ORWL, an open source secure system for applications, has offices in California, Taiwan, India and France. The company tailors its searches according to the skills they know are strong in each area.
"In India, we hire talent that has strengths in security domains like secure boot, payment stack and IT security, which can be recruited from known resources or competitors," says CEO Olivier Boireau.
Clark says one client with locations in both San Francisco and Texas had to learn not to be "too picky" when setting requirements for hiring someone who lives in the local area.
"I'm advocating for taking someone with 80 percent of what they're looking for but in the location they want, and training the rest of the 20 percent," she says. "In this case it's a win for them, and the candidate gets something too with the opportunity to get this training. These are the kinds of solutions you need to consider rather than keeping that hole in your staff wide open while you continue to search for that perfect unicorn."