It’s no secret that the cybersecurity field has a talent shortage. Experts project that over 3.4 million jobs in the industry remain unfilled. The reasons behind this are numerous—burnout is churning people out, younger generations aren’t entering cybersecurity, and qualified candidates aren’t plentiful. The last one is worthy of discussion. As the industry evolves, so should the idea of “qualified.” To do this, organizations need to shift to cybersecurity skills-based hiring.
The Current Consensus on ‘Qualified’
So, what does being qualified mean to those hiring cyber professionals? In the State of Cybersecurity 2022 Report from ISACA, 55% of cyber leaders said applicants aren’t well qualified. They find people lacking in key areas, including prior hands-on experience, credentials, hands-on training, employer recommendations, degrees, and association memberships.
So, the question is—do these things demonstrate that someone will excel and thrive in cybersecurity? If you look further at the data from the study, the importance of what hiring managers seek doesn’t necessarily align with the skills they believe are most valuable. The most sought-after skills include hard and soft ones:
- Soft skills of communication, flexibility, and leadership
- Cloud computing
- Security controls regarding endpoints, networks, applications, and implementations
- Coding skills
- Software development-related topics, such as languages, machine code, testing, and deployment
- Data-related topics
- Network-related topics
- Pattern analysis
- System hardening
- Computing devices, including hardware, software, and file systems
Soft skills were at the top of the skills gap list. Technical aptitude is also vital, but just because someone has a degree or credential doesn’t mean they know how to apply what they learned. Narrow-mindedness on this can actually lead to hiring “paper tigers,” who look great on paper but don’t have the aptitudes or abilities to be successful.
In an environment where hiring is competitive and challenging, it’s time to readjust your definition of qualified with skills-based hiring in cybersecurity.
What Is Skills-Based Hiring?
Skills-based hiring is an approach to recruitment that focuses on someone having specific competencies and aptitudes. It’s a new method that shifts the emphasis from traditional screening using education, credentials, and previous experience.
It seeks to look at someone holistically, considering their abilities, attitudes, and adaptability. Hiring based on skills makes a lot of sense for cybersecurity. One example is an individual who is proficient in programming languages but doesn’t have a degree in computer science. Another is a person with immense knowledge of cloud computing but no certification.
Skills-based hiring also looks at potential candidates beyond their technical prowess. Since it looks at someone’s complete profile, you can also evaluate their soft skills, which are desperately needed!
Experts Are Adamant About Skills-Based Hiring in Cybersecurity
The push to hire based on skills is something that experts are recommending and urging. At a recent House Homeland Security Subcommittee on Cybersecurity and Infrastructure Protection hearing, many were there to discuss the workforce shortages. Their advice—stop requiring college degrees. The group said that to strengthen the cyber pipeline, the Federal government needs to take the lead in skills-based cybersecurity hiring.
Companies that are sounding the alarm on cybersecurity deficits can take on this new way of hiring. They could even fund skill development when they see someone with potential. Those people could come from many different places—military veterans, people seeking to change careers, new high school graduates, and even internal folks interested in the field. If there’s passion, curiosity, and appeal, you can nurture that to develop the person.
Why Is Skills-Based Hiring the Future of Cybersecurity?
The future of cybersecurity looks a little stark for the good guys. If you don’t have enough skilled employees, you’re automatically more at risk. While you can close some gaps with automation, a human in the loop will always be a strong component of all cyber operations. If the field makes this needed progression toward skills-based hiring, the future looks more manageable and optimistic.
Skills-based hiring finds those you may overlook or discount. It also has much to do with cultural fit and someone’s ability to be agile and flexible. A college degree, experience, or credentials don’t necessarily demonstrate any of these things. Further, if you hire based on skills—hard and soft—you are more likely to retain that person long-term.
By using cybersecurity skills-based hiring, you can:
- Discover people with talent and a growth mindset: When you focus on what someone can do and their range of attributes, you’re likely to find great candidates. They don’t fit the familiar mold, but that can be a good thing. If they have technical knowledge and possess a growth mindset, they could become superstars with some skill development and coaching.
- Attract younger generations: Currently, only 12% of the cyber workforce is 34 or younger. It’s not sustainable, so the urgency to get Gen Z to give cybersecurity a chance is huge. This generation and those even younger have different expectations about work and may avoid cybersecurity because they believe it to be rigid, stale, stuffy, and unchanged. Skills-based hiring allows you to change this false narrative by emphasizing the importance of soft and hard skills. If you’re creating a culture around skills, it should also be one of transparent communication, collaboration, and continuous improvement. Gen Z will find this much more attractive.
- Create equity in hiring practices: If you follow the skills when you recruit, you’ll be able to streamline the process and ensure that candidates get the same treatment regardless of their resumes. It makes hiring more equitable as well. The cyber field has not always been accessible or friendly to all demographics. For example, women represent a small number of cyber professionals. If you reimagine how you hire based on specific skills, you may see more female candidates.
- Develop people over time: Skills-based hiring is also an investment in your people. You make them part of your team with expectations and requirements. This could include technical courses, hands-on training, and soft skill development. With this approach, you are making it clear that you want the person to succeed, and you will give them the resources they need to do so. Such a strategy improves employee satisfaction and retention.
With all this to gain, the next step is implementing skills-based hiring.
How Do You Shift to Skills-Based Hiring in Cybersecurity?
If you want to go in this direction, you’ll need to work on a few areas so you can recruit and hire smarter. It’s not a massive change if you’ve already been assessing skills over diplomas and certifications. It will, however, require you to eliminate old ways of thinking about cybersecurity.
It’s a cultural shift where you want to banish all the stereotypes associated with technical folks—they’re bad communicators and collaborators who only see the world of ones and zeros. Yes, people in technical fields tend to be more pragmatic and logical, but they often don’t deserve the other labels. Your job is finding people outside the box who want to evolve cybersecurity with you.
Here are some tips:
- Redefine your job descriptions and requirements: Start by eliminating the need for a four-year degree and specific certifications. Instead, focus on core competencies, soft skills, personality, communication capabilities, and drive. If there are specific things the person needs to be proficient in, emphasize those, but don’t limit this expertise to having a degree or certification.
- Look for internal talent: Internally posting new jobs is a typical step, but if you do, add some context about whom you’re looking for beyond technical skills. There could be some smart and capable people who want to move into cybersecurity but don’t know how to start. Create relationships with those folks and work out a plan to upskill and reskill them.
- Use assessments to evaluate technical and personal skills: You need people to demonstrate they have the abilities you desire. You can assess them with different tests to understand how they’ll perform. Don’t limit this to only technical skills. You also want to know about their ability to communicate, lead, problem-solve, and think critically.
- Get to know people during the interview process: This part of hiring can be challenging for you and candidates. They’re nervous, and you’re cautious. I urge you to get to know the person and their philosophy on cybersecurity and why they want to be in the industry. You can learn so much from someone when you ask their opinion and perspective. You’ll be able to recognize genuine interest and desire from these discussions.
Skills-Based Hiring in Cybersecurity: Keep Developing Your People
Hiring based on skills fits the field of cybersecurity well. After all, you want employees to be able to deal with a dynamic environment. When you hire this way, you’re likely to find people with the right mix of abilities who want to be there for all the right reasons. Once they are on staff, keep developing them with an emphasis on soft skills. It’s not an easy journey, but you can find lots of advice on how to do this in my book, The Smartest Person in the Room, which features the Secure Methodology™. It’s a seven-step framework for improving and building these capabilities in technical folks. Check it out by getting your copy today.