
Cybersecurity Jobs

How to Recruit and Hire Cybersecurity Professionals to Help You Win the Cybersecurity War

The field of cybersecurity is growing, but the pool of qualified candidates is not. Nearly every industry deals with labor shortage challenges due to the pandemic, the Great Resignation, and other factors. However, cybersecurity was already experiencing recruitment and retention problems. Even with new people entering the market, it would be remiss to count them all as ready for the cybersecurity war. So, how do you recruit and hire cybersecurity professionals in these times? And is technical prowess the only factor to consider?

The Cybersecurity Labor Landscape

To begin the discussion on recruitment and hiring, let’s look at some of the data on the cybersecurity labor landscape.

  • The shortage of cybersecurity professionals is 2.72 million globally.
  • As of June 2022, there were 714,548 total cybersecurity job openings.
  • 78% of decision-makers stated that it’s hard to find certified people.

So, it seems there is a tremendous opportunity for those that want to enter the field. Many employers welcome them, with 91% willing to pay for training and certification. Cybersecurity is an attractive field with the potential for high earnings and upward mobility. With such an appealing opportunity, you could argue that labor shortages will dwindle, especially as more digital natives enter the workforce. So, maybe recruiting and hiring cybersecurity professionals will get easier.

The risk of these presumptions goes back to the idea of qualification, which goes beyond technical skills. In fact, leaders said the highest skill gap in cybersecurity is people skills. This response demonstrates a needed shift from what makes someone a good hire for these roles.

So, why should you care about people skills if candidates have the credentials and experience? As I’ve learned in my decades in the industry, people skills should always be a priority for technical roles. Without these, cybersecurity professionals make crucial missteps based on their own hubris and over-confidence. They don’t communicate or collaborate, and that’s the real reason we’re losing the cybersecurity war. It’s the central theme of my book, The Smartest Person in the Room.

So, let’s talk more about people skills.

Why People Skills Matter in Recruiting and Hiring Cybersecurity Professionals

There are many stereotypes about those in technical roles. It’s easy to lump them all together as bad communicators, inflexible, stubborn, and difficult. Some of this is true, as technical folks often dismiss people skills as unimportant. Yet, they are so vital! Without people skills, these people won’t learn, grow, collaborate, or adapt, and those things are crucial in cybersecurity.

People skills matter because the war zone of cybersecurity isn’t just ones and zeroes. There are hackers on the other side who are deeply passionate about what they do, even though it’s illegal and immoral, to say the least.

Your cybersecurity team needs to have that same passion, which comes only from people skills. The most adept technical professional can be a bad hire when they come up short here.

These are the people skills I think are the most critical:

  • Empathy: When someone can understand another’s perspective, it makes them better at their job. They can comprehend someone’s mental state and what that might mean, whether that’s a coworker or a criminal on the other side.
  • Communication: This is the number one people skill for cybersecurity candidates. It’s the core of how we operate. Being a great communicator doesn’t mean you say whatever comes to mind. Rather, it balances expressing thoughts wisely with being an excellent listener. Successful interactions within the team and with other stakeholders are imperative to avoid miscommunication and misconceptions, which are the leading causes of cybersecurity failures.
  • Adaptability: Cybersecurity is a dynamic field, so those working in it must adapt quickly and be willing and open to change. A lack of this people skill could sink your cybersecurity operations.
  • Vulnerability: Being vulnerable is really about being honest and having trust. You’ll have to create a safe place for people to be vulnerable, where no one is scared to be wrong. Making this part of your people skills list can provide an ideal environment for solving cybersecurity challenges.

Gauging these people skills is much more complex than testing technical ability. There are many candidates out there masquerading as qualified applicants. They may be qualified, on paper, that is.

Avoiding Hiring Paper Tigers

Paper tiger is a term in the industry that originates from the Chinese phrase zhi lao hu (纸老虎). In the technical world, it simply means that people look good on paper—resumes with an extensive list of certifications, for example. Yet, they lack the skills, experience, and expertise to succeed in cybersecurity.

Candidates like these will land in your inbox. You may not be able to spot them at first glance. So, you’ll have to draw conclusions based on interviews and conversations. Here are some key things to consider:

  • Where did they earn certifications? Not all organizations that provide credentials are “cyber mills,” taking in money to deliver the certification. The most legitimate and credible are practical and scenario-based exams from CompTIA and EC-Council.
  • How do they speak about their work experience? Not every applicant will have multiple years of experience, and you shouldn’t discount those new to the field. For those that do, you’ll want to hear about specific projects or responsibilities. Someone who uses a lot of jargon and buzzwords and talks in the abstract is likely a paper tiger.
  • What motivates them? Different people have different motivations for why they work. Money is at the top of the list. It’s not necessarily a red flag for those that are money motivated. After all, we’re not working for free. However, you’ll find that those who desire meaningful work (roles that are fulfilling), a collaborative team, and being part of something bigger will rank highly on people skills.
  • What kind of people skills do they exude? Ask questions that tie into the people skills described above. You can even “score” their people skills with assessments like TriMetrix® HD.
  • Is their knowledge book-based or experience-based? This evaluation concerns your defense posture and whether someone can react in the real world where stress and pressure exist.
  • How big is their ego? Ego can be a detriment to cybersecurity when your employees believe they can never be wrong. They will be wrong eventually and many times over. If their ego doesn’t fit through the door, it won’t fit on your team, either.
  • How do they work? Someone’s approach to the day-to-day matters, and you want to see someone with focus. Ideally, in cybersecurity, your employees should be mono-taskers (the opposite of multi-taskers). That undivided attention is necessary in the high-stakes world of cybersecurity.

Now that you know what people skills are critical and the steps to avoid paper tigers, I’ve got a few more tips for recruiting and hiring cybersecurity professionals.

Final Takeaways on Recruiting and Hiring Cybersecurity Professionals

  • Look to past hiring decisions as learnings, whether they turned out good or bad. Even as you evolve how you hire and recruit, you won’t always make the perfect hire. If you can learn from the past, you’ll be better prepared for the next hire.
  • Treat the interview as a conversation. You want to learn about the candidate, and they need to find out about the organization. Making these interactions rigid and controlled is a disservice. That’s not how things play out in the real world, so don’t treat this like an inquisition.
  • Don’t sell your organization short by filling the chair with anyone. A chair occupied by a paper tiger could cause more chaos than harmony. Don’t rush the hiring process because of these feelings. It’s always better to wait for the right person than make do with someone who isn’t.
  • Be sure the candidate fits your culture. When there’s misalignment here, the hire often becomes turnover. Talk about the culture of the organization and your department to discern how they’ll fit in with your organization. The assessment discussed earlier can help you determine this, too.
  • Be wary of job-hoppers. I typically screen these people out, but it’s not a rule without exceptions. They may have shorter tenures because of things outside of their control (e.g., layoffs, relocations, etc.). For anyone who’s trying to hire cybersecurity professionals, you know job-hopping is rampant. Consider the circumstances and context, then exclude anyone that looks like a risky hire.
  • Remember that people skills are teachable, and you can help your team develop them. That’s the sentiment behind the Secure Methodology, a seven-step guide to advancing technical folks from two-dimensional stereotypes to fully engaged and highly communicative team members. Of course, your staff has to be open to change and growth for this to work, which is one more reason to look for those with high potential for people skills in the hiring process.

Get more tips and strategies on how to build a team of cybersecurity professionals to help you win the cybersecurity war by reading my book, The Smartest Person in the Room.

Tips for Certified Cybersecurity Professionals to Find Jobs

There are many ways to land a job that requires the CISSP (Certified Information Systems Security Professional) or any other cybersecurity certification. In this post, I share three methods to empower you to find your ideal job, leveraging your CISSP (or any other) certification. I hope these techniques enable you to land a job in cybersecurity that resonates with you.

I use CISSP throughout this example. You can easily use this tactic with other cybersecurity certifications, such as the Security+.

#1: Research CISSP Job Openings


You should research CISSP job openings in the location where you are seeking a job or where you are considering moving. According to CyberSeek, there are currently 77,492 open jobs in the United States that require the CISSP certification. Of the 77,492 open CISSP jobs, 2,031 are in the Public Sector, and 75,465 are in the Private Sector.

[Figure: Job openings in the United States that require the CISSP certification. The orange number represents CISSP certification holders; the blue number represents openings requesting the CISSP.]

If you live in Arkansas and want to stay in Arkansas, as an example, there are 265 open CISSP jobs in the entire state of Arkansas.

If you want to move to Texas, for example, there are 6,333 open CISSP jobs in Texas.

#2: Determine Which Organizations Hire People with the CISSP Certification

This technique involves you actively seeking a CISSP job.

There are several paths you can take:

  1. you can work for the DoD as an actual DoD employee (civilian or military)

  2. you can work for the DoD as a contractor

  3. you can work in the private sector

Steps to become part of the DoD as a DoD civilian or member of the military are beyond the scope of this article. I will focus on numbers two and three above. If you are seeking a job as a DoD contractor or in the private sector, the process is the same because private companies that have DoD contracts hire DoD contractors. Private companies also hire CISSPs for private sector work.

A good place to determine which companies are hiring CISSPs is indeed.com. As of this writing, there are 13,469 open CISSP jobs in the United States.

According to indeed.com, the company Deloitte has 514 open CISSP jobs, and Washington, DC has 765 openings for people with the CISSP certification.

Another source to determine which organizations are hiring CISSPs is LinkedIn. Search “CISSP” on LinkedIn and set the focus of the results to “Jobs.”

As you can see from the screenshot, there are 25,997 open jobs in the United States that require the CISSP certification.

#3: Update your LinkedIn profile with your CISSP certification

This technique involves you passively seeking a CISSP job.

Many employers, recruiters, and headhunters use LinkedIn to search for people with the CISSP certification. Listing your CISSP certification on your LinkedIn profile will make you show up in searches for “CISSP.”

In the screenshot above, I searched for CISSP, then switched the results to “People.” As you notice, one guy even listed “Studying for CISSP Exam” in his LinkedIn “Headline” and he showed up. The second person put it after their name, like “John Smith, CISSP”. The third person listed the CISSP certification as their LinkedIn Headline. Any of these approaches work to get the attention of employers, recruiters, and headhunters. Just be prepared to be bombarded with “incredible opportunities” and lots of new connection requests.

Conclusion

I hope you find these strategies useful in your hunt for your ideal cybersecurity job. Best of luck!

The Urban Legend of the Cybersecurity Skills Gap

According to the Information Systems Security Association (ISSA), we’re facing a cybersecurity skills crisis. Their recent report calls the gap in qualified individuals a “rapidly widening business problem,” claiming businesses are investing their resources in the wrong places when it comes to cybersecurity.

ISSA partnered with Enterprise Strategy Group (ESG) to look at the state of qualified cybersecurity professionals in the workforce. Around 70% of respondents to their survey said they felt a lack of cybersecurity skills within their organization was affecting their company. According to the cybersecurity organization (ISC)², almost three million cybersecurity jobs needed to be filled globally as of 2018.

Most people agree that this is a serious problem. The lack of qualified professionals at major businesses with knowledge in cybersecurity is exacerbating data breaches, and has been called an “existential threat to our national security.” What there doesn’t seem to be a consensus on is how that problem should be solved.

Are There Really Not Enough Qualified People to Fill the Cybersecurity Skills Gap?

The short answer seems to be no. Rather, the problem seems to lie with the paths made available to talent looking to get into the cybersecurity industry.

For a long time, the university path has been the main place students get recruited into cybersecurity jobs. Organizations recruit from universities, and many require a college degree as part of their job descriptions for cybersecurity roles. But there are thousands of talented people that miss out on these job opportunities simply because they don’t choose to go to college.

In an article for Forbes, cybersecurity contributor and CEO of Immersive Labs James Hadley argues that the cybersecurity skills gap won’t be mitigated through the classroom. He argues that self-taught, talented people should be recruited and trained by organizations before they take their talents to the wrong side. He writes:

“The world is desperate for cybersecurity talent, yet the sector limits entrants and clings to obsolete training methods. As the skills gap grows and organizations become increasingly vulnerable to ever-more-complex threats, the need for a diverse pool of cybersecurity experts to learn in real-time, rather than a classroom, strengthens.”

Hadley cites 22-year-old Daniel Kelley, who hacked the telecom company TalkTalk, stole the data of thousands of users, and used it for blackmail, as an example of what could happen when people who feel snubbed by the system use their talents for ill. Kelley didn’t make the grade required for a computer course and attacked TalkTalk out of a desire for revenge. He could’ve ended up using his skills to help instead of hurt, Hadley argues, had that path not been closed off to him.

Companies don’t want to train employees, preferring that they come to the job with the skills they need already, but the nature of cybersecurity work demands constant retraining and maintenance of those skills. There are qualified people ready to help stop the next cybersecurity threat if companies are willing to adapt to them.

How Can Companies Fill The Gap?

The threat of cyberattacks and hacking isn’t going away. In fact, they’re likely to increase as time goes on and the technology both companies and hackers use becomes more sophisticated. That’s why businesses should do everything they can to make themselves resilient to cyber threats. How can they do that?

First, hire and train the right people. Provide them with the time and resources they need to continually develop their skills to match the changing threat and technological landscape. Devote more of the company budget to cybersecurity. Currently, 49% of companies say that cybersecurity is a budget priority, but pros say that figure should be closer to 60%.

A shift away from the traditional job requirements of a university degree path would allow for the scouting, hiring, and training of the right people. Instead of academic background, those in the cybersecurity field would be better served by looking at a candidate’s skill sets. Do they have the skills needed for the job, even if they don’t have the degree? If they do, invest in that talent.

A few of the skills necessary for cybersecurity jobs:

  • Relevant past work experience,
  • Ability to understand advanced cybersecurity concepts,
  • Cybersecurity certifications,
  • Strength in non-technical soft skill areas.

University education can help, but it shouldn’t be the only factor in determining whether a potentially promising candidate in the cybersecurity field gets turned away, especially if that candidate could broaden the diversity of the field. Women represent only 23% of the cybersecurity workforce, according to (ISC)², and that number is after they broadened the definition of who works in cybersecurity.

It isn’t just companies that can help close the gap and guide more capable people into a cybersecurity career. Government initiatives like the UK’s Cyber Discovery free training program can help people explore their interest in IT, and ultimately decide that it’s a good career for them. State and federal governments in the U.S. should implement their own programs to seek out and support talent in a similar fashion.

Part of solving this problem will be getting the word out. Careers in IT and cybersecurity aren’t talked about as widely as more traditional paths like doctors or nurses, or trendier digital careers like YouTuber or Instagram influencer. But the fact is that people who have these jobs hold them a long time, are satisfied with the work they do and are compensated very well for their efforts. If more people knew that, starting at a younger age, they might find a place for their skills where they didn’t think one existed.

Companies can put themselves at the front of the pack by taking the initiative to find and recruit top talent outside the conventional pipeline. And they can do it by being willing to invest the time and money in proper, ongoing training. The cybersecurity skills shortage isn’t all that frightening if you know where to look to close the gap and are willing to take action.


Cybersecurity Paper Tigers are Killing Us


A paper tiger is a fake tiger, made of paper. It may appear to be a real tiger, but it has no substance, is unable to stand up to challenge, and can’t perform any other tiger duties.

Wikipedia defines a paper tiger as this:

“Paper tiger” is a literal English translation of the Chinese phrase zhilaohu (纸老虎/紙老虎). The term refers to something or someone that claims or appears to be powerful and/or threatening, but is actually ineffectual and unable to withstand challenge.


CompTIA has made the Security+ exam more difficult by adding “performance-based questions” to help with the paper tiger issue.

How do paper tigers relate to cybersecurity?

In my mind, the “paper” is often a cybersecurity certification and the “tiger” is the person holding the certification. A person with a CompTIA Security+ certification, for instance, may appear to be a real cybersecurity tiger. If this person just memorized exam questions, didn’t learn any material, and passed the CompTIA Security+ certification exam, though, they are a cybersecurity paper tiger.

My company, Alpine Security, gets routine inquiries about our cybersecurity training. Many people assume we will just “teach the test”. Some people have even mentioned to us that other cybersecurity training providers offer onsite exams allowing people to take the exam “open book” and “as a group”, even though the exam is supposed to be taken solo, closed book. These behaviors breed more paper tigers. Is it any wonder why we have so many data breaches?

Cybersecurity Paper Tigers are Killing Us

Cybersecurity paper tigers are killing us for a number of reasons:

  • They don’t know enough to actually help with cybersecurity defense. Paper tigers are often responsible for cybersecurity controls, plans, policies, training, etc. The paper tigers don’t actually know much, though, so the risk of them doing something wrong or ineffectively is very high. This is sort of like asking your 5-year-old if he can drive your car. He says “yes”, so you let him drive to the grocery store. The outcome will not end well.
  • They hire other paper tigers. People tend to want to be around people like them. Also, paper tigers typically have fragile egos, so hiring someone that knows less than them is often what they do. Fragile egos stem from incompetence and being “found out”.
  • They devalue cybersecurity certifications. Cybersecurity certifications still have a worth, but they used to mean more before the influx of the paper tigers. In the past, if you hired someone with the Certified Ethical Hacker (CEH) certification, you knew they had a certain level of knowledge, skills, and abilities. Now, you may see someone certified that doesn’t really know anything. I’ve interviewed people with penetration testing certifications that couldn’t tell me what nmap was…
  • They are not passionate about cybersecurity. This is sort of the elephant in the room. People that are passionate about a topic, industry, career, etc., make efforts to master these areas. Paper tigers are dabblers. They dabble just enough to give the appearance of expertise. If they are dabblers in their careers, the chance is they are dabblers in everything in their life.

Cybersecurity criminals are masters of their trade – not dabblers. A dabbler will always lose to a master.


The CEH Master requires a practical. Paper tigers need not apply.

What can we do about the cybersecurity paper tiger issue?

There are two areas to focus on to get rid of paper tigers:

  1. Cybersecurity certifications that require a practical. Many certifications are moving towards having practical components. The CEH, for example, has two programs. The first is “Certified Ethical Hacker”, where you have to pass a multiple-choice exam. The second is “Certified Ethical Hacker Master”, where you have to pass both the CEH multiple-choice exam and a CEH practical exam. Paper tigers may be able to pass a multiple-choice exam, but they will likely fail a practical exam, unless they actually learn some material. Learning some material may strip them of their paper tiger status!

  2. Hiring procedures. We need to do better at interviewing and screening cybersecurity applicants. Just because someone has multiple cybersecurity certifications, doesn’t mean they know the material. It’s an employer’s duty to screen applicants appropriately. The people doing the interview need to know about the certifications or be certified in those areas themselves in order to discern the paperness of the tiger. For instance, if I’m interviewing someone with a Security+ certification, I should know the basics covered in Security+ so I can validate the candidate’s knowledge.

Let’s do the cybersecurity industry a favor and work to get rid of the paper tigers.