The field of cybersecurity is growing, but the pool of qualified candidates is not. Nearly every industry deals with labor shortage challenges due to the pandemic, the Great Resignation, and other factors. However, cybersecurity was already experiencing recruitment and retention problems. Even with new people entering the market, it would be remiss to count them all as ready for the cybersecurity war. So, how do you recruit and hire cybersecurity professionals in these times? And is technical prowess the only factor to consider?
The Cybersecurity Labor Landscape
To begin the discussion on recruitment and hiring, let’s look at some of the data on the cybersecurity labor landscape.
- The shortage of cybersecurity professionals is 2.72 million globally.
- As of June 2022, there were 714,548 total cybersecurity job openings.
- 78% of decision-makers stated that it’s hard to find certified people.
So, it seems there is a tremendous opportunity for those that want to enter the field. Many employers welcome them, with 91% willing to pay for training and certification. Cybersecurity is an attractive field with the potential for high earnings and upward mobility. With such an appealing opportunity, you could argue that labor shortages will dwindle, especially as more digital natives enter the workforce. So, maybe recruiting and hiring cybersecurity professionals will get easier.
The risk of these presumptions goes back to the idea of qualification, which goes beyond technical skills. In fact, leaders said the highest skill gap in cybersecurity is people skills. This response demonstrates a needed shift from what makes someone a good hire for these roles.
So, why should you care about people skills if candidates have the credentials and experience? As I’ve learned in my decades in the industry, people skills should always be a priority for technical roles. Without these, cybersecurity professionals make crucial missteps based on their own hubris and over-confidence. They don’t communicate or collaborate, and that’s the real reason we’re losing the cybersecurity war. It’s the central theme of my book, The Smartest Person in the Room.
So, let’s talk more about people skills.
Why People Skills Matter in Recruiting and Hiring Cybersecurity Professionals
There are many stereotypes about those in technical roles. It’s easy to lump them all together as bad communicators, inflexible, stubborn, and difficult. Some of this is true, as technical folks often dismiss people skills as unimportant. Yet, they are so vital! Without people skills, these people won’t learn, grow, collaborate, or adapt, and those things are crucial in cybersecurity.
People skills matter because the war zone of cybersecurity isn’t just ones and zeroes. There are hackers on the other side who are deeply passionate about what they do, even though it’s illegal and immoral, to say the least.
Your cybersecurity team needs to have that same passion, which comes only from people skills. The most adept technical professional can be a bad hire when they come up short here.
These are the people skills I think are the most critical:
- Empathy: When someone can understand another’s perspective, it makes them better at their job. They can comprehend someone’s mental state and what that might mean, whether that’s a coworker or a criminal on the other side.
- Communication: This is the number one people skill for cybersecurity candidates. It’s the core of how we operate. Being a great communicator doesn’t mean you say whatever comes to mind. Rather, it balances expressing thoughts wisely and being an excellent listener. Successful interactions within the team and with other stakeholders are imperative to avoid miscommunication and misconceptions, which are the leading causes of cybersecurity failures.
- Adaptability: Cybersecurity is a dynamic field, so those working in it must adapt quickly and be willing and open to change. A lack of this people skill could sink your cybersecurity operations.
- Vulnerability: Being vulnerable is really about being honest and having trust. You’ll have to create a safe place for people to be vulnerable, where no one is scared to be wrong. Making this part of your people skills list can provide an ideal environment for solving cybersecurity challenges.
Gauging these people skills is much more complex than testing technical ability. There are many candidates out there masquerading as qualified applicants. They may be, on paper, that is.
Avoiding Hiring Paper Tigers
Paper tiger is a term in the industry that originates from the Chinese phrase zhi lao hu (纸老虎). In the technical world, it simply means that people look good on paper—resumes with an extensive list of certifications, for example. Yet, they lack the skills, experience, and expertise to succeed in cybersecurity.
Candidates like these will land in your inbox. You may not be able to spot them at first glance. So, you’ll have to draw conclusions based on interviews and conversations. Here are some key things to consider:
- Where did they earn certifications? Not all organizations that provide credentials are “cyber mills,” taking in money to deliver the certification. The most legitimate and credible are practical and scenario-based exams from CompTIA and EC-Council.
- How do they speak about their work experience? Not every applicant will have multiple years of experience, and you shouldn’t discount those new to the field. For those that do, you’ll want to hear about specific projects or responsibilities. Someone who uses a lot of jargon and buzzwords and talks in the abstract is likely a paper tiger.
- What motivates them? Different people have different motivations for why they work. Money is at the top of the list. It’s not necessarily a red flag for those that are money motivated. After all, we’re not working for free. However, you’ll find that those who desire meaningful work (roles that are fulfilling), a collaborative team, and being part of something bigger will rank highly on people skills.
- What kind of people skills do they exude? Ask questions that tie into the people skills described above. You can even “score” their people skills with assessments like TriMetrix® HD.
- Is their knowledge book-based or experience-based? This evaluation concerns your defense posture and whether someone can react in the real world where stress and pressure exist.
- How big is their ego? Ego can be a detriment to cybersecurity when your employees believe they can never be wrong. They will be wrong eventually and many times over. If their ego doesn’t fit through the door, it won’t fit on your team, either.
- How do they work? Someone’s approach to the day-to-day matters, and you want to see someone with focus. Ideally, in cybersecurity, your employees should be mono-taskers (the opposite of multi-taskers). That undivided attention is necessary in the high-stakes world of cybersecurity.
Now that you know what people skills are critical and the steps to avoid paper tigers, I’ve got a few more tips for recruiting and hiring cybersecurity professionals.
Final Takeaways on Recruiting and Hiring Cybersecurity Professionals
- Look to past hiring decisions as learnings, whether they turned out good or bad. Even as you evolve how you hire and recruit, you won’t always make the perfect hire. If you can learn from the past, you’ll be better prepared for the next hire.
- Treat the interview as a conversation. You want to learn about the candidate, and they need to find out about the organization. Making these interactions rigid and controlled is a disservice. That’s not how things play out in the real world, so don’t treat this like an inquisition.
- Don’t sell your organization short by filling the chair with anyone. A chair occupied by a paper tiger could cause more chaos than harmony. Don’t rush the hiring process because of these feelings. It’s always better to wait for the right person than make do with someone who isn’t.
- Be sure the candidate fits your culture. When there’s misalignment here, the hire often becomes turnover. Talk about the culture of the organization and your department to discern how they’ll fit in with your organization. The assessment discussed earlier can help you determine this, too.
- Be wary of job-hoppers. I typically screen these people out, but it’s not a rule without exceptions. They may have shorter tenures because of things outside of their control (e.g., layoffs, relocations, etc.). For anyone who’s trying to hire cybersecurity professionals, you know job-hopping is rampant. Consider the circumstances and context, then exclude anyone that looks like a risky hire.
- Remember that people skills are teachable, and you can help your team develop them. That’s the sentiment behind the Secure Methodology, a seven-step guide to advancing technical folks from two-dimensional stereotypes to fully engaged and highly communicative team members. Of course, your staff has to be open to change and growth for this to work, which is one more reason to look for those with high potential for people skills in the hiring process.
Get more tips and strategies on how to build a team of cybersecurity professionals to help you win the cybersecurity war by reading my book, The Smartest Person in the Room.