Much has been made of the security skills shortage over the last few years. In headlines, at conferences, and in survey after survey, warnings are popping up, all with the same dire predictions: There are more and more ways for hackers to breach digital gates and not enough gatekeepers out there to stop them.
There’s no disputing we have more open security positions than we have available applicants to fill them. And, at first glance, the statistics are staggering: 3.5 million cybersecurity jobs will be available yet unfilled by 2021, despite ransomware attacks growing 350% year-over-year. That’s certainly cause for concern — especially as attackers become more sophisticated, creating new techniques and approaches to overcome barriers intended to block them. But placing blame squarely on a “security skills shortage” overlooks the real issue at hand.
What we have in this industry isn’t a skills shortage. It’s a creativity problem in hiring. To close the existing talent gap and attract more candidates to the field, we need to do more to uncover potential applicants from varied backgrounds and skill sets, instead of searching for nonexistent “unicorn” candidates — people with slews of certifications (like CISSP, CompTIA PenTest+, CySA+, CASP+, CEH and CISM), long tenures in the industry (10+ or, in some cases, 20+ years of experience — longer than most relevant technology has been around), and specialized skills in not one, but several, tech stacks and disciplines (from cloud security to app sec and compliance).
But how? By dropping the secret-handshake-society mindset that enables a lack of diversity in the workforce, deters new entrants to the field, and, ultimately, undermines our ability to stay secure in the long run.
Breaking down barriers to entry
Hiring a security team that thinks the same, is educated the same, and looks and talks the same leads to blind spots. Yet cybersecurity is wrapped up in an air of mystique, from the words we use (malware, ransomware, cryptojacking, encryption) to the image we present (shadowy figures in hoodies). And that reputation as an exclusive, elite club has allowed hiring across the board to become homogeneous. According to a recent global study, 89% of the cybersecurity industry is male, with less than a third from underrepresented groups. And only 7% of cybersecurity pros are under the age of 29.
Part of the problem is a lack of awareness about cybersecurity as a viable career path for candidates inside and outside of tech, largely due to our longstanding “cloak and dagger” approach to what we do. If you asked most folks outside of the industry what the work of a cybersecurity professional entails, I’d imagine very few would be able to tell you. That needs to change. Expanding our recruiting pool and increasing the size of our talent pipeline starts with dropping our “dark arts” attitude and making security more accessible and easily understood — whether it’s through increased visibility at job fairs and career days at a range of institutions, building a pipeline of mentorship programs, or hosting inter-departmental workshops and information sessions.
To reel in more candidates, we need to be explicit about the day-to-day responsibilities of the job, articulate a path for career growth, and dispel the “lone wolf” stereotype that permeates this line of work. The more we step out of the shadows and make cybersecurity more approachable, the easier it is for people to understand what a career in cybersecurity actually entails — which, in turn, enables them to see themselves working in our industry.
Prioritize potential over pedigree
Of course, a large part of the puzzle is expanding our hiring funnel by recruiting outside of our narrow channel of established candidates. Security wins when it’s multi-disciplinary and when we hire people from varied backgrounds. Yet we, as an industry, over-index on pedigree and certifications all the time, even though some of the greatest minds in our field don’t have certifications, or for that matter, college degrees. I’ve seen it happen firsthand — a hiring committee more willing to hire candidates with a degree from an elite university and a splashy tech internship under their belt than a career changer from a separate, yet related, field. I’ve even experienced it in my own career, with a startup manager once telling me to my face that I didn’t “look like security” despite a resume and a computer engineering degree that said otherwise.
Cybersecurity isn’t sorcery. Security-specific skills can be taught. We need to do away with narrow criteria for who will be a good fit for many security roles and shift the way we evaluate resumes so that we look critically at what a candidate is capable of doing instead of looking solely at what they’ve already done. Too often, we expect certain skill sets to be filled in before a candidate gets to us, whether via degrees, certifications, or completed coursework. But the pool of talent that already has those skills is too small. To create the talent supply to fill demand, we need to reach talent that has the aptitude and ability to learn and apply the necessary skills for the job. That means organizations need to get creative and develop their own learning and development initiatives for skill-building, whether it’s a large-scale training initiative aimed at career changers, or something as simple as hosting workshops, meetups, lunch-and-learns, or informational office hours.
De-emphasizing degrees and certifications in job postings levels the playing field and creates more opportunities for diamond-in-the-rough candidates to stand out to hiring managers. Case in point: One of the best and brightest security professionals I ever mentored started her career as a front desk receptionist. She didn’t have the credentials that other cybersecurity professionals had starting out, but she was used to understanding the nuances of human behavior and picking up on anomalies, a critical skill for cybersecurity experts. With guidance and mentoring, she has gone on to become a senior technical program manager in information security.
Rethinking the way we evaluate resumes also means a shift in how we write job posts and how we evaluate candidates once they walk in the door. That means incorporating a first-principles problem-solving approach to recruiting. Oftentimes we ask, “What do we think this job opening should be, and has a candidate done that job elsewhere before?” Instead, we should ask, “What is this person going to do? What is their job going to be? And how should we test for that job?”
Inclusive language has been shown, across the board, to increase the quality and depth of talent, with Deloitte indicating that companies that harness inclusive talent and recruiting strategies have 30% higher revenue per employee than those that don’t. Cybersecurity shouldn’t be any different. When it comes to job postings, the language we use should be aimed at drawing people in, instead of blocking people out. That starts with incorporating inclusive and easily understood language (e.g., “Develop easy-to-use tools and lightweight processes that will help our engineers seamlessly write secure code.”), instead of implicit messages that dissuade candidates from applying (e.g., leading with years-of-experience requirements, or a laundry list of security-specific buzzwords that are indecipherable to most of the outside world).
But adding inclusive language to job posts only goes so far. Once candidates arrive on-site, replacing traditional, academic skills tests with interactive exercises and values and motivations assessments can go a long way in enabling hiring managers to explore and evaluate a candidate’s ability to find real-world solutions, both on their own and alongside the teams they’d be working with. That way, we assess candidates for true security mindset and problem-solving skills, beyond their ability to manage security tools.
Cybersecurity doesn’t have a skills shortage. We have a culture problem that manifests in the ways we source and recruit talent. By removing barriers to entry, prioritizing potential over pedigree, and re-engineering the way we recruit and interview candidates, we can welcome more cybersecurity professionals into the herd instead of continuing the ongoing “unicorn hunt” that will get us nowhere.
Fredrick “Flee” Lee is CISO of Gusto.