Do you struggle to hire and retain cybersecurity professionals? Does it seem like this problem is only getting worse, right when attackers are getting more sophisticated?
You’re not alone.
The International Information System Security Certification Consortium’s (ISC²) annual cybersecurity workforce study found a worldwide gap of 3.4 million cybersecurity workers — and that’s after this workforce grew just over 11% from 2021 to 2022, adding 464,000 jobs last year alone.
This isn’t just a risk of burnout among the current security staff, but a risk to the whole organization. The same study found that a significant percentage of the 11,779 practitioners and decision makers it surveyed reported that the following things that they have experienced might have been mitigated if they had enough cybersecurity staff:
And, the study reported, each of these fears saw an increase year over year.
So why is it so hard to recruit security engineers? More and more, it seems more like it’s not them — it’s you.
Cybersecurity job descriptions trend toward the generic, yet excessive, putting an impossible load on one person. Security job ads not only tend to ask for unrealistic levels of experience and credentials, but they also lack connection to the specific organization’s challenges and to candidates’ desire to find purpose in what they do.
A lot has to change before the tech industry can even begin to fill the ever-increasing demand for cybersecurity. Read on to learn how to successfully recruit people to fill tech’s hottest jobs: cybersecurity professionals.
A big part of the problem with recruiting security professionals comes down to organizations not understanding their particular needs — which are subsequently reflected in catch-all job descriptions.
“When people say: ‘I want someone to do cybersecurity,' they probably aren’t being very specific,” Olu Odeniyi, a cybersecurity and digital transformation consultant, told The New Stack.
Organizations don’t really know what they need because security is a broad field. For instance, the U.K. Cyber Security Council has actually identified 16 specializations within cybersecurity, which can encompass, include or sometimes overlap with information security and privacy.
An important part of his role is helping boards understand cybersecurity better. In fact, one of the most in-demand cybersecurity roles is creating cross-company security awareness. This typical lack of understanding is why Odeniyi had a client’s chairperson declare to his board: “We’ve had a cyber attack!” when really the company just had to address an important vulnerability.
Whether it's privacy regulations, cyber threats or simply commercial risks, he continued, each organization has to ask itself what skills it really needs to keep itself secure: “An organization needs to do a risk assessment that’s unique to that organization.”
Odeniyi further recommended starting with the goals of the company, answering:
And then craft roles around those strategies.
As an example, Odeniyi told The New Stack about a mostly brick-and-mortar company that has made it part of its strategic goals to build an e-commerce site, application and back-office operations behind it. Cybersecurity and information security must be critical parts of that strategy from the start. Which roles are needed to help deliver that?
Then, he added, “Recruiters need to link these roles with the strategic objectives of the company so those people want to do that role,” and advertise them “not just as some sort of geek. Help them understand where they’re going, what they’re supporting.”
“We do a terrible job of marketing ourselves as an industry to get into,” Masha Sedova, co-founder and president of Elevate Security, told The New Stack.
“Most people think about cybersecurity as a hacker with a hoodie in a basement stealing bitcoins and hacking into systems. It’s actually about protecting someone’s retirement account so they can retire safely, protecting people who are vulnerable, protecting small businesses.”
It’s proven that women want a purpose-driven career, and that millennials are even choosing purpose over paychecks. In fact, when hiring, Sedova is consistently asked by candidates: How will this job make positive change in the world?
Yet, she observed, the cybersecurity industry is missing the mark — and the marketing — in portraying the value of these roles to the betterment of lives. “I feel like we only show up with the hard edge,” she said. She advocated advertising security jobs as being less technical and more problem-solving, with an element of giving back and altruism.
“The mission of cybersecurity is incredibly powerful and it meets a lot of people’s need for making an impact for the world,” she said. “If we can change how we talk about it, if people can realize their time and energy can be used to be protective of digital citizens, we can attract a new generation.”
Not to disregard the technical prowess needed, Sedova clarified: “I think there are a lot of people who are capable of running the technical — but you don’t have to be a perfect coder.”
There are many reasons the cybersecurity candidate pool is shallow, but everyone interviewed for this piece cited the same one: the absurdity of catch-all cybersecurity job ads.
“Job descriptions are often terrible. [They] ask for more experience than actually exists in a certain technology,” Chris Hughes, chief information security officer and co-founder of Aquia, a cybersecurity services company, as well as host of the Resilient Cyber podcast and adjunct professor at University of Maryland Global Campus, told The New Stack. “The requirements are ridiculous and people don’t apply.”
Even roles described as “entry-level” often come with unrealistic prerequisites.
“We put really high entry-level bars — minimum years of experience, certifications which are long and cumbersome to get, a degree in cybersecurity,” Sedova said, red-flagging these as both financial and time barriers to entry.
Before co-founding her own risk-management platform, she hired and managed security expert teams, including at Salesforce, and has found that folks coming from non-traditional backgrounds bring a great problem-solving mindset to security.
“The mission of cybersecurity is incredibly powerful and it meets a lot of people’s need for making an impact for the world. If we can change how we talk about it, if people can realize their time and energy can be used to be protective of digital citizens, we can attract a new generation.”
—Masha Sedova, co-founder and president, Elevate Security
Cybersecurity job descriptions, Odeniyi observed, often only focus on technical requirements. “People think cybersecurity is about IT,” he said. “Cybersecurity sits in the IT department, but cybersecurity is about people, processes, and tech — not just technology.”
In writing the job ad, focus on the goals and purpose of the role, and not on just the detailed tasks and certifications you think a candidate needs.
Unsure how to improve? Follow Naomi Buckwalter on LinkedIn, as the information security expert shares a new entry-level cybersecurity job daily, underlining good and bad examples, and flagging openings that are good for career changers and for non-technical versus technical candidates.
On top of the off-putting job descriptions, it may actually be the arduous selection process itself that is deterring applicants.
“The hiring process for cybersecurity professionals can be difficult and time-consuming, discouraging some candidates from applying or preventing companies from pursuing specific candidates,” Philip Chan, adjunct professor at the School of Cybersecurity and Information Technology at the University of Maryland Global Campus, told The New Stack.
Even for someone interested in starting out in or moving into cybersecurity, there’s no clear path to entry beyond a degree, a bunch of certifications and an existing network.
“Job descriptions are often terrible. [They] ask for more experience than actually exists in a certain technology. The requirements are ridiculous and people don’t apply.”
—Chris Hughes, chief information security officer and co-founder, Aquia
“We don’t know how to interview creatively for these roles,” Sedova said, pointing to how other tech job processes leverage logic questions and other ways to work out how a candidate problem solves, while cybersecurity still heavily relies on past experience and certifications — despite the immense talent gap.
Recent research out of Harvard and Stanford Universities explored the characteristics of someone with a "security mindset," which researchers qualified as three interconnected aspects:
They found this mindset is developed by both professional and personal experience, with “curiosity about technical systems” emerging as the single most important quality for success in cybersecurity. The authors of the study suggested that employers and recruiters balance technical and qualitative evaluations:
“For example, they might combine a bug-bounty performance test with a task of explaining the relative risk of different bugs, given different sets of background assumptions. They might also ask candidates for their preferred sources of information about the relative risks of security flaws, or they might inquire about the candidate’s interactions with CISOs or other staff who are more likely to hold an evaluating-heavy role.”
It’s as much or more about thinking creatively and logically about vulnerabilities in a system, Sedova remarked, than it is about being able to put yourself in the mindset of an attacker. Can you create tests or experiences to test someone’s security mindset?
A 2018 symposium on Usable Privacy and Security found the most common perceptions of cybersecurity are “It’s scary…it’s confusing… and it’s dull.”
In both cybersecurity recruitment and advocacy, researchers at the University of Maryland, Baltimore County found that it’s essential to focus on situational context as well as on educating and speaking to different levels of technical understanding.
In the absence of people to fill security jobs and considering that recruitment costs far more than retention, organizations should upskill their current employees.
“The field of cybersecurity is constantly evolving, which means that professionals need to update their skills and knowledge continuously,” Chan said. Companies trying to hire and retain cybersecurity professionals with constant training requirements can be challenging.”
Considering these trainings and certifications can cost upwards of $4,000, companies can consider paying for that education as a way to attract and retain talent.
A role Odeniyi would like to see more of in 2023 is cybersecurity culture management — "and I just made that role up because I’ve not seen it advertised,” he said.
Such a role would influence the whole culture of the company to consider the people, processes and training necessary to cultivate that cybersecurity mindset. An employer might be better at identifying the right personalities and skill sets among its existing staff rather than seeking them from outsiders.
Recognizing another gap, Odeniyi would like someone to lead the operationalization of cybersecurity, looking to define and support the continuous IT security operations in the needs of an organization.
“The fundamental issue is, technology changes very fast and faster than we can get laws and regulations in place to try to get faster, and faster than we can train up people into their sectors,” he said. This position would require someone with a cross-functional role and mindset.
Hughes pegged the most in-demand skill sets as cloud security and DevSecOps. Of course, these are not entry-level roles. But if someone has a background in Kubernetes and containers, he said, “having technical depth and soft skills — being able to communicate, and good relationships and rapport with developers and leaders” could make them good candidates.
Sedova spotted entry-level roles within a company that could make logical segues into cybersecurity work, like those who work in incident response, security operations center analysis, and junior project management roles.
Cyversity is a non-profit that offers courses and mentorship to bring more women and underrepresented minorities into cybersecurity. Sedova mentioned there are also a lot of cyber mentoring programs sponsored by banks and governments.
Any cybersecurity onboarding program needs to be grounded in psychological safety to counter imposter syndrome. Even very highly qualified security professionals, Sedova said, can have painful experiences that leave them feeling inadequate.
There are so few entry-level roles in the current cyber industry, which is all the more reason, she said, that companies need to provide coaching, being sure to say: “It’s OK to not know.”
Michelle Lebesley, a security awareness lead who works as a consultant, argued that hiring managers shouldn’t be asking why cybersecurity professionals are hard to find, but rather flip it to: Why do you think people aren’t applying to your organization?
“If you’re looking for a good security engineer or a good security solutions architect, or my job, there are millions of us,” she said. “People self-select out because either they see the company doesn’t look welcoming or it’s all straight white people. Very few people will want to be the first Black person or disabled person at a company.”
“Diversity is a huge problem,” echoed Sedova, and a lack of it continues to create toxic working environments. According to Zippia, a career and jobs website, 78.5% of cybersecurity analysts in the U.S. are men, with an average age of 42. The gender breakdown of participants in the (ISC²) survey roughly parallels those figures.
“When you fail, it’s because ‘women can’t do cybersecurity’ or ‘Black people can’t do cybersecurity’ versus you’re new,” she said. “It’s a high-stakes game when you’re the only one in the room, which sucks.” So folks question if it’s even worth it: “Maybe I’ll go into a career that’s less high stakes and difficult to navigate.”
Like all things in tech, there’s a need for different voices to ask questions, which is how Lebesley described the crux of her day-to-day role in security awareness.
“You need the canaries in the coal mine,” she said. “ You need people from different backgrounds, a breadth of knowledge and life experience, but then they might not be considered,” in the typical cybersecurity job process.
Lebesley referred to loads of candidates who she described as “interested, motivated, whip-smart, incredibly great people, [but] their face doesn’t fit. Their name doesn’t sound right. It doesn’t sound like they will say yes. I honestly think it’s getting worse.”
“People self-select out because either they see the company doesn’t look welcoming or it’s all straight white people. Very few people will want to be the first Black person or disabled person at a company.”
—Michelle Lebesley, security awareness consultant
And with the tech layoffs, there’s a reasonable fear that there will be a backslide on the recent push for more diverse teams.
Cybersecurity hiring processes are notoriously gatekeeping, even for the tech industry. Every person interviewed for this piece cited a person’s network as the most common way to find a cybersecurity job — and building that network often favors people who have the time and money to attend conferences.
Similarly, as interviewing.io found, there’s a technical interview practice gap, where candidates from traditional backgrounds — and especially those from the top 20 American computer science programs — widely outperform those from non-traditional backgrounds, such as boot camp graduates or professionals who are self-taught.
In addition, the mock interview company found that women were more easily discouraged by setbacks: they quit interview practice seven times more often than men, after just one bad interview.
Facing so many hurdles, Lebesley predicts those marginalized in cybersecurity will start to create their own companies and organizations.
She already sees this on Black-led social media platforms and predicted that safe spaces will continue to crop up as a solution to hostile work environments in 2023: “People just want to work in a safe environment for a company they believe in.”
Google Sues App Developers Over Fake Crypto… April 8, 2024 Apr 08, 2024NewsroomInvestment Scam / Mobile Security Google has filed… (8)
Red Hat Security Advisory 2024-1687-03 – Torchsec April 9, 2024 The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1687.jsonRed Hat officially shut… (8)Debian Security Advisory 5664-1 – Torchsec April 18, 2024 -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5664-1 security@debian.orghttps://www.debian.org/security/… (8)Red Hat Security Advisory 2024-1692-03 – Torchsec April 8, 2024 The following advisory data is extracted from:https://access.redhat.com/security/data/csaf/v2/advisories/2024/rhsa-2024_1692.jsonRed Hat officially shut… (7)
Gloss