Talk to any cybersecurity leader these days, and the difficulty of finding talent to fill key positions is likely to be a top concern. The US Bureau of Labor Statistics projects a 33 percent increase in demand for information security analysts over the next ten years, and that’s on top of the thousands of current unfilled openings. These unfilled positions place a drain on current cybersecurity teams, leading to staff burnout and potentially new vacancies to fill.
How do we stop this vicious cycle? Our cybersecurity team has instituted key practices to reduce turnover and shorten time to fill positions. These practices are focusing on skill development, diverse search and interview practices, and building an entry-level pipeline.
Our team started with a simple question: What aptitudes lead to success? Too many job descriptions start, and end, with skills and experience. By focusing on what an individual has a knack for and how they learn new skills, we have been able to tap large talent pools in other departments at the company. A high percentage of our cybersecurity engineers and analysts transferred in from non-cybersecurity roles and developed cybersecurity-specific skills over time through training and development activities. This approach has required significant investment in training, but the training costs have been much lower than the expense of long-term vacancies and search fees.
Diverse Search and Interview Practices
Diversity, Equity and Inclusion (DEI) is an important focus for many companies today seeking to gain competitive advantage through higher-performing teams. With respect to cybersecurity recruitment and retention, DEI has the added benefit of tapping talent pools that have traditionally been under-represented. We enacted three simple steps to attract and retain diverse candidates:
Building an Entry-level Pipeline
All of us have seen unintentionally humorous job postings requiring ten years of experience with a technology that has only been around for five years. This is only the most visible symptom of the tendency to recruit only senior people. Hiring managers should thoughtfully consider the work, team composition, and future needs when posting new roles. Consider that hiring a junior candidate and having them build skills through aggressive training in their first six months puts a team far ahead of keeping a senior position open for six months. Paid internships are also a valuable pipeline for rapid conversion to entry-level roles upon graduation. If your company does not currently support internships, take some time to build a financial case with company leadership to get a program in place, as it will typically pay for itself through reduced search costs and position vacancies.
The cybersecurity labor shortage will continue to be a systemic problem for many years to come, but the strategies I have outlined here can help any organization reduce the impact on their own cybersecurity teams.