According to a recent Conference Board survey, cybersecurity risks are the number one fear U.S. CEOs face in 2019. More money is being spent on cybersecurity than ever before, so how is it possible that organizations of every stripe, from NASA to the city of Baltimore, have still had their systems breached?
One obvious answer is that human beings are naturally curious, so they click on phishing bait. Or these same humans make simplistic passwords that are then stolen. But there’s another, less obvious reason behind these breaches: lack of cybersecurity talent. Employers simply can’t find the employees they need to secure their systems. In fact, Indeed’s 2019 Global Security Outlook found that while demand for cybersecurity professionals jumped by more than 7 percent from 2017 to 2018, interest in cybersecurity jobs has started to wane.
Money isn’t the issue: Employers are willing to pay for the right talent. And these jobs frequently pay top dollar—an average of $128,128 for an application security engineer, according to Indeed.
Looking deeper, Indeed also found that employers must do a better job helping potential applicants find relevant job postings. The three top tech-related searches that result in a click on a cybersecurity job posting are information technology, Amazon, and engineer, but cybersecurity job postings also yielded a high number of clicks from searches for the terms security, full-time, entry-level, and government. That means broadening search terms is one simple step that employers can take to find more cybersecurity candidates, although not every applicant will have top-level credentials.
According to professor (and Def Con 27 goon) Brian Pendelton, organizations also need to look outside traditional cybersecurity arenas to find more diversified talent. “The infosec community needs to get back to its roots of finding intelligent, curious people and training them in house instead of poaching experienced people from other firms,” said Pendelton. “Does it take longer? Of course, but it has benefits such as company loyalty that can’t be overlooked.”
Here are a few other ideas for recruiting cybersecurity talent:
- Consider fewer “must-haves”
Does the employee really have to have a bachelor’s degree? Could you recruit talent from a hackathon? Could you offer “bug bounties” that bring out talent from other avenues? Younger talent may not have all the required education or certifications but may be worthy enough to be hired and trained. Also consider mid- or late-career job seekers who may be looking for a career change.
- Share your story
Money isn’t the only way to attract potential cybersecurity employees. Highlight your company’s mission, including how you’re combating cybercrime and how joining your team can enable the prospect to really make a difference in society. Enlist your human resources and marketing departments to help craft compelling messages.
- Think like Amazon
While Amazon is a juggernaut that few organizations can go toe-to-toe against, that doesn’t prevent your organization from being seen as a thought leader in its own right, worthy of consideration. By posting blogs, attending conferences, and offering subject matter experts to media outlets, you can build a stronger market presence that will help attract tech talent to your organization.
Cybersecurity Ventures predicts that there will be 3.5 million unfilled cybersecurity positions by 2021. Employers can’t afford to rely on outdated talent recruitment strategies. It’s time to get creative and find unconventional paths to identify and recruit the next wave of cybersecurity workers.