
teissTalk host Jenny Radcliffe was joined by Mike Johnson, Cyber Threat Intelligence and Incident Response Manager, WithYouWithMe; Andy Giles, Chief Product Owner (Security & Resilience) / Security Services Leader, Nationwide Building Society; and Samer Adi, CISO, Green Shield Canada (GSC).
Views on news
With an acute cybersecurity skills gap that stands at 2.7 million globally, hiring managers are looking to entry- and junior-level candidates to fill vacancies. One of the biggest challenges lies with hiring managers relying on unrealistic job descriptions and hiring practices – placing far too much emphasis on experience alone, even for entry-level roles where prior experience is impossible to obtain.
But it’s also hard to attract experienced people away from other cybersecurity employers due to the high levels of job satisfaction we see in the sector.
Most of the respondent managers in the survey rely on recruitment firms, certification organisations, universities and colleges, job postings, apprenticeships, internships and government workforce programmes when filling vacancies.
Attracting career changers from the military and non-technical jobs can also go a long way in alleviating shortages.
There is a lot of impostor syndrome in the sector as it stands, so putting off candidates with overdemanding and unrealistic job descriptions can prove rather counterproductive.
The focus should increasingly shift from requiring long years of experience and high levels of qualification to finding candidates who have the intellectual curiosity that will drive them to pick up the cyber skills necessary for fulfilling roles at pace.
Candidates with accountancy and legal backgrounds, for example, are likely to have the skills required for GRC (Governance, Risk, Compliance) roles, even if they don’t have all the technical skills at the start. One of the more unusual kinds of experience recruiters are looking for is in customer service, which reflects the new expectations and attitudes around how cyber security should be delivered within the organisation.
Is diversity and inclusion the answer to cyber skills shortages?
Job descriptions for cyber security roles often get inflated and too complex because the roles themselves are rather broad and require a wide range of skills. Universities offering training in cyber often suggest that the route to employability is pen testing, failing to raise awareness of the variety and depth of different career opportunities in cyber.
Recruiters should also break with the attitude that unless a candidate has 20-plus different certificates, they stand no chance of getting selected. Diversity and inclusion in cyber may mean that even if a candidate’s CV is not impeccable or contains spelling mistakes, recruiters give them a chance to demonstrate their cyber skills. Recruitment for cyber skills should be more than just looking for keywords in CVs through automated systems, and should put humans back in the loop.
To combat unconscious bias, recruiters are now mandated to have interview panels including non-cyber security experts too, who can spot skills that their co-panellists wouldn’t. Panels comprising members with different backgrounds can be very helpful in calling out unconscious biases and rectifying them.
