A New Approach to Finding Cybersecurity Talent for the Future

Author: Sandy Silk, CISSP, Director of IT Security Education & Consulting, Harvard University
Date Published: 14 January 2019

The cybersecurity profession is facing a shortage of qualified talent to fill an increasing demand for positions, as so many reports inform us. What I find self-fulfilling about our “talent dilemma” is that we acknowledge the rapid rate of technology change, yet continue the quest for specific technical experience and expertise. We seek plug-and-play people to match technology components, rather than individuals with foundational skills and an aptitude and desire to learn changing technology.

As processes and people internal and external to our organizations continually adapt to ongoing technology changes, our profession needs individuals with skills in systems thinking, problem-solving, innovation, and collaboration. Cybersecurity professionals also need strong business proficiency, including communications skills and the ability to manage risk in support of desired business outcomes and risk tolerance levels of our organizations. We need a workforce that reflects the diversity of customers we serve, going beyond external traits of gender and race, to a robust variety of experiences and ways of thinking.

Yet, when we look at job postings for information security positions, we see traditional male-dominant language, a long list of specific technical infrastructure and coding experience, and a preference for technical or information science degrees, particularly computer science. Do those elements yield the applicants with the broad skills and perspectives we need, or is that simply the CV customary for our current homogeneous information security workforce?

The most common trait across the cybersecurity industry is the absence of a common path to a cybersecurity career. According to the 2017 Global Information Security Workforce Study that surveyed 19,000 cybersecurity professionals worldwide, 87 percent of us started in a career path outside of cybersecurity. Of those, 30 percent came from non-IT, non-engineering backgrounds, including business, marketing, finance, accounting, military and defense.

I looked at the “non-traditional” education of strong performers on our past and present information security team at Harvard, and I found the following degrees: German, English, Philosophy, Fine Arts, Comparative Literature, and International Relations, among others. I also found some didn’t have college degrees at all. In addition to a desire for ongoing learning, we all have strong communication, analytic and risk management skills. Those are specifically the top three skills sought by hiring managers within information security, according to the 2017 Workforce Study. Another report, the ISACA/RSA Conference Survey for the State of Cybersecurity: Implications for 2015, identified the most common deficiency for cybersecurity professionals as the ability to understand the business, with 72.33 percent of respondents citing that gap. Sufficient technical skills came in second at a distant 46.32 percent, followed closely by communication skills at 42.16 percent.

How do we improve our recruiting – and retention – practices to attract and develop the enduring combination of skills we need for successful cybersecurity professionals? Follow these five steps as a start:

  1. Prioritize the top 10 skills – technical and cultural – for a role and limit the job description to those;
  2. Check for and correct gender bias in the wording of job postings, using a free or commercial tool;
  3. Use consistent interview questions and skills assessment processes for all applicants;
  4. Provide ongoing training in both technology and business leadership skills;
  5. Value differing backgrounds and perspectives within your workforce.

Editor’s note: Silk will be presenting on this topic in the session, “A New Rubric for IT Recruiting and Retention” at the 2019 North America CACS conference, to take place 13-15 May in Anaheim, California, USA.