It is entirely possible, even probable, that the cybersecurity skills gap is, at least partly, something of our own making: our fixation with purple squirrels. Most employers want them and spend weeks, months—even years—looking for purple squirrels to fill critical cybersecurity roles. The problem with this approach is, of course, that they do not exist. And, while organizations are searching for purple squirrels, they are passing over the red, gray, tree or flying squirrels, many of which are not only more common—expanding the sea of candidates—but might be exactly the right squirrel for the job.
“Purple squirrel” is a recruiting term for the perfect candidate who meets every qualification listed in a job posting. Of course, we all know that there is no such thing as a purple squirrel or a “perfect” candidate, so why do organizations keep trying to find them? The candidate who looks so fabulous on paper will likely turn out to be not quite what they appeared, just like the purple squirrel when the dye starts coming off.
The ongoing hiring paradox of employers’ inability to fill open positions alongside candidates’ inability to find jobs is something we should have corrected by now. We have all seen the dire headlines: millions of cybersecurity job openings going unfilled.1 Searching “cyber security” on a popular recruiting website reveals 25,000 openings in the Washington DC (USA) Metro area alone.2 More than half of respondents to the ISACA State of Cybersecurity 2019, Part 1: Current Trends in Workforce Development survey reported that they currently have unfilled positions.3 Keeping cybersecurity employees is another struggle, with 84 percent of cybersecurity professionals reporting that they were open to new opportunities in 2018.4 Recruiters typically view “job hopping” as a negative, but that is not always the case in cybersecurity. In fact, cybersecurity professionals who stay in one position for several years may be perceived as not being progressive.5 Google, an organization known for great salaries and even better employee perks, has a median tenure of only 1.1 years, and attrition is also a problem at other tech giants such as Amazon and Apple.6
What is less documented and tallied is the number of people trying unsuccessfully to get cybersecurity jobs. My involvement with multiple industry associations and nonprofit organizations has given me the opportunity to meet many hopeful cybersecurity job candidates who simply cannot get any traction in their job hunt. This makes no sense, particularly when you consider the more than 300,000 open cybersecurity positions reported in the United States7 and the seemingly endless stream of cyberattacks targeting virtually every industry sector and type of organization. In 2018 alone, there were more than 900 known cyberattacks, with methods ranging from malware to distributed denial of service (DDoS) to credential stuffing. According to the State of Cybersecurity 2019, Part 1, 46 percent of respondents reported experiencing an increase in cybersecurity attacks, and the majority said they expected a cyberattack in the next year.
So, what is causing this disconnect? My theory is that it boils down to tired, inapplicable recruiting practices. Hiring a cybersecurity professional takes creativity and ingenuity. Keeping them requires commitment and investment. Is your organization doing it right?
It Takes a Village
If you are struggling to fill cybersecurity positions, why limit your candidate pool to less than half the population? Take a look at your current team and you will very likely find a dearth of women and people of color. The majority of respondents to the State of Cybersecurity 2019, Part 1 survey indicated that their cybersecurity staff consisted of “significantly more men than women,” yet, sadly, more than half of respondents had no plans to change that. Bottom line: we cannot fill all the open slots without expanding the pipeline and tapping into a more diverse group of workers. Hiring managers tend to hire people similar to themselves, a pattern driven by inherent biases around gender, race and sexual orientation. This is not scalable. Consider these compelling statistics:
- Women hold approximately 11 percent of cybersecurity positions, despite representing half of the global population. This figure has not changed over the past several years.8
- People of color represent only about 12 percent of information security analysts.9
Why does diversity matter? Beyond the inherent expansion of the hiring pool and, quite frankly, just doing the right thing, research from McKinsey & Company indicates that organizations that commit to diverse leadership are more successful.10
All the Things
Finding a purple squirrel becomes less of an issue when job postings are written in a realistic and reasonable fashion. It is not uncommon for postings to carry a laundry list of 10 or more disparate but required qualifications. One particularly egregious example was a posting for a security analyst that listed 17 required skills, ranging from “expert knowledge of routing and switching” to “expertise in application penetration testing” to “expertise in embedded device security.” How many areas can one person truly be an expert in at any given time? A significant drawback of having so many requirements is that women are much less likely to apply if they do not meet all of the qualifications.11 This can be avoided by skipping words such as “expert” or “expertise” and using terms such as “knowledge of” or “experience with” instead (figure 1). Additionally, it has been suggested that male-associated words such as “ambitious,” “dominant” and “confident” can be off-putting to women.12
When it comes to certifications, rather than expecting candidates to arrive fully equipped with them, why not invest in training new hires and allow them to study for and pursue certifications on enterprise time? The job posting could read, “Willingness to study for and attempt the CSXP certification13 in the first six months of employment.” This demonstrates an organization’s willingness to invest in an employee’s professional growth.
Culture Club
Job postings often hint at enterprise culture, and candidates will read between the lines to interpret meaning. Wording such as “fast-paced” and “ability to handle stress” may point to a pressure-cooker environment. “Flexible” may indicate frequent overtime and after-hours demands. “Multitasker” might mean you will be expected to do the job of more than one person. Words such as “rock star” and “ninja” imply impossible expectations. “Hit the ground running” may be interpreted as no training will be provided.
Avoid listing employee perks that are gender-centric. The foosball table at a previous job was constantly dominated by male employees and now is a job posting red flag for me. I feel the same way about Nerf guns, video games and free beer—these all suggest a frat-party environment. What does a candidate really want in a job? Funding for training and travel, generous paid time off, and the ability to work remotely are often at the top of the list.
He Said, She Said
Let us take a case where the hiring manager identifies a need for a candidate with networking experience and knowledge of protocol analysis. Those precise words go into the job posting. A candidate with expertise in Wireshark listed on their resume applies and is rejected. What happened? The human resources (HR) professional reviewing the resume did not know that Wireshark is primarily used for protocol analysis.
I once had a screening interview with a nontechnical recruiter who was clearly reading prepared questions and did not have the slightest idea about cybersecurity. He did not understand my responses and was apparently listening for certain keywords or phrases. I did not make it past the screening, although I was more than qualified for the position and, based on that experience, I was completely disenchanted with the organization.
Candidate interaction with HR should not be a blocker. While it takes time to have your technical staff review resumes and conduct interviews, it is an essential step in the hiring process. HR must partner with the technical staff to identify potential new hires. Interviews should be a collaborative effort that includes both technical and nontechnical staff, with no single interviewer having the final say. Interviewers should be rotated to reduce unconscious bias and interview fatigue.
Timing Is Everything
Everyone’s time is important. When a recruiter is not respectful of a candidate’s time, it suggests an attitude of entitlement. I have had recruiters expect me to be available for interviews the day after they contacted me, and I have had recruiters be late for interviews on numerous occasions. This suggests a metaphorical flexing of the muscles, an attempt to show who is the more important person in the equation. Or perhaps it is simply disorganization, but, either way, it is a turn-off. In the interview scenario mentioned above, the recruiter contacted me months after I had applied for the job, which points to problems in their hiring pipeline. A Glassdoor study found that 82 percent of candidates felt that the interview process should take no more than a month.14
Expanded Horizons
Organizations can enhance their ability to hire by expanding where they conduct their search. Traditional methods such as job boards and social media will only go so far. Looking to find more diverse candidates? Post on job boards run by organizations such as Out & Equal15 and Women Who Code.16 Want to hire more veterans? They can be reached through groups such as Hire Our Heroes.17 Typically recruit from four-year colleges? Expand outreach to community colleges, where students are more likely to have gained hands-on-keyboard experience and to be workforce ready.
If your organization requires a degree in computer science for cybersecurity candidates, then you are missing the point that cybersecurity is truly multidisciplinary and suitable candidates can come from a wide variety of backgrounds. The British War Office used a crossword puzzle competition to recruit candidates for the codebreaking team at Bletchley Park that broke the Enigma cipher.18
Sponsor and attend cybersecurity events and conferences. The cybersecurity community tends to be very engaged, and your next candidate might be discovered while volunteering at a local Security BSides19 conference. There are also nonprofit organizations such as Women’s Society of Cyberjutsu20 and Unallocated Space21 that run free or low-cost training events and need sponsors to help enable their programming. This, in turn, can potentially give you access to their membership for recruiting purposes, not to mention generate goodwill toward your organization within the cybersecurity community.
Intern programs are a great way to discover new talent and to foster both loyalty and community goodwill. An intern program lets an organization assess how well a candidate fits within the organization with a minimal investment of time and resources. Interns must be paid and given meaningful work to do. Recruit from both four-year and community colleges.
Thankfully, more than a few organizations are doing recruiting well. Those are the ones I think of when I am helping someone find a position. But, until more organizations start thinking outside the recruiting box and caring about the candidate experience, we will continue to face cybersecurity staffing shortages.
Stop looking for the purple squirrels and focus on changing your hiring practices for the better.
Endnotes
1 NeSmith, B.; “The Cybersecurity Talent Gap Is an Industry Crisis,” Forbes, 9 August 2018, http://www.forbes.com/sites/forbestechcouncil/2018/08/09/the-cybersecurity-talent-gap-is-an-industry-crisis/#603731eca6b3
2 Indeed, Cyber Security Jobs in Washington DC, http://www.indeed.com/q-cyber-security-l-Washington,-DC-jobs.html
3 ISACA, State of Cybersecurity 2019, Part 1: Current Trends in Workforce Development, USA, 2019, ar80.hwfj-art.com/state-of-cybersecurity-2019
4 DeNisco Rayome, A.; “Eighty-Four Percent of Cybersecurity Pros Are Open to Switching Companies in 2018,” TechRepublic, 28 February 2018, http://www.techrepublic.com/article/84-of-cybersecurity-pros-are-open-to-switching-companies-in-2018/
5 Johnson, E.; “Technology Tops List of Industry Talent Turnover Rates,” InformationWeek, 2 May 2018, http://www.informationweek.com/strategic-cio/team-building-and-staffing/technology-tops-list-of-industry-talent-turnover-rates-/d/d-id/1331668
6 Johnson, T.; “The Real Problem With Tech Professionals: High Turnover,” Forbes, 29 June 2018, http://www.forbes.com/sites/forbesbusinessdevelopmentcouncil/2018/06/29/the-real-problem-with-tech-professionals-high-turnover/#8e5b0a542014
7 Cyber Seek, Cybersecurity Supply/Demand Heat Map, http://www.cyberseek.org/heatmap.html
8 Frost and Sullivan, Innovation Through Inclusion: The Multicultural Cybersecurity Workforce, USA, 2018, http://iamcybersafe.org/wp-content/uploads/2018/04/Multicultural-Diversity-Report-2018.pdf
9 McGirt, E.; “The Cybersecurity Problem No One Wants to Talk About,” Fortune, 7 October 2016, http://fortune.com/2016/10/07/cybersecurity-hacking-ibm-naidoo/
10 Hunt, V.; D. Layton; S. Prince; “Why Diversity Matters,” McKinsey & Company, January 2015, http://www.mckinsey.com/business-functions/organization/our-insights/why-diversity-matters
11 Moss, H.; “How to Make Job Descriptions Women-Friendly,” GovLoop, 11 October 2017, http://www.govloop.com/job-description-female-friendly/
12 Brinded, L.; “Santander UK Chairman: We Can Attract More Women Employees By Changing the Language in Job Ads,” Business Insider, 30 September 2016, http://www.businessinsider.com/santander-uk-chairman-shriti-vadera-on-changing-job-ad-language-for-more-women-in-banking-2016-9
13 ISACA, CSX Practitioner Certification, http://cybersecurity.hwfj-art.com/csx-certifications/csx-practitioner-certification
14 Glassdoor, “Lack of Information About Compensation Is the Biggest Frustration for U.S. Workers and Job Seekers, According to Glassdoor Survey,” 19 September 2018, http://www.glassdoor.com/about-us/lack-of-information-about-compensation-is-the-biggest-frustration-for-u-s-workers-and-job-seekers-according-to-glassdoor-survey/
15 Out & Equal, http://outandequal.org/
16 Women Who Code, http://www.womenwhocode.com/
17 Hire Our Heroes, http://hireourheroes.org/
18 Chivers, T.; “Could You Have Been a Codebreaker at Bletchley Park?” The Telegraph, 10 October 2014
19 Security BSides, www.securitybsides.com/w/page/12194156/FrontPage
20 Women’s Society of Cyberjutsu, http://womenscyberjutsu.org/
21 Unallocated Space, http://www.unallocatedspace.org/
Marcelle Lee, CSXP, ACE, C|EH, CCNA, CISSP, GCCC, GCFA, GCIA, GCIH, GISF, GPEN, GSEC, Security+, Network+
Is a threat researcher and an adjunct professor in digital forensics and network security, and she also provides security consulting and training services through her company, Fractal Security Group LLC. She specializes in network traffic analysis, malware analysis, phishing and threat hunting. She is involved with many industry organizations, working groups and boards, including the Women’s Society of Cyberjutsu, the US NIST Cyber Competitions Working Group and the Cybersecurity Association of Maryland (USA) Advisory Board. Lee has received the Chesapeake Regional Tech Council Women in Tech (WIT) Award and the Volunteer of the Year award from the Women’s Society of Cyberjutsu. She frequently presents at conferences and training events and is an active volunteer in the cybersecurity community. She both builds and participates in cyber competitions, and shares her work through her GitHub site, http://marcellelee.github.io/. She can be reached at www.linkedin.com/in/marcellelee and www.twitter.com/marcelle_fsg.