By Blake Tinsley, Founder and CEO, Prosyntix
The cyber threat landscape is ever-evolving, from the rapid deployment of new application code and the Internet of Things (IoT) pushing toward billions of connected devices to entire architectures being transformed by the cloud. The new decade is going to present new forms of threats but also new ways of getting work done. The exciting thing to see is the transformation in how organizations look at security needs. It’s gone from the uncomfortable unknowns to proactive adoption of the right security measures as the primary foundation to grow.
With that being said, the current supply of talent does not meet the demand from businesses. Data all over the internet shows how immense the shortfall is today and will be going into the future. According to the US Department of Commerce, there were around 350,000 unfilled jobs in 2018, growing to a predicted 3.5 million open jobs by 2021. This is a staggering number to try to comprehend considering how much investment and time is going into Cybersecurity initiatives.
I spent time with many decision-makers on ways to address this issue. The commonalities of our discussion primarily hit on Practical Education Programs, Training, Changing Traditional Requirements for Hiring, and Lengthy Hiring Processes.
There seems to be a very wide gap between the needs of hiring managers and the Cybersecurity programs taught at the collegiate level. Due to business needs, hiring managers are searching for specific abilities to fill an immediate gap, including key non-technical “soft” skills and business acumen. This is part of the reason why recent college graduates are often overlooked or have a tough time getting into the field. Ultimately, it boils down to professors looking at theory-based education as more intellectually appealing, which is why it has been the common form of practice since the beginning of time. Cybersecurity, however, is one of those fields that needs practical ability right out of the gate. We’re already starting to see it on a very small scale, but outside entities and local businesses around these institutions need to work together to build out labs where students can touch relevant tools and learn typical processes prior to graduating. NICE and NIST help influence the curriculum, but we need to expand further to better align with business needs. This adoption is critical for young professionals to be equipped with applicable skill sets hiring managers can use.
Training is also a hot button we always hear about. My company is one of the very few startup firms in the nation that focus only on Cybersecurity and Engineering Talent Services. This is what we do, and I like to think we do it well. However, I can tell you right now, the WELL FEELS VERY DRY. Decision-makers need to focus on developing their existing team and not depend entirely on adding headcount to address a gap. Not only does this give your team broader knowledge that is more tailored to the organization’s specific needs but, in some cases, it expedites your gap coverage. I have had the pleasure of partnering with an amazing ISACA Cybersecurity Consulting firm. Their focus is working with existing teams to cross-train needed skill sets, all while providing a flexible training program so that employees can keep up with daily business demands. Companies like these need to be used everywhere across all industries.
One of the things I see on a consistent basis is red-tape disqualification of talent. Good, very capable candidates are being disqualified due to lack of education standards and years of experience. In the past 4 years, I have seen 13 candidates not get the job because they were 1 or 2 years shy of the minimum years of experience. I’ve seen 3 cases where candidates did not get the job because they didn’t have a bachelor’s degree. Just recently I had a client rave about the abilities of a candidate but pass on him because his 6 years of experience didn’t align with their definition of a “lead”. Companies need to focus more on ability rather than formality. The idea of someone not getting a job because they lack the required education is beyond belief considering our current state. The youngest hacker in the world is a 9-year-old kid who was credited with exploiting a vulnerability. I have a close friend who taught himself how to code, never earned a college degree, was overlooked for several jobs, and is now the Lead Application Security Engineer for a well-known financial firm. Loosening up on red-tape standards is a must when trying to creatively attract talent. Talent shortage, aggressive company growth, and red-tape requirements don’t go together.
A well-defined hiring process is important but can also work against you. Every time I find a top-notch security professional, they have 4 other interviews going by the time I send them over to the client. Times have drastically changed since the recession. Back then, the talent pool was abundant, there was a high probability the candidate would commit to a lengthy hiring process, and they would do anything the company needed to get the job. Nowadays, professionals are leaving companies without a contingency plan because they know they have a marketable skill set and will land a job in a matter of days or weeks. Companies must have an expedited hiring process because TIME IS THE ENEMY. On top of that, companies need to have 5 to 10 selling points on why that candidate should join the firm. Don’t just sell benefits and flexibility but focus on collaboration, meaningful projects, culture, etc. Without these things, you will have trouble finding top talent. The hiring process is not a one-way assessment anymore. Candidates are evaluating you just as much as you are evaluating them.
As we all know, cybersecurity is the leading job of the future. We are at a point now where data is the most important asset to an organization. How well you use and safeguard that data all depends on the type of people you can attract, how you sell the company story, and the time you invest in those people.
About the Author
Blake founded Prosyntix as one of the few startup Cybersecurity Talent Services firms in the nation, where they help clients find experienced professionals within Risk Management and InfoSec. Prior to starting Prosyntix, he was a Partner at a risk management consulting firm. In this role, he helped clients enhance their security posture by focusing on Critical Security Controls and architecting secure data centers using DISA STIGs. He graduated from The Citadel, The Military College of South Carolina, with a bachelor’s degree in Business Administration.