Now more than ever, jobs in cybersecurity are in high demand. When filling vacant cybersecurity roles—from SOC analysts to security researchers—hiring managers tend to ask a stock set of questions:
- Does the candidate have three to five years of experience?
- What about an cybersecurity certifications (OSCP, CISM, CISA, CEH, SANS,CISSP, etc.)?
- Degree in Computer Science or equivalent?
The truth is that these are the wrong questions, and they’re made absurd when asked of entry-level candidates. Consider that the CISSP certification requires five years of full-time work. Is three to five years of experience commensurate with an entry-level role? And, if a candidate has three to five years of experience, will they step down into an entry-level position?
Even if a security engineer has these qualifications, many fail when battle tested. Some are unable to communicate the practical implications of vulnerabilities to executives and stakeholders who lack technical backgrounds. This is problematic because these are the people who often control the purse strings of technology and security departments.
How should we respond? As an industry, we have locked these traditional cybersecurity roles behind a firewall of gratuitous requirements. In actuality, filling these roles isn’t a matter of finding qualified candidates, but building them. Organizations that are committed to growth and meeting security threats must look beyond the traditional skill sets and requirements, focusing instead on finding capable people from diverse industries who are motivated to learn.
An evolving workforce
The pandemic forced many companies to embrace remote work. You might think that access to a global talent pool would alleviate the shortage of qualified candidates, but that has not proven to be true. The situation looks serious when considering that ISC² estimates that the total cybersecurity workforce needs to grow by 65% to meet emerging threats1. This has transformed the industry into a candidate’s market in which there is tremendous competition for those few candidates with the perfect combination of experience and certification.
Organizations filling vacancies in their cybersecurity departments must get more creative in the types of candidates that they seek. Identifying highly motivated people with strong soft skills, a genuine passion for the subject matter, and a willingness to learn will often produce a better ROI over the long term. Technical skills can be taught, but work ethic, intrinsic motivation, and communication skills are far more challenging to influence.
According to a recent survey in the Hays Cyber Security Talent Report, 61% of employers found it difficult or very difficult to recruit cybersecurity talent2. Survey respondents attributed the challenges to a lack of technical skills and soft skills. Soft skills cited in the study were adaptability, interpersonal and communication skills, passion, being curious and inquisitive, and having general business acumen3.
A combination of technical domain knowledge and these soft skills is ideal for cybersecurity practitioners. An engineer who can conduct a penetration test, effectively communicate the findings in writing and verbally, all while translating the real-world, top-line and bottom-line business impact to clients sounds like the perfect candidate. While individuals like that certainly are out there, finding them is a challenge.
But there is another option. Hard skills such as specific technologies, analytics, and incident response techniques, can all be taught, but I’ve yet to see an effective method of teaching somebody to be passionate and inquisitive. Instead, focus on identifying candidates who have demonstrated adaptability (perhaps by training to switch industries into cybersecurity), have well-honed communication skills, and are passionate about learning the hard skills.
Consider a recent addition to the GoVanguard security engineering team. He had no formal experience in cybersecurity or information technology. However, he had the well-developed soft skills mentioned by the survey, along with a clear passion for improving his technical ability. This new team member has exceptionally strong communication skills, developed from years of explaining nuanced medical concepts to patients while working in healthcare. He can also quickly adapt to different situations and tasks, demonstrating that he was excited to learn and easy to teach.
We were able to leverage his communication skills immediately to improve our internal processes and reports. His soft skills are adding significant value to our organization while we train him to be a strong penetration tester.
When candidates are passionate about a field of study and intrinsically motivated to build their capabilities, the speed at which new hires can learn to perform specific job functions is limited only by how well the organization can describe what they are.
Leading with growth in mind
Granted, learning cybersecurity is not simple or easy. Some may object to this approach, saying that they need a candidate who can “hit the ground running.” Weigh that concern against the three-six months it typically takes to find a candidate4. Likely during that time, a high-caliber individual could have been onboarded, trained, and performing well within the organization. With a strong culture of individual and team development, this approach works.
The question becomes, how to develop these skills? With so many resources for IT and cybersecurity training, it can be daunting to select the best ones. It helps to take a two-pronged approach: what the individual can do to build their skills and what companies can do to train their teams.
Let’s begin with individuals. Cybersecurity is such a vast field that it can be overwhelming to identify what aspects to focus on. But having a knowledge base that is a mile wide and only an inch deep is acceptable for entry-level roles. Understanding what the information security stack encompasses (shown above) and how malicious actors leverage tactics techniques and procedures (TTPs) to attack organizations are the fundamentals of learning in this field.
GoVanguard curated a guide for this purpose, which you can find here. It focuses on the resources needed to get into information security and cybersecurity. For an even more in-depth collection of resources ranging from relevant certifications to data-recovery tools and everything in between, check out our Infosec Encyclopedia.
Businesses should consider using training platforms such as Tryhackme.com. This is a hands-on lab-based platform that can be set up for an enterprise at a very modest price per license. Organizations can create custom learning paths with specific challenges and skill-building exercises based on what the candidates need to know for their specific roles. Managers can monitor progress and get status reports of how new employees are doing.
GoVanguard has had a very positive experience with this platform and has established numerous training paths, such as the one pictured below, with level ratings commensurate with the skills of the individual. This has significantly sped up how quickly new employees can develop technical skills.
Consider that most entry-level roles—such as SOC analyst level 1, junior incident responder, junior penetration tester, or associate security engineer—have well-defined responsibilities within each organization. They use specific toolsets and technologies and have specific daily responsibilities. With a strong onboarding process that includes targeted training and detailed documentation on how to handle the day-to-day, the speed at which someone can “hit the ground running” increases exponentially. Finally, while a new hire is learning and building toward peak productivity, there likely are opportunities to leverage their existing skillsets to contribute to projects.
This developmental approach requires a strong commitment to an organizational culture that prioritizes training and mentorship. It also takes a company culture that encourages questions and graceful failure within certain parameters. Supervisors must be teachers. Processes must be well-documented and transparent.
To build better candidates, we must ask ourselves better questions. Let’s start with: Does our organization care more about the optics of a resume, or about how well an individual can integrate and grow? And do we have what it takes to build great team members?
4. It Takes an Average of 3 to 6 Months to Fill a Cybersecurity Job | DARK Reading