The Agony of Hiring Cyber Talent

By @johnnychronix. Published in ZeroGuard, Aug 10, 2021.

Those of us in the cybersecurity industry are painfully aware of the shallow talent pool to draw from. So when a position needs to be filled (always timed during a panic situation it seems), finding an excellent — or even qualified — employee is daunting, to say the least.

Sure, you get “hits” through your job postings on marginally effective mediums such as LinkedIn, et al., but when time and quality are of the essence, finding that proverbial needle in the haystack can quickly pile up the frustration and panic levels. On top of that, it is a “seller’s market” right now, a fact that the talent in this field is all too aware of, particularly when they’ve obtained some form of certification. Of course, a piece of paper or a shiny PDF rarely correlates to the real-world specific needs of a hiring company.

In part one of this three-part series, I will talk about the workforce and gender gap as well as the problems encountered in training newcomers in the cybersecurity industry.

Cybersecurity staff shortages are putting organizations at risk

The first issue here is the workforce gap that exists in cybersecurity. As attacks mount exponentially, the need for businesses, organizations and governments to seek out cybersecurity services is growing faster than the dandelions in my neighbour’s yard.

According to the 2020 (ISC)² Cybersecurity Workforce Study, companies could use 3.1 million additional workers, nearly double the number that exist today. More than half of the respondents to the study (56%) said cybersecurity staff shortages were putting their organizations at risk.

The shortage is exacerbated further by the gender gap in this field. Although the gap is narrowing, it is still a 70/30 ratio for men. An equal playing field means more opportunity to cull talent and fill in these missing, and sorely needed, positions.

The good news is that students entering into their post-secondary education are starting to recognize the job availability in cybersecurity and are focusing their studies in the applicable fields. Leading universities like DePaul in Chicago, St John’s in New York and the University of Waterloo in Ontario, Canada are showing evidence of placing their graduates in good-paying positions, causing an uptick in enrollment.

Individuals doubt their skills…(and) are afraid of being exposed as frauds

Because of the nature of the work, another problem is confidence. Cybersecurity is a stressful job to say the least, especially when trying to mitigate breach issues with million-dollar corporations or governments. As a result, confidence levels can wane.

A common result of this is known as impostor syndrome, a psychological pattern in which an individual doubts their skills, talents, or accomplishments and has a persistent fear of being exposed as a “fraud”. This seems a strange occurrence for those who have been doing their job at professional standards, yet it is more common than one would think. Knowing this fear exists to a fairly high degree in careers such as cybersecurity likely deters people from pursuing this career avenue and expedites the burnout factor.

“Why do I need training, I’ve got my certificates?”

Of course, having many confident individuals to choose from for hiring is still not enough. As with many careers — and many would argue life itself — there is a big difference between the value of “book smarts” and the value of “street smarts”. While it’s great, at times essential, to learn the basic theory required to perform well at one’s chosen career, it’s rare that a textbook can be opened to a certain page that will solve the problems faced while actually on the job.

Additionally, every cyber incident is unique, new hacker techniques are constantly appearing and evolving, and every cybersecurity company has its own protocols, procedures and processes. Despite one’s experience, he or she still needs to be trained, and be willing to be.

Many feel that because they have school or online training, or even past experience in the cybersecurity field, going through a training course is unnecessary and redundant. But it is essential that they learn the company way. For example, some write their code in C++, many use Python; a growing number are writing in Rust. Is the new hire comfortable in more than one language? Does he or she use the same writing styles, idioms, approaches, etc.? When in a collaborative environment, uniformity is paramount to positive production.

Because of this, time and money have to be spent by the employer on training. Finding these, as well as providing motivation and comprehensible lessons that don’t need hand-holding, and building confidence to avoid the aforementioned “impostor syndrome”, is a very difficult balancing act.

At the end of it all, the new hire might not get it, might not like it, or might take the training and move on to perceived greener pastures. Now that time and money are lost and the position is still vacant. It’s a gamble, to be certain.

Finally, and this stems back to the “seller’s market” issue, those that obtain certificates via online or traditional courses to pad their resume stats seem to feel that their worth… well, that’s Part 2 of the series…
