Cyber security hiring: Tips and best practices
Cyber security hiring managers face a difficult situation. Finding applicants qualified to fill open positions has become more challenging. Part of the challenge is that people entering or reentering the workforce can find it hard to judge which training or certification program will actually help them get a job, said Diana Kelley on a recent episode of the Cyber Work Podcast.
Diana is a board member of the Cyber Future Foundation, CYS, and the Executive Women's Forum (EWF). She is also co-author of Practical Cybersecurity Architecture and Cryptographic Libraries for Developers and has extensive cyber security experience with some of the biggest names in IT.
The Cyber Future Foundation hosted Cyber Talent Week in 2022 to provide help to employers and employees alike and encourage the development of an expanding and highly skilled cyber workforce.
FREE role-guided training plans
“Something that’s emerged in the past year is a big need to help people who want to get into the cyber security field to actually be able to get trained up and find jobs,” said Kelley.
She believes change begins by shifting how employers and hiring managers address the issue. Basic actions such as writing better job descriptions, for example, can facilitate the next generation of the cyber workforce. Additionally, employers and hiring managers must find ways to bridge the gulf between those with no experience who want a career in cyber security and the jobs they seek. These individuals face a chicken-and-egg proposition. They can't get a job until they have experience, but to get experience, they need a job.
"The National Cyber Help Desk supports small businesses in concert with local and state governments and provides an opportunity for people that can't get internships and externships anywhere else," said Kelley. "It allows them to gain real-world hands-on experience."
Poor cyber security job descriptions
Some hiring departments put too much attention on attracting unicorn candidates. Their job descriptions reflect this: demands for 10 years of experience, marquee credentials and advanced degrees.
Kelley encouraged employers to re-examine job descriptions and start from the problems that need to be solved. That, in turn, should lead to a more precise definition of the actual skills, competencies and abilities they want to attract. Everything else can be taught to new hires over time through internal training and continuous education.
“The job description is often used as the baseline for Applicant Tracking Systems (ATS),” said Kelley. “If your resume doesn’t exactly match the pattern that they’re looking for or is missing certain keywords, you can get kicked out of the system. No human will ever see your resume.”
It can be as simple an error as writing "cloud systems" instead of "Azure." With that keyword missing, the ATS may automatically reject you. You may be skilled in AWS and DigitalOcean, but the posting asks for Azure. Such candidates could probably learn Azure rapidly, so why exclude them? Those writing job descriptions need to learn to write them in a more inclusive way.
For example, state that you want somebody who is an expert in the cloud, with Azure preferred, and ensure that the ATS is configured to match the generic terms as well as the specific ones. Further mistakes include gender-specific language, such as writing "he" in the job description because the last two incumbents were male.
Above all, Kelley advocates flexibility in job descriptions and applicant requirements. After all, being able to manage and secure one cloud versus another cloud is something that can be picked up on the job. Successfully running and safeguarding an AWS cloud demonstrates competence that can be translated to another platform like Azure with a modest amount of training.
"Most managers want somebody they can skill up and move forward because that's how we keep people engaged, learning, and excited," said Kelley.
Reluctance to invest in employees
Some managers, though, are reluctant to invest in training and certification for their people, fearing that once they are up to speed, they will leave for a newer or better-paid position. Companies like Infosec offer organizations the chance to train a replacement employee at no cost in those situations, to help alleviate that concern.
"Managers often have workers they really loved and helped to advance their careers," said Kelley. "When one of those leaves, it feels very personal or even like abandonment."
However, there are many other factors at play when people leave. They may have been working in a toxic workplace or realized they had picked a company with little room for further advancement. They may have been headhunted with an offer they couldn't refuse, such as $10,000 more a year, a big relocation bonus and a free MBA thrown in.
The lesson for hiring managers and IT managers is that training is never a bad idea. Even if someone leaves, the skills they learned while working for a company made that company better. And it adds to the overall cyber security talent pool, something urgently needed in this age of rampant ransomware and data breaches.
Summer internships, too, have tremendous value even if some of those taking them don't end up working for the firm. Some hiring managers view internships as a hiring platform where they can review promising candidates and find excellent raw talent.
“What they want the person to do is to understand the company and the culture and see if you’re a good fit and like being there,” said Kelley.
For more, watch the full episode of the Cyber Work Podcast, Cybersecurity jobs: How to better apply, get hired and fill open roles.