Hacking The Cyber Security Talent Shortage
White Paper | Written by Jim Donnelly
Demand for cyber security professionals at all levels is accelerating in the face of increasingly volatile global data security conditions and ever higher stakes, while the talent pool apparently remains limited and difficult to access. With cybercrime now a more than $445 billion business, International Data Corporation (IDC) has forecast that this market will present a $101 billion opportunity by 2020; yet a report from Frost & Sullivan and (ISC)² predicts more than 1.5 million unfilled positions in the global cybersecurity workforce at that time.1 In spite of the fact that this has been a known challenge for years, both the government and commercial sectors have been unable to get ahead of this predicted shortfall in the face of burgeoning need, which has only been compounded by the continuing backlog of security clearance processing for “cleared positions.”
Why is this such a seemingly intractable problem? Unfortunately, the old adage “to a hammer, everything is a nail” may account for part of it. Internal recruiting teams are, appropriately, primarily focused on funded positions on government contracts; however, unfunded billets/positions still need attention, and many talent acquisition leaders continue to focus on a traditional just-in-time recruiting approach of buying in skills. Unfortunately, when those skills are in short supply or still evolving in the market, and the talent pool remains inaccessible, companies need to consider thinking outside the box to find the right people, particularly at the senior executive level.
Adjust your search criteria.
To start with, a mindset shift is needed. Rather than focusing on the idea that there aren’t enough qualified people in the industry, talent acquisition leaders need to widen the lens they are looking through. Many senior level cyber security professionals with any significant tenure in the field will likely not have a degree in cybersecurity, nor might their job experience look particularly relevant on paper, due to the organic nature of how many of them have come by their cyber security expertise. In addition, as cyber security and related degree programs struggle to keep pace with the industry shifts and innovations, many of these qualifications end up not being technical enough and can’t be relied upon as a proxy for experience. Organizations are increasingly seeing the need to innovate with “new collar” approaches to hiring that prioritize attributes such as technical curiosity and aptitude, problem solving, versatility, and risk assessment over specific qualifications that may be redundant as soon as they are gained.
Widening the net may also mean looking to different industries and embracing an inclusive hiring strategy. Cybersecurity is inherently interdisciplinary, and involves knowledge of not just technology but also human behavior, finance, risk, law, and regulation, so looking to other industries can be beneficial, particularly those that deal often with privacy and consumer security, such as retail and service industries. Because of the complex nature of cybersecurity problems needing to be solved, gender diversity can significantly strengthen an organization’s competency in this area.2 Consider, as well, the unique adaptability, tenacity, and problem solving perspective somebody with a disability will bring: someone used to hacking everything from mobility to appliance use is going to approach security problems very differently from someone who has never had to navigate such challenges.
When bringing in talent from the outside, it is critical to work with someone who knows how to see past the “camouflage” of a resume to find the best cyber security specialists whether they are active on the job market or not. Often this requires being able to tap into a deep network of connections for referrals and qualified introductions. With over 25 years in the Govcon space focused on the areas of Aerospace, Defense, and Security, the Centerstone DC team has the established relationships and connections to do just that. By combining our industry network with a lateral thinking approach to executive search, we have also been able to successfully introduce non-traditional candidates who have helped companies expand their worldview without sacrificing the effectiveness or synergy of existing leadership teams.
You may already know them.
Too often, organizations fail to effectively tap into a talent source right in front of them: the professional networks of their existing employees. In the cyber security space, this is a mission-critical failure due to the nature of the work and the kinds of people who excel at it. The security community is small; the community of cleared professionals even smaller. There is no doubt that the best cyber security professionals know each other and may actively collaborate to resolve shared challenges.
Employee referral programs and candidate outreach can also leverage the strength of particular communities, such as active military (reservists) and veterans who may have key skills, knowledge, and clearances. Employee referral contests are a great way to generate candidates for specific openings. Additionally, fully leveraging your company alumni network to drive re-hires and referrals is a great source of candidates and very cost-effective.
There is a continuum of sensitivity when it comes to cultivating referrals and introductions, however, compounded by seniority and clearance levels. Overt employee referral programs work exceptionally well at the entry and mid-levels, and for opportunities requiring low level clearances; however, for more sensitive and/or senior roles, a degree of finesse is required that goes beyond simple introductions. This is where an experienced search partner can effectively and confidentially vet and manage outreach to identified professionals, from initial contact all the way through to handling sensitive negotiations and closing the deal. Centerstone’s proprietary TCSS (TurboCharged Search and Solutions) process is well suited to both expedited and referral-driven searches.
Hire ahead and hold on to your people.
Corporate and government leaders with strong security programs focus as much on building talent as they do on buying skills, focusing on hiring in people with critical aptitudes, core competencies and related skills, and then giving them both formal and on-the-job training in security specifics.3 This is where retention is a critical component of any talent acquisition and development strategy. Implementing effective people programs to ensure the cultivation of key resources is non-negotiable, and even more so at the executive levels, where a track record of leading innovation at the strategic level may prove more important than depth in a particular technical skill. Examples of people programs for retention include, but are not limited to, continuing education, job rotation opportunities, and decreased benefit premiums for employees with specific experiences and/or clearances.
When hiring in at the senior level, it also helps to have a strong executive succession planning approach, and to “hire ahead” through executive placements that offer headroom for development into more senior leadership roles over time. This has been a hallmark of Centerstone’s approach to leadership consulting and executive search and, in conjunction with our ability to source strong non-traditional candidates, has helped our clients develop their existing senior leadership and introduce outstanding new talent to their executive teams to mitigate the risk of search churn at critical transition points in the future.
Centerstone Washington DC: Your search partner.
Centerstone Washington DC is uniquely positioned to support clients in sourcing the best cyber security executives. Our Aerospace, Defense and Security Practice Managing Director, Jim Donnelly, has a 25-year track record of talent acquisition success in the cyber, intelligence, and federal healthcare sectors, with an associated network of trust-based relationships and deep vertical expertise. Centerstone’s high-touch, relationship-driven approach to executive search and leadership consulting has allowed all of our industry-focused practices to build credibility and consistently deliver success for our clients.
For more information about Centerstone’s services for aerospace, defense or security, call the D.C. office at (202) 847-4867 or contact Donnelly directly at [email protected].
1 https://hbr.org/2017/05/cybersecurity-has-a-serious-talent-shortage-heres-how-to-fix-it
2 https://www.techrepublic.com/article/rise-of-the-accidental-cybersecurity-professional
3 https://www.computerworld.com/article/2979858/it-skills-training/the-myth-of-the-cybersecurity-skills-shortage.html