Charlie Waterhouse is a senior security analyst at Synack.
One major challenge in addressing the cybersecurity talent gap centers on capability. Even when you’ve found a candidate, do they have the right skills for your organization’s tech stack or just the list of certifications from the job description? Many organizations are missing out on talent and talent augmentation because of outdated hiring practices.
Traditional Hiring Methods Might Screen Out the Best Candidates
If you’re having a hard time finding your next cyber candidate, ask yourself: Are you filtering out the best ones? Many great candidates are screened out by hiring systems for lacking traditional requirements like a four-year degree or a certain number of years of experience. Sometimes, the listed expectations are not only prohibitively rare, but impossible. I’ve seen job postings ask for five years’ experience in a technology that has only been around for three—and for an entry level position at that! There are also many job postings asking for an unreasonable 5-10 years of testing and analysis experience for an associate position.
These job description errors have two detrimental effects: First, you discourage quality candidates from applying because they doubt they qualify. Second, experienced practitioners may dismiss your company because they view the expectations as unreasonable.
I have met many individuals with valuable cybersecurity skills who are frustrated at not being able to even land an interview. Priorities should shift to finding a candidate with the right skills, rather than looking for a litany of degrees or certifications. Often, these credentials reflect theoretical knowledge but do not necessarily signal hands-on experience or skill. A candidate may lack traditional resume items, but be a driven, passionate security professional who proves to be a star in your organization.
Education and Investing in Employee Skills
There are plenty of training resources to help individuals start an IT or security career: BUiLT, FedVTE, Love Never Fails and others educate underserved communities. At Synack, we sponsor the Synack Academy, a program to train people for cybersecurity roles and recruit them for full-time roles upon graduation. Synack also actively recruits veterans both internally and for our global Synack Red Team community of top-notch security researchers.
The candidates who benefit from these educational efforts are hungry to advance and excel, putting in hours of their own time to learn new skills. Should you turn these individuals down just because they don’t check boxes like having a four-year degree? I wouldn’t. In my view, the people who graduate from these programs are some of the best you can hire. I would also encourage employers to provide access to training to advance skills of existing employees, an affordable initiative compared to the cost of searching for and hiring new candidates.
I know firsthand how successful a nontraditional candidate can be, as I was a nontraditional hire into security. I spent more than 20 years in the airline industry before coming to Synack as a security analyst. I do not have a degree in cybersecurity or a related field, but I did have an interest and drive to learn. I spent time working on real-life security problems and focused my energy on those scenarios. For example, I worked on Hack the Box to understand network security and exploitation of websites. Today, I am routinely brought into projects or client meetings as a technical expert on securing large enterprise environments.
Evaluating What Skills Are Needed in Full-Time Roles
Even when a candidate has enticing skills, another dilemma can arise: Is your organization able to use them? Is there enough work to justify filling a full-time role?
Security needs come and go, and sometimes temporary work is a better option than adding a full-time employee. However, managing contractors is time-consuming, and finding them is challenging in its own right.
Synack is particularly suited to address that challenge through talent augmentation. Researchers in our Synack Red Team can perform security testing on demand. When recruiting for the SRT, we assess each candidate’s skills and vet them carefully. This makes for a community of diverse, highly skilled researchers who can tackle any attack surface. Some have traditional four-year degrees and practitioner experience, while others hail from less traditional backgrounds. But they all have the capability to help secure your organization.
It’s Time To Rethink Your Approach to the Cybersecurity Talent Gap
At the end of the day, there are cyber candidates out there who can help bridge the talent gap. But traditional job descriptions might be prohibitively limiting. There are education initiatives underway aimed at bringing new, passionate people to the workforce, but additional hiring challenges may remain for cyber leaders. Alternative talent augmentation, like that brought by the Synack Red Team, may be the best option.