Sunday, December 22, 2024

The Cybersecurity Professional Shortfall Should Not Be As Large As It Is

Imagine a networking event of cybersecurity professionals. Discussions reveal that several of them are actively seeking employment. Most of these jobseekers have been on the job market for several months, applying to multiple positions a week. Aside from their technical credentials, they are engaged in the cybersecurity community. They attend conferences and volunteer at many of them. These professionals participate in training to continuously improve their skills. They make themselves visible on social media. They are exactly the type of cyber workers every company is desperately seeking. It seems unbelievable that they are still in search of offers given the current number of open positions in cybersecurity. Sadly, this is not a mirage, but a reality.

In December 2022, Fortune Magazine reported the shortfall of cybersecurity employees at 3.4 million. There are businesses and organizations of all sizes in dire need of cybersecurity professionals. Despite common assumptions, cyber-related positions are not limited to technical jobs. People with cyber knowledge are needed for training, legal, human resources, management, accounting, and corporate strategy departments among others.

Why are these two groups having difficulty finding each other? Because we are trying to fill cybersecurity positions using the same techniques that we use for all other positions. Our hiring practices have yet to recognize the unique characteristics of cybersecurity positions. It is a relatively new field, so expecting several years of experience for early-career positions is unrealistic; however, it is repeatedly listed in job requirements. Cybersecurity is an interdisciplinary field with roots in political science, mathematics, computer science, information technology, and the military. Limiting acceptable background experience to only computer technology positions ignores the larger range of cyber-related job tasks. Very few upper-level cybersecurity professionals have career paths isolated to cybersecurity positions. Most have held a variety of positions before entering cybersecurity.

Every functional area of business interacts with other functional areas and has some type of cybersecurity concern. For example, companies doing business across borders need to manage international law. Countries in Europe have different requirements for protecting customer data than countries in other regions. Managing such differences requires professionals who have a working knowledge of international law and data protection. Another example can be found in healthcare. Doctors’ offices maintain patient health records, insurance, and payment information. The regulations for handling patient records and insurance differ from those for payment transactions. An understanding of both is necessary to keep all patient records safe. Al Capone can serve as a third example. Let’s not forget that Scarface was arrested and imprisoned for income-tax evasion, not any violent crime. Today, identifying tax evaders requires mastery of the tax system and accounting practices and a moderate background in data storage and data management. None of these examples require deep technical know-how. They do require a solid understanding of cybersecurity issues and how they relate to and impact other areas. The requisite cybersecurity knowledge here is not technically in-depth. The key is insight into the crossover between different areas, like international law and cybersecurity or healthcare and cybersecurity.

We need to fix the problem that prevents jobseekers from securing open positions. Human resources (HR) often takes the blame for this disconnect. This censure is misplaced. HR can only follow the directions they are given with regard to a job posting. If they are given a bullet list of degrees and certifications and instructions that state these are minimum requirements, then they cannot be blamed for missing the applicant who has equivalent work experience. Relying on the normal methods for evaluating applicants is a disservice to all and propagates the cybersecurity workforce gap. People with critical thinking and problem-solving skills are needed to fill cyber positions. Anyone with the prerequisite cognitive skills has the ability to learn any software, process, or system that may be needed for the job.

Well-informed people are needed to connect applicants and openings. Recruiters who understand which non-cyber skills cross over into cyber tasks are necessary to recommend applicants to companies for specific openings. Cybersecurity hiring specialists within human resources departments are also needed. These specialists would know what experience, certifications, and education meet the requirements of the position without relying blindly on a list of minimum requirements. This solution requires an investment in hiring practices for cybersecurity positions. It is either that or “hiring as usual,” which is not getting the job done.
