Hacking the Cybersecurity Talent Shortage
July 24, 2018 – Demand for cybersecurity professionals at all levels is accelerating in the face of increasingly volatile global data security condition. But the talent pool remains limited and difficult to access. With cybercrime draining more than $445 billion from the global economy, International Data Corporation (IDC) has forecast that this market will present a $101 billion opportunity by 2020.
At the same time, a report from Frost & Sullivan, predicts that more than 1.5 million positions in the global cybersecurity workforce will go unfilled up through that time.
Although this has been a known challenge for years, both the government and commercial sectors have been unable to get ahead of this predicted shortfall in the face of burgeoning need. This has only been compounded by the continuing backlog of security clearance processing for “cleared positions,” according to a recent report by Jim Donnelly, managing director of Centerstone Executive Search & Consulting.
Why does this seem to be such an intractable problem? “Unfortunately, the old adage, ‘To a hammer, everything is a nail,’ may account for part of it,” said Mr. Donnelly. “Internal recruiting teams are – appropriately – primarily focused on funded positions on government contracts, however unfunded billets/positions still need attention, and many talent acquisition leaders continue to focus on a traditional just-in-time recruiting approach of buying in skills. Unfortunately, when those skills are in short supply or still evolving in the market, and the talent pool remains inaccessible, companies need to consider thinking outside the box to find the right people, particularly at the senior executive level.”
Mr. Donnelly is a veteran search executive who has over 25 years of talent acquisition experience in the cyber, intelligence and federal healthcare sectors. His senior-level executive searches represent a diverse portfolio of clients in the defense, intelligence and federal civilian markets, covering functional areas like operations, business development, engineering and corporate leadership.
In a recent discussion, Mr. Donnelly offered up some tips for recruiting cybersecurity professionals.
Adjust Your Search Criteria
To start with, a change in mindset is necessary, he said. Rather than focusing on the lack of qualified people in the industry, talent acquisition leaders must widen the lens they are looking through. “Many senior-level cybersecurity professionals with any significant tenure in the field will likely not have a degree in cybersecurity, nor might their job experience look particularly relevant on paper, due to the organic nature of how many of them have come by their cybersecurity expertise,” said Mr. Donnelly.
In addition, as cybersecurity and related degree programs struggle to keep pace with the industry shifts and innovations, many of these qualifications end up not being technical enough and fall short in terms of experience. “Organizations are increasingly seeing the need to innovate with new collar approaches to hiring that prioritize attributes such as technical curiosity and aptitude, problem solving, versatility and risk assessment over specific qualifications that may be redundant as soon as they are gained,” Mr. Donnelly said.
Security Threats Create Talent Challenges, Opportunities
Cybersecurity might well be the greatest challenge facing corporate America today. The threat to reputation, private information and dollars — both from immediate theft and the cost of repairing the damage of a cyber-attack — can be staggering.
Widening the net may also mean looking to different industries and embracing an inclusive hiring strategy, recruiters say. Cybersecurity is inherently interdisciplinary and involves knowledge of not just technology but human behavior, finance, risk, law and regulation. “Looking to other industries can be beneficial, particularly those that deal often with privacy and consumer security, such as retail and service industries,” said Mr. Donnelly. “Because of the complex nature of cybersecurity problems needing to be solved, gender diversity can significantly strengthen an organization’s competency in this area.”
“Consider as well the unique adaptability, tenacity and problem-solving perspective somebody with a disability will bring: Someone used to hacking everything from mobility to appliance use is going to approach security problems very differently from someone who has never had to navigate such challenges,” he said.
Related: Spencer Stuart Explores Global Cybersecurity Talent Needs
When bringing in talent from the outside, it is critical to work with professionals who know how to see past the “camouflage” of a resume to find the best cybersecurity specialists whether they are active on the job market or not, the report said. Often this requires the ability to tap into a deep network of connections for referrals and qualified introductions.
“With over 25 years in the Govcon space focused on the areas of aerospace, defense and security, the Centerstone DC team has the established relationships and connections to do just that,” Mr. Donnelly said. “By combining our industry network with a lateral thinking approach to executive search, we have also been able to successfully introduce non-traditional candidates who have helped companies expand their worldview without sacrificing the effectiveness or synergy of existing leadership teams.”
You May Already Know Them
Too often, organizations fail to effectively tap into a talent source right in front of them: the professional networks of their existing employees. “In the cybersecurity space, this is a mission-critical failure due to the nature of the work and the kinds of people who excel at it,” Mr. Donnelly’s report found. “The security community is small, the community of cleared professionals even smaller. There is no doubt that the best cybersecurity professionals know each other and may actively collaborate to resolve shared challenges.”
Recruiters also say that employee referral programs and candidate outreach can leverage the strength of particular communities, such as active military and veterans who may have key skills, knowledge and clearances. Employee referral contests are a great way to generate candidates for specific openings. Additionally, fully leveraging your company’s alumni network to drive re-hires and referrals is a great source and very cost-effective.
Cybersecurity Hiring Crisis Fueled by Lackluster Salaries
In order to protect their companies, and in the bigger picture the nation’s national security, organizations must rethink – and raise – salary caps to hire top flight cybersecurity talent, according to a new report just released by CyberSN, a leading search firm in the field.
There is a continuum of sensitivity when it comes to cultivating referrals and introductions, however, which is compounded by seniority and clearance levels. “Overt employee referral programs work exceptionally well at the entry and mid-levels, and for opportunities requiring low-level clearances; however, for more sensitive and/or senior roles, a degree of finesse is required that goes beyond simple introductions,” Mr. Donnelly said. “This is where an experienced search partner can effectively and confidentially vet and manage outreach to identified professionals, from initial contact all the way through to handling sensitive negotiations and closing the deal.”
Related: Cybersecurity Leadership Role Evolves to Meet New Threats
Hire Ahead and Hold On to Your People
Corporate and government leaders with strong security programs concentrate as much on building talent as they do on buying skills. They focus on hiring people with critical aptitudes, core competencies and related skills, and then give them both formal and on-the-job training in security specifics, the report said. “This is where retention is a critical component of any talent acquisition and development strategy,” said Mr. Donnelly. “Implementing effective people-programs to ensure the cultivation of key resources is non-negotiable, and even more so at the executive levels, where a track record of leading innovation at the strategic level may prove more important than depth in a particular technical skill.”
Some examples of people programs for retention include, but are not limited to, continuing education, job rotation opportunities, and decreased benefit premiums for employees with specific experiences and/or clearances, he added.
When hiring at the senior level, it also helps to have a strong executive succession planning approach, and to hire ahead through executive placements that offer headroom for development into more senior leadership roles. This has been “a hallmark of Centerstone’s approach to leadership consulting and executive search,” said Mr. Donnelly. “And, in conjunction with our ability to source strong non-traditional candidates, it has helped our clients develop their existing senior leadership and introduce outstanding new talent to their executive teams to mitigate the risk of search churn at critical transition points in the future.”
Related: Scrambling for Cybersecurity Leaders is Big Business for Recruiters
Contributed by Scott A. Scanlon, Editor-in-Chief; Dale M. Zupsansky, Managing Editor; Stephen Sawicki, Managing Editor; and Andrew W. Mitchell, Managing Editor – Hunt Scanlon Media