Examining the disconnect between employers and job seekers in Security?

There is a lot of talk among business leaders about a critical shortage of cyber security talent. Many cite studies and surveys that provide context for just how big the problem has become. In fact, Cybersecurity Ventures predicted in 2017 that by 2021 nearly 3.5 million security jobs would go unfilled. While this discussion is seemingly ubiquitous in the business world, there is another side to the story.

Interacting with the security community through social media, one quickly discovers that there are significant numbers of job seekers unable to find security jobs. In fact, I recently tweeted about a job opening that I have coming up. With roughly 4,200 followers, I had over 200 people send me direct messages expressing interest. After weeding out those who were clearly not fits, I still have a list of over 50 potential candidates. With that much interest from one tweet about one position, it seems odd that organizations are having a hard time finding candidates. This dissonance is so powerful that I personally call BS on the talent shortage. What we have is a talent disconnect, but why?

Job descriptions and unrealistic expectations

Browse the listings of security jobs and you’ll quickly see just how poor and unrealistic many of them are. In my own less-than-scientific research, I’ve noted a few of the more common issues:

  • Requirements for an overly broad range of expert-level skills beyond what any single human could possibly possess
  • Length of experience requirements that are not commensurate with the position (e.g., 6-8 years of security experience for a security analyst role)
  • Unrealistic salary ranges for a given title (e.g., a Senior Security Architect role with a salary range of $50,000-65,000)
  • Seeking impossible levels of experience in emerging technologies (e.g., 10 years' experience with blockchain technology)

Breaking it down

Let’s tackle these one at a time. Overly broad skills requirements often stem from building job descriptions like a wish list. The approach ends up being “we can’t have it all, but whoever checks the most boxes in this list is the one we choose”. There are two problems with this methodology. First, job seekers read those lists as hard requirements. The more items on the list they can’t check, the less likely they are to apply. Second, picking a candidate with broad knowledge but little depth may leave the organization in a bad position when deep technical expertise is needed.

Security-related job descriptions are still new to many organizations. As such, they are often derived from other technical roles with similar titles. This can lead to a scenario where the length of experience being asked for does not match what the market would dictate for a position at that level. This same scenario can often lead to seeking impossible levels of expertise. Ultimately, more time and analysis are needed from security leaders and Human Resources working together to develop market-aligned expectations.

One of the most frustrating issues isn’t always visible from the job description itself. When the salary range attached to a role is unrealistic in terms of market forces, both hiring managers and candidates are impacted. Candidates often go through multiple rounds of interviews before finding out the pay range is too low. They end up feeling like their time was wasted. In cases where initial screening interviews are used to match salary needs, the hiring manager will likely receive few qualified candidate options, resulting in further frustration on their part.

Engaging the Security Community

Another common issue that seems to hamstring many recruiters is their inability to connect with the security community. Anyone who has security experience listed on their LinkedIn profile has likely gotten messages from recruiters. Commonly, recruiters will use one or two search criteria and match highly experienced candidates with entry-level or unrelated positions. The “hot” job market in security brings many non-technical recruiters out in search of security talent. The resulting credibility problems for recruiters in the security industry in particular create a heavy divide.

Recruiters must overcome that credibility problem with a genuine understanding of the security landscape. Additionally, they must learn to engage security professionals through less traditional avenues. The best security recruiters have learned how to connect with the community via social media. They’ve learned how to have meaningful interactions on Twitter and are patient in their approach. It takes time, but recruiters who take the time to learn security and develop long-term relationships with members of the security community find greater overall success in filling roles.

Breaking the mold

A side effect of interacting with the security community is that organizations will also shed their preconceptions of what security talent looks like. Sometimes there is literally a bias about the appearance of security professionals. Bold hair colors, visible tattoos, body piercings, and non-traditional fashions are very common among security experts. Meanwhile, the corporate world continues to shift at a glacial pace toward acceptance of such appearances.

Security and business leaders alike still carry heavy bias, albeit sometimes unconscious, against individual expression. Conformance to traditional standards is still sought, often to the degree of disqualifying otherwise highly qualified candidates. Managers hiring for security positions (or any positions, for that matter) need to understand this and move beyond their preconceived images.

Incubating talent

I find it particularly frustrating how little foresight organizations put into developing security expertise in their current staff. As digital transformation trends continue, security has to be a part of every phase of our business. So why then don’t leaders look to groom security expertise in all business functions? Imagine a world where every team from accounting to finance to development was required to have security expertise.

An approach like this has multiple benefits. First and foremost, it begins developing a culture in which security is always a consideration. No longer do we allow admin or operational groups to fly under the radar of security considerations. Second, these resources now become an internal pool of candidates from which security-focused positions can be filled. Essentially, it becomes an incubator of security talent. Third, this type of investment in employees also helps combat turnover. Employees are able to develop marketable skills that give them a clear path for advancement or new challenges.

Obviously, this type of approach requires executive-level buy-in and support. Business and support functions will be reluctant to dedicate portions of their budgets to training in skills they see as unrelated to their purpose. However, at an executive level, when the cost of training is weighed against recruiting costs, turnover costs, cost-of-vacancy, and third-party services expenses, the business case is easy to build. Organizations must stop relying on someone else to develop security talent and instead take an active role in the process.

Bridging the gap

Is the idea of a talent shortage truly false? It’s hard for anyone to say for sure. However, the way organizations search for and cultivate talent clearly contributes to the problem. We’re seeing a shifting of the tides in terms of how security talent and hiring firms come together, but there’s still a massive gap. To those of us active in the community, that disconnect is very visible every day.