This is a challenging time for recruiting and retention of additional cybersecurity resources. Research by CyberSeekTM, a joint project between the National Initiative for Cybersecurity Education (NICE), CompTIA, and Emsi Burning Glass (now Lightcast) shows the number of cybersecurity job postings in the U.S. in 2022 has exceeded 700,000 positions.

CyberSeek reports also show that cybersecurity job demand increased 43% over a 12-month period ending April, 2022. This far exceeds the 18% growth in demand across all occupations. You can find statistics for your state or major city on CyberSeek’s interactive map.

A number of factors are driving this demand:

• Explosive growth in the number of devices and people that store data online.
• Overwhelming dependence on technology and number of internet connections.
• Almost all financial transactions are online, and it’s much easier to steal money by hacking than to rob a bank.
• Legacy software is running everything from point-of-sale systems to power plants, water treatment facilities and other essential public services. (For more, See “7 Big Reasons for Cybersecurity Demand” by Matt Day.

TRADITIONAL STRATEGY - HR RECRUITING

The traditional approach of using HR recruiters still works, but there’s a major issue with job descriptions. Job seekers in the cybersecurity community are reporting a number of missteps in job descriptions that cause them to avoid specific employers. See “3 Red Flags in Cybersecurity Postings.

One common issue relates to entry level positions. Some ask for 3 to 5 years of job experience. Others want advanced certifications such as Certified Information Systems Security Professional (CISSP). However, individuals must have 5 years of relevant experience before they can even take the certification exam. Job postings with unrealistic expectations lack credibility. As a result, the organization appears out of touch.

Job descriptions that are too general when it comes to duties are another mistake. This field is not well established enough to have the same standardized job title and description for a wide spectrum of skills.

Further, a candidate may interpret a general job description as having too many duties. This implies long hours and a lack of work-life balance. A good resource for sample job descriptions is the SANS Institute, a respected leader in cybersecurity. You can see several samples on their website.

In trying to remain competitive with other hiring companies, you may find that job seekers expect perks your company doesn’t normally offer. These include:

• At least one week of training or continuing education, including travel expenses
• Time during business hours to listen to webinars
• A career path in the organization or growthopportunities to develop new skills
• Reimbursement for dues to at least one recognized professional association

There are several areas of specialization within the cybersecurity field. Samples skills sets include:

• System administration of security tools and technologies such as vulnerability scanning, identity management, firewall management, etc.
• Threat detection and incident response, which involves monitoring and escalation procedures
• Application security for software development, including securemcoding reviews and implementing security fixes
• External and internal penetration testing
• Cloud security engineering and implementation of control measures
• Third party security risk management
• Security awareness and end user programs such as newsletters and training
• Project management to address the implementation of new security tools and systems
• Network security management to address firewalls, segmentation and access controls
• Policy development and ongoing updates tied to IT infrastructure, applications and organization or business changes
• Security audits to ensure that all risk controls are working effectively and as expected
• Taking steps to ensure various compliance requirements

When it comes to security management roles, one best practice is to separate duties between managing security

technologies (IT security) and managing governance, risk and compliance (GRC).

The GRC function should be responsible for security policies, compliance audits and user training and awareness. It may make sense to include a data privacy officer in the GRC function as well. These two management functions must coordinate and work together, although IT security logically is grouped with technology and GRC fits best with either legal or finance.

LONGER TERM STRATEGY: A DEVELOPMENT PROGRAM FOR CYBERSECURITY STAFF

Another strategy is to create a development process or program for cybersecurity staff. This allows internal people who are familiar with the company culture and business environment -- and have experience using IT systems and applications -- to learn, grow and transition into cybersecurity. This strategy applies to include external candidates as well.

One key consideration: Academic qualifications may not be relevant. “Many tech-related roles, including those in cybersecurity, can be filled by those with a few select qualifications and skills, rather than a full four-year degree,” says Will Markow, vice president of applied research at Emsi Burning Glass. “In an environment where talent is hard to find, employers may find a competitive advantage by expanding their potential talent pools.” For more, see “Cybersecurity Jobs Surging” by Caroline Effinger and Tim Hatton, June 7, 2022.

The rapidly changing nature of cybersecurity attacks underscores the need to expand reach. Creating and maintaining an effective cybersecurity defense requires continuous learning on behalf of employees.