In the 1993 film Rookie of the Year, coach Larry Fisher, thinking differently while fighting to save his club from the ignominy of a declining fan following, looks to recruit rookie Henry Rowengartner to save the day. Lithe in appearance in a game dominated by gigantic quarterbacks and guards, there is nothing spectacular about Henry, except that he can throw a fastball at a phenomenal 100 miles per hour. Pressed into action, Henry, his throwing arm the result of a freak post-surgery healing, responds. Soon the results start to show.
A case of good fortune or one of thinking differently where talent is concerned?
There’s a war out there
Cut now to the cybersecurity world, where a war of experts is raging. At stake are the all-important assets of organizations: data, revenues, and arguably even their fortunes. The protagonists, the organizations, seem to be hopelessly outnumbered. The antagonists, the cybercriminals, clearly have the edge, at least where numbers are concerned, as organizations struggle to fill their vacant positions and rejuvenate their exhausted workforces in the face of a growing onslaught of cyber threats, compounded many times over by the work-from-home (WFH) scenario. ZDNet, in an article (1), reports that 62% of respondents felt the workload of information security personnel had increased many times over.
Organizations, however, seem to be getting their recruitment wrong, which is why cybersecurity positions remain vacant despite there being no dearth of talent. ZDNet reports that almost 39% of organizations are finding it hard to fill cloud computing roles.
This article suggests that a different approach needs to be taken if this arguably, and increasingly, one-sided war is to be brought to a level playing field.
What it takes to be a cybersecurity professional
Let’s look first at what makes a cybersecurity professional in terms of qualifications.
- Primary among qualifications is a computer science degree and a certification in the form of the CISSP, a credential under the aegis of the International Information Systems Security Certification Consortium. Clearing this exam is possible only after having at least five years of experience in IT security.
- Next comes network security, where the following certifications are considered the gold standard for cybersecurity professionals. The first is the CompTIA Security+ certification, which employers generally look for. It comprises a one-hour test with a pass percentage of 80.
Another is the Certified Information Systems Security Professional (CISSP) certification, which is under ISC2. This test requires clearing several prerequisite exams and, again, having at least five years of experience in the field.
The last one is the Certified Ethical Hacker (CEH) certification, which is under the EC-Council. This exam tests your ability to find vulnerabilities in computer systems.
- Over and above these, cybersecurity professionals are required to know how to use cloud computing technologies and programming languages such as Java, C++ and Python, and to understand vulnerabilities in operating systems such as Windows and Linux.
Breaking the mould
Nine out of ten job descriptions for cybersecurity professionals are aligned with the above. But while there are experts out there whose profiles match the requirements, it is hard to explain why positions remain unfilled, especially when supply is equal to demand. One answer lies in the burgeoning workload on cyber professionals due to the increasing number of threats, resulting in overworked teams, burnout, and migration. The second, and more important, answer lies in a failure to adopt a different approach to recruitment.
Nothing more needs to be added about the first. Cybercriminals are having a field day and new threat vectors are increasing ceaselessly. As to the second: human resource departments are blindly following recruitment templates to a T, placing an overemphasis on qualifications and certifications. While certifications are certainly necessary, they are not the be-all and end-all. A report by the Information Systems Security Association (ISSA)/ESG found that 25% (1) of cybersecurity professionals state that job postings at their organization tend to be unrealistic. Cybersecurity is not only about certifications. It is about experience and talent: identifying people with passion, problem-solving skills, agility, aptitude, a quest for learning, and differential and lateral thinking. Further, it is about bringing in people from different backgrounds with these attributes, training them, and tasking them with challenges they would love to wrap their heads around.
As long as the mould remains unbroken and human resources persist with established recruitment norms, organizations will struggle to fill these positions.
Experience, Compensation and Timing
A considerable amount of cybersecurity recruitment today is done at the entry-level position. A CISSP certification, which requires five years of work experience in the field, should guarantee a position in cybersecurity. Even internships are being advertised with a requirement of five years of work experience. Herein lies the fallacy in the cybersecurity recruitment landscape: simply put, it is about the time you have spent in the industry and not only about qualifications. ZDNet reports that 29% (1) of respondents felt their HR department did not understand the skills needed for cybersecurity.
Human resources, however, are seemingly not following the conversation. The result is that people with years of hands-on experience, some of them self-taught, are being offered entry-level positions and compensation that simply does not reflect their abilities and experience. Some respondents feel their organization does not offer competitive compensation.
Another aspect organizations need to improve on is the timing of their recruitment. Most organizations are reactive in their approach to recruitment, going on a massive drive to recruit cyber professionals immediately following a data breach. Cyber professionals are not magicians; bringing specialists on board and asking them to deliver immediately is not practical. Furthermore, cybersecurity is far too important an area to receive shabby patch-up treatment. Rather, a sustained recruitment drive would help organizations address data breaches in a timely manner.
Organizations also need to adopt a different approach to how cyber teams are viewed. Most organizations look at cybersecurity as a cost center and a technical issue rather than a business necessity, a view that shapes their approach to recruitment. In fact, the opposite is true: a good cybersecurity team equipped with the right tools can save organizations millions, even to the point of averting bankruptcy.
Getting it right
The following steps could be considered to correct the anomalies in the present situation, where demand arguably matches supply but the two fail to connect.
- Assign the right value to cybersecurity in the business plan of the organization.
- Align with the forthcoming Securities Commission regulations requiring a director to have cybersecurity qualifications.
- Empower the CISO.
- Recruit cyber personnel on an ongoing basis at the start of their careers and build up a strong cybersecurity team.
- Undertake talent searches starting at the school level and extending within the organization.
- Explore funding for cybersecurity scholarships.
- Change the mindset and approach of human resource teams to cybersecurity recruitment.
- Invest in training and tools for the cybersecurity teams.
As the season progresses in the Little League, the unheralded and underrated rookie Henry learns the nuances of the game and, under the tutelage of seniors, becomes a force to be reckoned with. Eventually, he leads his team to the National League Championship Series. Then, in a climactic finish, his team wins the World Series!
The cybersecurity world could take a leaf out of this celluloid example. The time is upon us to change. Otherwise, cybercriminals will continue to rule the roost, leaving in their wake organizations and managements to rue their unwillingness to change and their decision-making paralysis.
The time to level the playing field, to act, is now. Later may be too late!
Additional reading: