In this interview with Help Net Security, Max Shuftan, Director of Mission Programs & Partnerships at SANS Institute, talks about how companies and the cybersecurity industry should try to recruit hobbyists and DIYers – as well as individuals from many atypical backgrounds – to help fill the growing cybersecurity workforce gap.
From my (perhaps limited and anecdotal) perspective, some companies are already pulling prospective cyber security practitioners from the hobbyists/DIY pool – though perhaps there’s no concerted, organized effort on the broad cybersecurity industry level. How can the industry make such an effort? What (realistic) approaches should it consider?
You are correct that employers are hiring from hobbyists and the DIY community. I would further agree that there doesn’t seem to be a strategic, organized effort across the industry. It’s hard to do so given different employers’ varying resources, hiring needs, and job requirements.
I do think what would be helpful is for the industry to establish best practices and avenues for engaging hobbyists and the DIY community. Having a presence at conferences such as RSA and Black Hat is fantastic, but organizations need to look to community-based BSides events, MeetUp groups, and engaging organizations focused on improving diversity, equity, and inclusion (DEI) in cyber like WiCyS, Cyversity, and the Women’s Society of Cyberjutsu, etc. for outreach opportunities.
They need to spend more time connecting on Reddit and Discord, not just trawling LinkedIn for those with certifications to hire from other employers. Perhaps the industry can come together to host CTFs in partnership with community orgs to engage hobbyists and identify high-potential talent. The WiCyS Security Training Scholarship uses a basic-level CTF to identify individuals with aptitude for scholarships to play cyber games, and eventually, receive training and certifications.
Launching broad opportunities for hobbyists to demonstrate their talent is the key, be it through CTFs, ranges, aptitude tests, gamification, bug bounties, or other approaches. If these opportunities are made regularly available through an industrywide talent identification program, companies could reach new talent, enable them to demonstrate capability, and provide pathways to internships, apprenticeships, and jobs.
Some companies have the time to invest and experts to dedicate to teaching cybersecurity job candidates the ropes, but most don’t. Also, some might have all those things, but are wary of investing into candidates that can easily take that acquired knowledge and experience and parlay it into a better paid position with another company (given that demand for cybersecurity pros of all levels is high and the infosec industry has a definite job-hopping culture). Should those companies reconsider their stance – at least until a better and more systemic solution is offered by the cybersecurity industry?
Cybersecurity professionals value the opportunity to grow and develop new skills quite highly. Numerous studies indicate being provided training and certification opportunities is appealing to candidates and helps with retention. I would posit that any companies avoiding doing so for fear of losing talent are likely to lose their top talent anyway.
Practitioners in cybersecurity don’t just need to constantly stay abreast of trends and developments in the field as well as hone new skills; the vast majority have a passion for continuous learning and improvement. They want training, and they want to learn how to use new tools and deploy new techniques.
At times, it is true that talented professionals are going to leave their employer, and it might align with having received new training and/or achieved new certifications. The solution is not to deny them this opportunity, though. Companies should explore the opportunities of pay raises and promotions being tied to training and certification to retain talent. They should cultivate a culture of continuous learning, in which training opportunities are built in for team members, showing their employees they want to invest in them and value their contribution, and thus improving retention.
Hobbyists and DIYers are one possible pool of prospective cyber security professionals. Are there any others that people wouldn’t necessarily think of?
In working on talent discovery and reskilling programs, we’ve been fortunate to see and hear the stories of thousands of individuals finding success pivoting into cybersecurity from other past careers.
First and foremost, there is a lack of diversity in cybersecurity. Women make up 24% of the industry, and people of color are extremely underrepresented in the field. DEI efforts to reach more people in these communities are of paramount importance.
Additionally, gamers, former stay-at-home parents returning to the workforce, neurodiverse candidates, community college students, and adult career changers have all proven successful in moving into cybersecurity.
I think of individuals like a recent graduate of a cyber scholarship program, Christine. She worked as a physical therapist, but during the pandemic reflected on her job and decided she wanted to try something new. Knowing family members working in tech, she chose to pursue cybersecurity. After an intensive learning journey and achieving several certifications, she’s now a Cloud Security Analyst at a large government contractor!
What successful “new to cyber” candidates such as Christine have in common is key traits such as problem solving, critical thinking, and information parsing. They are often people who like puzzles, brain teasers, or taking apart toys, equipment, technology, etc. and seeing how they work. Their passion and tenacity for constant learning and solving problems can be indicative of potential for building cybersecurity skills, even without a background in the field.
We’ve seen individuals from myriad backgrounds such as bartenders, mechanics, marketing, the arts, hair stylists, sales reps, human resources, retail employees, and so many others pivot successfully into cybersecurity through scholarships to reskilling programs. If adult career changers have a work or academic background in a field that requires an analytical mindset, that can be a plus, too!
I’ve heard it said many times that companies’ hiring managers should occasionally hire cybersecurity talent based on potential, not just existing knowledge, and this seems to fit in with the idea of non-standard candidates for entry-level cybersecurity positions. In your experience, are there methods/approaches/tools that can be used to reliably recognize such potential?
Yes, absolutely. Using assessments that measure aptitude for cybersecurity can be very powerful in identifying high-potential talent. Public and private sector entities utilize these types of tools to consider entry-level hires and candidates for training programs, apprenticeships, etc., to great success in the U.S., Canada, U.K., EMEA, and APAC. Through cyber aptitude testing, organizations can confidently identify candidates with high potential for success in cyber skills training and on industry certification exams.
At the same time, employers can’t just hire based on aptitude. They also need to ensure candidates have passion for cybersecurity and the challenges of immersing oneself in constant learning, or they may run into problems with attrition. Having cybersecurity managers and talent acquisition collaborate to build interview processes so they focus on screening for passion, career goals, things people are learning on their own, etc. instead of only finding employed professionals with prior experience can help differentiate your company in hiring based on potential and also grow the talent pipeline.
Should companies consider making wider and more thorough sweeps of their workforce to unearth potential candidates for entry-level cybersecurity positions – individuals that never even thought their specific skills might be used in cybersecurity? If you were a hiring manager, how would you go about this?
Employers need to find untapped pools of talent, both externally and internally. There is almost certainly an employee at every large employer not currently working in cybersecurity that has the capability to do so.
In a Women’s scholarship academy, our team observed an individual who had recently lost her job in HR due to automation and layoffs. After taking several cybersecurity training courses and achieving three industry certifications, she was re-hired by that same company as an IT Security Incident Response Analyst, later getting promoted to be an IR team lead! Think about if companies explored for hidden talent like this at scale!
Leadership needs to work closely with hiring managers and HR to pursue this for internal programs – they’ll never find the talent unless they look. The great thing about reskilling existing staff is they already know the company culture and are likely a good fit on that front. Employers need to run awareness campaigns about careers in cyber at their organization, highlight current employees so people can understand what they do, and allow employees to express interest in pursuing a transition to a cybersecurity career.
Then, companies need to leverage proven tools like aptitude assessments, foundational cyber games, or basic-level CTFs to give their people a chance to demonstrate their potential.
What advice can you offer to HR and cybersecurity teams looking to work together on creating job postings that will attract suitable candidates?
Listen to each other and be flexible.
There is truly a shortage of talent, so not every job will be filled by someone with many years of experience. Also, employers should be open to not requiring four-year degrees if they aren’t necessary. Certifications may be required for certain roles, while not required for others, so don’t default to one or the other. Identify where they are necessary, preferred, or optional.
Don’t overload job descriptions with too many industry-specific terms or technical jargon; you can confuse candidates, even those with a strong technical background. Write job postings focused on broader skill sets and the core tools, techniques, etc. that are essential to the position.
Leverage common task areas such as those listed in the NIST NICE Framework. This will help recruit more diverse candidates, plus get HR and cybersecurity managers speaking the same language (no small feat).
Job postings should be written so that they feature company culture, opportunities for growth and learning in cybersecurity, and use inclusive language. They should emphasize the need for candidates to have passion for cybersecurity and self-driven learning (e.g., “candidates who participate in CTFs or community events are encouraged to apply”).
There will never be perfect job descriptions in such a constantly evolving and complex workforce. However, the more talent acquisition and cybersecurity managers collaborate to build job descriptions and share best practices in doing so across the industry, the better they’ll become.