Using creative recruitment strategies to tackle the cybersecurity skills shortage

With the increasing complexity of cyber threats and the global shortage of cybersecurity experts, organizations are looking for creative approaches to recruiting and retaining top talent.

In this Help Net Security interview, Jon Check, Executive Director of Cybersecurity Protection Solutions at Raytheon, sheds light on the significance of internships and apprenticeships in nurturing the next generation of cyber defenders.

How do internships and apprenticeships contribute to bridging the theoretical and practical divide in the cybersecurity field?

Traditionally, there’s been an assumption that to begin a career in cybersecurity, you must have a specialized education and resume. However, the expanding threat landscape has forced the industry to reconsider what makes great talent. This includes emphasizing soft skills and varied backgrounds above all else, especially when it comes to combating the next big threat. Internships and apprenticeships can then offer the additional training needed to build a successful cybersecurity career.

Education should also be continuous in the cybersecurity field, so organizations must ensure they are making an active effort to train the next generation of the workforce. This consists of supporting their current employees and also encouraging their path to learn in the best way possible.

External and internal internships and apprenticeships are key to achieving this. They not only create more awareness around what it actually takes to have a job in cybersecurity but also help those within and outside of organizations develop the necessary skills to meet the needs of the evolving threat landscape.

Given the global shortage of qualified security personnel, what creative approaches do you suggest for recruiting talent?

Leaders must first reframe their mindset around what makes a qualified cyber defender, beyond checking specific boxes (i.e., specific degrees from prestigious colleges) and extending it to focus on soft skills, including critical thinking, problem-solving, and public speaking. Creativity is also a valuable skill to have when it comes to developing solutions to unique cyber challenges.

Organizations can then look to attract and develop talent by supporting curriculum-based and mentorship programs to build more awareness around a career in cybersecurity. This can include cyber competitions that enable students to gain hands-on experience, test their skills, network, and connect with mentors, laying a critical foundation to prepare themselves for a career in cyber (i.e., National Collegiate Cyber Defense Competition and US Cyber Games).

The value of recruiting internal talent should also not be underestimated. Providing non-technical employees with the opportunity to learn about cyberspace allows them an opportunity to switch career paths, especially if they have the right skill sets and passion to learn something new. This creates a pipeline of qualified talent and reduces the need for organizations to rely solely on experienced candidates from a limited talent pool. Ultimately, such internal training and development programs not only promote more retention, but enable better growth within the cybersecurity industry.

How does promoting from within contribute to the sustainability of a security program and the retention of top security talent?

Many security departments tend to operate in silos, which creates fragmented workplaces that cause employees to feel stagnant in their roles and also limits the growth of employees. This perpetuates an unsupportive work environment leading to lack of productivity, increased burnout, and attrition.

Burnout specifically leads to increased mistakes, a lack of motivation, and ultimately, leaves teams without the numbers needed to complete all the tasks required for a job that runs 24/7. The onus is on security leaders to constantly reinvent the ways in which teams operate to promote better individual growth and cross-team collaboration. This means establishing a supportive and encouraging work environment across the organization, cohesive to better engagement and productivity.

Do you believe cybersecurity professionals feel comfortable discussing their concerns with leadership, and how can this be encouraged more?

It depends on the organization. It can be easy for leaders to forget about the needs of individual team members when they’re focused on defending against the next cyber threat or recovering from a data breach. However, if your people aren’t supported, their work will be less than satisfactory.

To ensure cyber employees feel supported to voice any concerns they have, organizations should embrace the concept of “Cyberlandia” – a concept I came up with to describe the optimum state of cyber readiness, with happy team members who feel empowered to face whatever threats they encounter. This concept emphasizes a people-first work culture where team members are empowered to speak up and gain the confidence necessary to face whatever threats they may encounter. This includes establishing effective communication. Employees must be offered the space to vocalize what is needed to be productive on the job (i.e., changes to the work schedule or more training opportunities).

How can organizations leverage the wealth of idle talent in smaller suburban areas, particularly when major cities face talent shortages?

Cyber defenders can be found anywhere – but some areas lack the proper resources and education to generate new talent. The cybersecurity industry as a whole needs to do a better job of investing in underserved communities to build a stronger pipeline of future cyber talent by creating more equitable opportunities. For example, organizations can be a part of the solution by supporting initiatives such as scholarship, mentorship, and fellowship programs.

Why must companies emphasize high-impact experts or key frontline employees more than managers and directors in the cybersecurity sector?

Most importantly, high-impact experts or key frontline employees will be an organization’s first line of defense against a cyberattack that has the potential to destroy the business. Under limited cyber spending and a skills gap, they understand the context of an organization’s environment the best, which means they know exactly where to allocate resources that can make the most impact. Furthermore, experts and frontline defenders will be the most effective at training the next generation of the workforce, and as such, are an essential component to bolstering an organization’s security posture.