The Keys to Finding Cybersecurity Talent in a Candidates' Job Market

Posted by Tony Kontzer

There's a lot of fretting these days about the impact artificial intelligence will have on the job market. The fear is that many skills will become obsolete as machines perfect them, but there's no such worry in the cybersecurity world.

Security pros are in an enviable position today, what with zero unemployment in the field and more job openings than qualified applicants. On the flip side, though, filling security jobs can be a bear, which is a potentially huge problem given the array of threats organizations face today. So it's no surprise that recruiters from search firms, large companies and security vendors are descending upon cybersecurity industry gatherings in search of fresh talent.

A recent piece in CSO Magazine highlighted ten fascinating insights about the cybersecurity job market that an anonymous headhunter who was in attendance at one such event shared. Let's take a look at each one, along with our quick take on each insight.

- Candidates hold the power, often demanding a 15-20 percent premium over what employers are offering.

Our take: While it's probably not wise to make things too easy by offering more money, those in search of security talent must be ready to pay top dollar for that talent, or risk losing them to rivals who will.

- Military cybersecurity expertise is in especially hot demand, but those who possess it tend to want to work for other military folks.

Our take: Organizations should make it a priority to hire a few military types to fill executive roles, hence making themselves more attractive to this critical talent pool.

- The pace at which colleges and universities are churning out cybersecurity graduates isn't sufficient to fill available entry-level jobs.

Our take: Perhaps it's time to rethink how we educate our future cybersecurity workers. Jim Lewis, a senior VP at the Center for Strategic and International Studies who's been teaching a cybersecurity section at the Naval Academy, ditched textbooks this year in favor of using news headlines as his main teaching tool, citing the seismic shift in what security pros need to know to do their jobs today. "Textbooks were written for the PC world," Lewis told us. Perhaps colleges and universities nationwide should follow his lead.

- IT workers making the switch to cybersecurity are finding the transition more challenging than expected, leading some organizations with high threat levels to experience unexpected turnover.

Our take: Cybersecurity and IT serve very different functions, and often have conflicting objectives. Not only should IT workers looking to make that switch take it very seriously, and consider some heavy-duty education and training before doing so, but employers should think twice before hiring people without hands-on security experience.

- While some employers have stated policies not to hire black hat hackers, they often are open to doing just that.

Our take: Hiring converted hackers as consultants and asking them to expose security weaknesses is a proven security strategy. Bringing them on full time very well could add a level of perceptiveness that can't be duplicated through other means.

- The healthcare industry is finding that its outdated technologies are preventing it from attracting top cybersecurity talent.

Our take: In a world where organizations are looking at "gamifying" their technologies to appeal to younger cybersecurity workers, being behind the times is a serious disadvantage. This is a huge issue for healthcare providers, and given the amount of time it's taken to build momentum behind the adoption of electronic health records, it's something that's probably not going to be meaningfully addressed any time soon.

- The financial services sector, which is flush with cash and modern cloud infrastructures, is one of the only industries where candidates can expect competition for jobs.

Our take: Cybersecurity pros are just like any other group of workers: They're likely to gravitate toward where there's money and challenging work. Financial firms offer both.

- Recruiters who turn to exploding job offers (or offers that have an expiration date) out of desperation to fill roles quickly are finding that candidates are on to this strategy, and are often turned off by it.

Our take: Any job offer that comes with an ultimatum that it must be accepted within days should be viewed with suspicion. There are simply too many unfilled cybersecurity jobs out there to be strong-armed by a potential employer.

- Employers' stubborn devotion to job boards over search firms is misguided, as the best candidates are much more likely to engage with a professional recruiter.

Our take: A hands-on approach to finding cybersecurity talent is much better than a passive one. That doesn't mean organizations should ditch job boards, but they shouldn't be relying on them as their primary recruitment strategy.

- The best way to recruit cybersecurity pros who are considering new career opportunities is to network with them at hackathons and other niche security events.

Our take: When hiring for roles in which candidates hold the power, meeting them face to face is the best strategy. When they know they can write their own ticket, jobseekers want to see commitment from potential employers from the get-go, and there's nothing like active networking to get that commitment across.

There's one other key insight about the cybersecurity job market that CSO's headhunter source left out, and it's a longstanding rule of effective recruiting: often the best recruitment strategy is to retain current employees. It does no good to hire fresh talent if the existing talent is simultaneously walking out the door.

In other words, before making a big push for an influx of security talent, an employer should take stock of its current roster of security professionals, ensure they're satisfied in their jobs, and are comfortable with their current compensation, and make sure it stays that way.

Tony Kontzer, RSA Conference
