Recruiting the best cybersecurity talent is an especially difficult task. Good people are very hard to find in a tight labor market where demand effortlessly outstrips supply.
Companies urgently need talented people to fight the rising tide of cyberattacks, which cost billions in damages every year. Being unable to fill vital jobs is becoming perhaps the greatest cybersecurity risk of all, dwarfing the threats posed by ransomware and other attacks.
The challenges are many, but here are the toughest ones:
Finding the right people for the right jobs — within time and money constraints.
Some companies make the mistake of asking too much from candidates — in the hope that one of them will match their needs. For example, when seeking an entry-level person, they ask for years of work experience and specific security qualifications. On the other side of the table, candidates may overstate their capabilities.
Falling into the trap of only selecting candidates with deep resumes.
This is so easy to do, given the slew of responses to certain advertised positions. Faced with possibly hundreds of resumes to sift through, hiring managers tend to cherry-pick the applicants with the best academic and work qualifications — which may result in overlooking those who have superior hands-on skills.
Ignoring talented people who perform poorly in interviews.
For many companies, the first face-to-face interview is the acid test for assessing a candidate’s suitability for a position. Not surprisingly, some very talented people get rejected at this stage because they perform poorly due to nervousness, shyness or even neurodiversity. Indeed, a lot of high-tech people are introverted and may not excel in interviews.
Writing job descriptions that precisely define roles and positions.
Imprecision costs time and money, for companies and candidates. Companies need to be precise in terms of the skills they need for a specific role rather than vaguely listing capabilities that may or may not be useful. Each job description should accurately reflect what the job entails today — not what it entailed in the past.
There is a Better Way of Recruiting
As the demand for cybersecurity talent explodes and the supply dwindles, recruiters are realizing that the old ways of filling technical roles are limited, slow, and sometimes expensive. What is needed is a new way of recruiting — one that is precise, inexpensive, and, best of all, highly effective.
The core idea is that recruiters should use a virtual testing environment that enables them to validate and assess candidates’ cybersecurity skills as they perform hands-on exercises. For each position, this approach should allow a recruiter to create a specific evaluation module, choose challenges and assessments that match the job’s skills, and view key performance metrics and completion time. In this way, candidates’ performances can be quickly measured.
Ideally, this new recruiting solution should enable recruiters to assess a variety of skills and functions mapped to frameworks such as NIST/NICE and MITRE ATT&CK. In addition, NICE job descriptions should be incorporated into the solution — solving the challenge of writing precise job descriptions for most positions.
Challenges and assessments should include a wide range of threats, the enterprise security products used by the hiring company, and emulated IT infrastructure that mirrors real-world environments.
For maximum efficiency, this approach should cover the common topics and functions, including log analysis, addressing CVEs, IoT security, common TTPs, and the ever-changing threat landscape.
The benefits of the virtual testing approach to recruiting are clear. Recruiters can quickly and cost-effectively find the best people for the right roles, uncover high-potential talent and expand their pool of qualified candidates.
The challenges of recruiting the best cybersecurity personnel have never been tougher. With the labor market for cybersecurity pros being extremely tight, the old ways of recruiting are rife with weaknesses and biases, while the urgency to recruit people is intense, given the relentless and costly waves of cyberattacks.
Companies need a better way of recruiting — one that relies on a virtual testing approach that enables recruiters to validate and assess candidates’ cybersecurity skills via hands-on exercises.
Jeff Orloff is Vice President of Products and Technical Services at RangeForce, a cybersecurity training company. He has over ten years of experience in cybersecurity, computer and network security and system administration. Prior to RangeForce, he was Director of Product Management and UX at COFENSE, a company specializing in email security, phishing detection and response. He also served as Technology Coordinator for the Palm Beach County Florida School District.