Skills Gap – Hiring When There’s No People

By Optiv

Where to find them. How to keep them. Alternatives to hiring.

While part of the solution to a robust and complete security program is security automation and orchestration (SAO), do not forget that hackers are human, and it therefore takes white hat humans to think like them. There’s no way to remove human hands from the solution. But this creates the other problem: finding the right people with the right cyber security skills during a much-lamented skills shortage.  

Security staffing shortages are currently at approximately 747K (Momentum Cyber 2018 Almanac) and projected to hit 1.8 million by 2022 (Global Information Security Workforce Study).  


So how do you fix your own shortage? Change your mindset about candidates' backgrounds and education. Stop looking for candidates who only have computer science degrees. Just like some doctors do not have “traditional” undergraduate degrees, not all security candidates have typical backgrounds. In addition to computer science, target non-traditional trainable majors such as accounting, finance, even other technology majors. Critical thinkers don’t always come in the same wrapper.  

Where to look for them? Have HR/recruiting develop all types of partnerships. 

When hiring, create a “test” to check interests and aptitudes.  

  • Focus on traits that are heavily valued and cannot be taught:  
    • Unbridled curiosity, puzzle lovers, strong ethics, and an understanding of risk 
    • Intellectual – Smart, but knows things change fast and willing to learn without ego 
    • Leadership experience 
    • Collaborator – Ability to work as part of a team 
    • Cool head – Ability to work under pressure and with short deadlines 
    • Planning and organizational skills 
    • Familiarity with safety and security 
    • Understanding of protocols and structures 
    • Good work habits – Personal initiative, high personal drive and pursuit of excellence 
    • Other advanced training that may be applicable 
    • Able to think like a “bad guy” 
    • Good communicator 

Then train them: on the job, through industry certifications, via online and community college courses, etc.   

Once you find them, remember that recruiters call them every day. 

To keep them: 

  • Recognize that the reality is you have to pay them well to both get and retain them 
  • Monitor them and support them by offering mentors and shadow programs, and by exposing them to various technologies  
  • Create an ongoing learning program (certifications) 
  • Get them out of the SOC/away from their desks (send them to conferences)  
  • Offer tuition payment up front - if they leave early, they pay it back  

The other alternative? Outsourcing. It is no secret that the talent shortage and the increasing cyber threat landscape are accelerating the move toward finding vendors that deploy orchestration and automation tools. Managed security services partners specialize in providing the latest technology and the best people, and most offer robust reporting and recommendations. As experts, they keep abreast of new developments. The other pluses? You don’t have to look for talent, and you leverage a resource’s capabilities. Most allow you to customize the solution and some offer free evaluations, so you know where you stand, where the gaps are, and what they recommend. Working with an expert solution architect who has “been there, done that” will provide a jump start for your organization. And finding the right internal hire(s) to manage a partner is less daunting than finding five analysts.  

Any effective security program must include the right people. Despite the cyber security skills shortage, with a little creative thinking, some research and HR/recruiting support, you could discover a quiet pool of both present and future candidates or an MSSP that becomes the perfect partner.  

The E is for Efficiency whitepaper underscores the issues that must be addressed to build a more effective and complete security program. Finding the right solution for the skills gap is just one. Read about all of them here.