
Skills Gap – Hiring When There’s No People

September 13, 2018

Where to find them. How to keep them. Alternatives to hiring.

While security automation and orchestration (SAO) is part of the solution to a robust and complete security program, do not forget that hackers are human, so it takes white hat humans to think like them. There is no way to take human hands out of the problem. But this creates another problem: finding the right people with the right cyber security skills during a much-lamented skills shortage.

Security staffing shortages are currently at approximately 747K (Momentum Cyber 2018 Almanac) and projected to hit 1.8 million by 2022 (Global Information Security Workforce Study).  

So how do you fix your own shortage? Change your mindset about candidates' backgrounds and education. Stop looking only for candidates who have computer science degrees. Just as some doctors do not have “traditional” undergraduate degrees, not all security candidates have typical backgrounds. In addition to computer science, target non-traditional, trainable majors such as accounting, finance, and even other technology majors. Critical thinkers don’t always come in the same wrapper.

Where to look for them? Have HR/recruiting develop all types of partnerships. 

When hiring, create a “test” to check interests and aptitudes.  

  • Focus on traits that are heavily valued and cannot be taught:  
    • Unbridled curiosity, puzzle lovers, strong ethics, and an understanding of risk 
    • Intellectual – Smart, but knows things change fast and willing to learn without ego 
    • Leadership experience 
    • Collaborator – Ability to work as part of a team 
    • Cool head – Ability to work under pressure and with short deadlines 
    • Planning and organizational skills 
    • Familiarity with safety and security 
    • Understanding of protocols and structures 
    • Good work habits – Personal initiative, high personal drive and pursuit of excellence 
    • Other advanced training that may be applicable 
    • Able to think like a “bad guy” 
    • Good communicator 

Then train them: on the job, through industry certifications, via online and community college courses, etc.

Once you find them, remember that recruiters call them every day. 

To keep them: 

  • Recognize that the reality is you have to pay them well to both get and retain them 
  • Monitor them and support them by offering mentors and shadow programs, and by exposing them to various technologies
  • Create an ongoing learning program (certifications) 
  • Get them out of the SOC/away from their desks (send them to conferences)  
  • Offer tuition payment up front - if they leave early, they pay it back  

The other alternative? Outsourcing. It is no secret that the talent shortage and the growing cyber threat landscape are accelerating the move toward vendors that deploy orchestration and automation tools. Managed security services partners specialize in providing the latest technology and the best people, and most offer robust reporting and recommendations. As experts, they keep abreast of new developments. The other pluses? You don’t have to look for talent, and you leverage a resource’s capabilities. Most allow you to customize the solution, and some offer free evaluations, so you know where you stand, where the gaps are, and what they recommend. Working with an expert solution architect who has “been there, done that” will provide a jump start for your organization. And finding the right internal hire(s) to manage a partner is less daunting than finding five analysts.

Any effective security program must include the right people. Despite the cyber security skills shortage, with a little creative thinking, some research and HR/recruiting support, you could discover a quiet pool of both present and future candidates or an MSSP that becomes the perfect partner.  

The E is for Efficiency whitepaper underscores the issues that must be addressed to build a more effective and complete security program. Finding the right solution for the skills gap is just one. Read about all of them here.
