Cybersecurity jobs: This is what we're getting wrong when hiring – and here's how to fix it

From demanding qualifications that few people have to expecting years of experience in new disciplines, businesses are making mistakes when advertising jobs - and it's leaving IT security teams understaffed and exhausted.
Written by Danny Palmer, Senior Writer

Cybersecurity expertise is in high demand. Faced with threats like phishing, ransomware and data breaches, businesses need information security staff on their teams to help protect their networks from attacks. 

While the intention to build and improve cybersecurity teams is there, recent research demonstrates how businesses often make mistakes when hiring, leading to difficulties recruiting and retaining IT security staff.  

The number of unfilled vacancies doesn't just make it harder for businesses to keep networks secure – it also has an impact on the people already working on cybersecurity teams, who are expected to do everything necessary to maintain network security, but with just a fraction of the required personnel. 


That's leading to burnout, making it much harder for people to do their jobs at a time when a growing need to secure remote workers is adding to their workload. In some cases, burnout means people could walk away from the industry altogether when their skills are needed most. 

So why are organisations struggling to fill vacancies when there's a workforce available, at a time when hiring cybersecurity staff is arguably more important than ever before? Because businesses often don't understand what they're looking for, leading to mistakes when trying to hire. 

Job adverts outside of cybersecurity come with requirements for the role, including experience and qualifications. Human resources departments are taking those templates and applying them to information security, which often doesn't follow the same stringent requirements for qualifications.  

It's possible to be highly qualified and highly experienced in cybersecurity without formal qualifications, yet many businesses attempting to hire security staff see qualifications and certifications as a requirement. 

Alyssa Miller, a business information security officer and public speaker on cybersecurity, has done extensive research into hiring practices in the industry, as well as presenting a TED talk on the issue. She says almost three-quarters of entry-level job vacancies she looked at ask for a Certified Information Systems Security Professional (CISSP) certification, something which takes years of training, costs money to take an exam – and isn't realistic for someone looking for their first job in the industry. 

"Of the supposed entry-level job descriptions that I looked at, 71% of them call for a CISSP. That's not entry-level, because you have to have five years of experience to get a CISSP," says Miller. 

In some cases, companies are advertising to fill internship positions – something that in usual circumstances allows people to learn on the job while also helping the company. However, even when it comes to advertising for internships in cybersecurity, there are adverts that require an applicant to have five years of experience working in the field. People with years of professional experience are being asked to take jobs for little or even no pay. 

"If you have five years of experience in cybersecurity, you're not an intern anymore, you're an advanced professional at that point – do you think you're going to get a five-year veteran in cybersecurity for intern pay? No, of course not," says Miller. 


Cybersecurity involves a particular set of skills, which people have put in time and effort to learn. The nature of the industry means that, when it comes to skilling up, many information security professionals have ended up in the career path because of a keen interest in cybersecurity – and some are self-taught, showcasing the aptitude required to succeed, even if they don't have any specific certifications. 

That can be confusing for human resources departments, which are used to viewing and hiring applicants based on the candidate having certain qualifications that information security people might not have. Someone could have years of experience in the industry, but if HR doesn't see what they perceive as the correct qualifications, their application could be discarded, despite the hands-on experience. 

Cybersecurity, in short, is following the same pattern as other careers in computing and technology before it. "We went through all of that with software engineering 10 years ago and now cybersecurity is right at that point," says Adam Enbar, CEO and co-founder of Flatiron School, which teaches on-campus and online bootcamps in software engineering, data science and cybersecurity. 

"You have employers who are hiring but they don't really know what they're hiring for, and they don't even know what to look for." 

This doesn't just come down to expecting experienced professionals to work for little or nothing – some businesses simply have unrealistic expectations around what's required for the job. In addition to requiring certifications, it isn't uncommon to see job adverts asking for lengthy experience in disciplines that have only existed for a few years. 

"Job descriptions have got to get better. They need to be focused on the right things – they can't be asking for 10 years of Kubernetes experience when Kubernetes has only existed for six years. There are plenty of examples of those job descriptions out there that do silly things like that," says Miller. 

Then there's the issue of timing. Some companies will go on major hiring sprees in the aftermath of a major cybersecurity incident, or because they fear becoming the next victim of a massive data breach, ransomware campaign or other cyberattack. In this scenario, the hiring companies want instant results from cybersecurity professionals with years of experience in a security operations centre (SOC). 

"Most postings are written for people with five to 10 years of experience. This happens because employers often begin to invest and dedicate time to hiring cybersecurity professionals when they're facing a crisis – at which point, you don't want someone with minimal experience, you need someone with experience to come and clean up very fast," says Christine Izuakor, founder and CEO of Cyber Pop-up, a company that provides on-demand cybersecurity services, and a cybersecurity instructor for Udacity.  

A better strategy than attempting to panic-hire cybersecurity personnel following an incident would be to have them on staff to begin with – people who know the company well and can help prevent incidents from occurring in the first place, or can react in the right way if something goes wrong. 

"The solution is for organisations to be more proactive in finding these individuals to build a cybersecurity team, instead of just waiting for a cyberattack or other security crisis to happen. In doing so, employees have time to learn and grow into roles," says Izuakor. 

That's going to require a change in attitude around hiring. Companies can't just expect experienced cybersecurity professionals to materialise out of nowhere and accept working on an entry-level salary. Businesses need to accept they must begin hiring people at the very start of their careers. While they may have less experience, they can learn on the job and, if taken care of, can be a positive investment for an organisation – even if they don't have any technical qualifications to begin with. 


In her TED talk, Miller explains how someone like a barista could have the necessary skills to thrive in a cybersecurity career. They can do many different things at once while making and serving coffee, so what's to say they can't take that experience and use it in a security analyst role? 

"I'm looking for somebody who's really good at taking those multiple inputs, like a barista – they can take that myriad of things that comes at them, and synthesise that into tasks and then prioritise and execute on those tasks. That's what I ask a SOC analyst to do," she says. 

By expanding the search for cybersecurity staff in this way, organisations have a better chance of diversifying the workforce, which can help improve cybersecurity for everyone by bringing different viewpoints and considerations into the room, as well as being able to respond better to new threats and issues. 

"Organisations need to look at recruiting individuals who come from a variety of backgrounds, and can adapt to the growing threat landscape and new challenges. A versatile workforce will assist in battling any cyber threats and maturing current cyber capabilities," says Izuakor, who adds that investing in training these employees is also key.  

"Due to the pace at which technology is evolving, constant development of talent is critical. By implementing a robust training and upskilling program, individuals are given the opportunity to learn and progress in their own careers while organisations can get ahead of the growing competition in the industry by building up internal talent." 

Cybersecurity is a vital part of modern business, so businesses should invest in hiring the right people. Demanding five years of experience for an entry-level role isn't going to work, and neither is a tick-box exercise of demanding particular qualifications in an industry famous for people joining in unconventional ways, and where new threats mean new skill sets are always required. 

That means businesses need to think ahead when it comes to cybersecurity hiring. Recruitment isn't something to be done just to patch things up after an incident – it's a major part of running a business and should be treated as such. That's why hiring the right people and treating them with respect and care is necessary. Get it wrong, and your existing cybersecurity team could become burned out and walk away – and the only people who will benefit are cyber criminals. 
