Recruiting Cybersecurity Professionals

by James G. Barr

Docid: 00021345

Publication Date: 1909

Report Type: TUTORIAL


The ability of public and private sector entities
to effect cybersecurity depends on their ability to recruit and retain skilled cybersecurity
professionals. While employment opportunities in many IT sectors are
few, cybersecurity professionals are in great demand and short supply.

Executive Summary

The demand for cybersecurity professionals – both in public and private
sector arenas – is escalating, especially as new cyber threat vectors emerge and
old ones evolve.

Not long ago, cybersecurity specialists focused on the commercial
consequences of cyber attacks: initially, the theft of credit card and other
personally identifiable information (PII), and the disruption of e-commerce sites through vehicles such as distributed denial of service (DDoS)
attacks. Soon after, the increasing sophistication of cyber attacks
enabled a new vulnerability: identity theft.

Today, cyber network exposures are exploited to:

  1. Conduct economic (industrial) espionage.
  2. Reveal evidence of alleged corporate or governmental wrongdoing
    ("hacktivism" or "hactivism").
  3. Extort money from citizens and companies via ransomware.
  4. Launch military-style missions in which state-sponsored cyber soldiers craft computer
    viruses capable of disabling critical infrastructure. For example, there is
    compelling evidence to suggest that both the US and Israel collaborated on the
    development and launch of the so-called Stuxnet worm, which was aimed at
    corrupting computers essential to Iran’s nuclear enrichment program.

The ability of public and private sector entities to effect cybersecurity
depends on their ability to recruit – and, just as importantly, retain – skilled
cybersecurity professionals. While employment opportunities in many
sectors are few, highly-qualified cybersecurity professionals are in great demand.

Unlike typical recruiting exercises where enterprise officials might scout
local colleges and universities for top talent, it’s not clear whether
just-graduated computer science majors have the expertise and experience to
battle top-of-the-line Chinese or Russian cyber warriors or block other
determined attackers. To find people with the appropriate skills, enterprise officials may have to
expand their "search pattern" to include:

  1. Reformed hackers
  2. Promising juveniles (persons under 18)
  3. "Ethical hackers" and other contract personnel

Once onboard, enterprise officials should expect to:

  1. Break salary and bonus guidelines (at least for the cyber superstars)
  2. Manage their cybersecurity staff with a "light touch" (remember, these
    are not traditional employees)
  3. "Trust, but verify" to ensure that individual staffers continue to work
    for the "home team" (rogue insiders represent the greatest threat to network reliability and integrity)

Recruiting Challenges

Recruiting Cybersecurity Professionals

The process of recruiting cybersecurity professionals poses a number
of challenges.

Competition – The demand for cybersecurity professionals is high, particularly those professionals capable of
detecting and deterring state-sponsored and other targeted attacks.

Education – Cybersecurity training is often off-target. Analysts William Crumpler and James Andrew Lewis
reveal that, "Many cybersecurity programs appear to be emphasizing cybersecurity
policy planning, compliance audits, and other skills which ultimately have less
impact on the security posture of an organization than the tasks enabled by a
deep technical background. One of the most consistent complaints against cybersecurity education programs
is that an over-emphasis on theory and book learning prevents students from
building the practical skills they need."1

Scouting – Colleges and universities, the
normal incubators of enterprise talent, may not provide the best source for
cybersecurity expertise. In many cases, self-taught hackers and other
denizens of cybersecurity’s "dark side" may make the best prospects – provided
they can be identified and persuaded to play defense instead of offense.

Qualification – Unlike physicians and
attorneys who undergo years of standardized training (and whose competence is
certified by recognized accrediting bodies), cybersecurity professionals may
have sparse credentials to present. Even a computer science degree may have
limited utility or relevance in a world in which new cyber threats are emerging

Hiring – Governmental hiring practices,
particularly at the federal level, are frequently protracted, with the result that
highly-sought-after job candidates are often unwilling to wait until security
clearances and other pre-employment administrative requirements are satisfied.

Salaries – Highly-qualified cybersecurity professionals are like free agent athletes. They have exceptional
skills for which they expect exceptional compensation. Salaries at private
sector companies and public sector agencies are often tightly prescribed. Getting management to "break the bank," even for a cyber superstar, may be
difficult, if not impossible.

Retaining Cybersecurity Professionals

As with recruiting, the process of retaining cybersecurity
professionals offers a number of obstacles.

Education – Cybersecurity professionals
often request – and require – continuing cyber education, such as learning
how to combat the cyber threats to new technologies like edge computing. Hiring a committed cyber professional means establishing the equivalent of a
cyber university. While creating a continuing education infrastructure may
be expensive, it’s cheaper than recruiting new professionals.

Bonuses – Apart from providing an
attractive salary, cybersecurity professionals should be eligible for special
performance bonuses or "bounties". Such bonuses or bounties would be paid on the
occasion of preventing a serious cyber attack or developing new techniques
designed to render networks less susceptible to attack.

View of Recruiting

Job Statistics

Analysts William Crumpler and James Andrew Lewis report that, "According to CyberSeek, an initiative funded by the
National Initiative for Cybersecurity Education (NICE), the US faced
a shortfall of almost 314,000 cybersecurity professionals as of January 2019."2

Frost & Sullivan predicts that by 2022, the global cybersecurity workforce shortage
will reach upwards of 1.8 million.3

Cyber 9/11

Just as 9/11 galvanized a nation in its commitment to fight terrorism,
many cybersecurity analysts are convinced that the US and other industrialized
nations will not take cybersecurity seriously until an event of equal magnitude
occurs, such as Iran or another rogue state launching a virus that disables the
emerging US "Smart Grid."

Private Sector

While the federal government’s approach to recruiting, retaining, and
training cybersecurity personnel – its so-called "workplace
planning practices" – demonstrates a
commitment to enhanced cybersecurity, the private sector is not similarly

Since, by some estimates, 85 percent of the nation’s critical infrastructure
is owned or operated by private sector interests, the enterprise approach to
cybersecurity and cybersecurity staffing should be of crucial concern to both private
and public sector leaders.

The dynamics affecting private sector cybersecurity recruitment are complex
and, in some instances, disturbing. While corporate America recognizes its
responsibility to protect enterprise information and information systems from
cyber attacks, the trend toward delegating that duty to third parties, often
with limited enterprise oversight, is

The shift from real to virtual organizations began with outsourcing more than
a decade ago and has evolved to cloud computing in which enterprise
customers entrust their information resources to off-premise data centers
run by Amazon, Google, IBM, Rackspace, and others. The effect, of course,
is to relegate various aspects of information security, including cybersecurity, to these external entities – some of which may have secret data
sharing agreements with intelligence services like the US National Security
Agency (NSA).

Even when data center operations are
not outsourced, an increasing number of enterprise IT departments are
outsourcing their security functions to managed security services providers (MSSPs).
Many of these engagements are justified based on the difficulty of recruiting
and retaining cybersecurity professionals.

Recruiting Outlook

Industry Challenge

Absent a major cybersecurity incident – a cyber 9/11 – many cybersecurity
analysts believe the surest way to produce a generation of cybersecurity
professionals is to challenge government and industry in the same manner John F.
Kennedy did when he declared in 1961 that America would land a man on the moon
within the decade.

Given the level of anger and fatigue induced by decades of cyber attacks,
America and other industrialized nations may be ready for such a bold – and
essential – commitment.

Farm System

In the long term, there is growing consensus that the solution to cybersecurity staffing problems is the development of a baseball-style farm system,
where, to continue the metaphor, "hot prospects" are identified at an early age
and carefully nurtured until they’re ready for "the show" – in this case, an
enterprise IT department or agency cyber unit.

To increase the overall pool of cybersecurity prospects, high schoolers and
first-year college students should be encouraged – for the nation’s sake and
their own – to pursue cybersecurity as a profession.

NICE Framework

The National Initiative for Cybersecurity Education (NICE), led by the
National Institute of Standards and Technology (NIST), is a partnership
between government, academia, and the private sector focused on
cybersecurity education, training, and workforce development.

The mission
of NICE is to create and promote an ecosystem of cybersecurity education,
training, and workforce development. After years of refinement, in August
2017, NICE announced the latest release of the NICE Cybersecurity Workforce
Framework, known as Special Publication 800-181.

Education Exemplars

Analysts William Crumpler and James Andrew Lewis report that based on
their "research and discussions with leading cybersecurity practitioners, there
were several cybersecurity education and training programs that were repeatedly
identified as examples of how to organize and structure workforce development
efforts to align with the needs of employers."

Two prominent examples are:

  • The UK Cyber Retraining Academy, "an effort by the UK government
    to provide an opportunity for those with high natural aptitude, but no
    formal cyber background, to undergo an intensive 10-week program that
    prepares them to transition into cybersecurity careers;" and
  • The National Centers of Academic Excellence program, "a US government
    program that focuses on improving cybersecurity education in the United States
    by encouraging colleges with cybersecurity degrees to meet a set of academic
    standards developed by experts at the [National Security Agency (NSA) and
    Department of Homeland Security (DHS)]."4

Women & Minorities

Women and minorities are underrepresented in the cybersecurity community,
contributing to the shortfall in trained professionals. Fortunately, there are
multiple organizations dedicated to resolving this imbalance. These include:

  • The National Center for Women & Information Technology (NCWIT) – This
    non-profit community comprises more than 1,100 prominent corporations,
    academic institutions, government agencies, and non-profits working to
    increase women’s participation in technology and computing. NCWIT helps
    organizations recruit, retain, and advance women from K-12 and higher
    education through industry and entrepreneurial careers.
  • The Center for Women in Technology at the University of Maryland –
    Baltimore County (UMBC) – This center was established in July 1998 and is
    dedicated to providing global leadership in achieving women’s full
    participation in all aspects of IT.
  • The Center for Minorities and People with Disabilities in Information
    Technology (CMD-IT) – This center focuses on the following underrepresented
    groups: African Americans, Native Americans, Hispanics, Pacific Islanders,
    and People with Disabilities. The center comprises corporations, academic
    institutions, government agencies, and non-profits. The CMD-IT mission is to
    ensure that underrepresented groups are fully engaged in computing and
    information
  • The Women in Cybersecurity (WiCyS) – The mission of Women in CyberSecurity
    is to broaden participation in cyber by recruiting, retaining, and advancing
    women in the field of cybersecurity, and improve on the very low 11 percent
    participation
  • The Women’s Society of Cyberjutsu (WSC) is a 501(c)3 non-profit passionate
    about helping and empowering women to succeed in the Cybersecurity field.

Never-Ending Search

In this most volatile of professions, the search
for cybersecurity talent never ends, as restless employees are ever aware of new
opportunities. According to research by (ISC)2, the world’s
largest membership association of certified cybersecurity professionals, "Only 15
percent of cybersecurity professionals have ‘no plans’ to leave their current employment. This group comprises mostly mid-career professionals who are content with their pay and work in smaller organizations where their opinions are heard."5


To recruit and retain cybersecurity professionals:

Create Carefully-Composed Job Descriptions

The (ISC)2 states that, "Cybersecurity professionals get their cues about whether an employer suits them from things like the job description and whether the role for which they’re being recruited is clearly defined.

"Writing job descriptions to match required skills increases an employer’s chances of finding the right candidate. Not all candidates can deliver every skill, so avoid using a
‘kitchen sink’ approach in job descriptions. It’s a turn-off to seasoned jobseekers. The key takeaway for employers is to recognize that they must be realistic about what a single candidate can bring to the table and be smart about building a well-rounded cybersecurity team
across skillsets and disciplines."6

Cast a Wide Net

As reported by Tim Greene in Network World, Devin Bryan, CISO of the
Federal Reserve System, suggests looking for bright, capable people with an
aptitude for cybersecurity, and then training them, adding that one should not
assume that the best candidate will come from the outside. As for
pre-screening, be careful not to dismiss an applicant too quickly. Mark
Aiello, president of Cyber 360, a cybersecurity staffing firm, says HR should be
instructed to schedule interviews with everyone who meets broad qualifications.7

Consider Hacker Candidates

In addition to interviewing local college grads and other
"conventional" applicants, recruit from the hacker community.

Offer Super-Sized Salaries

Like other professionals possessing highly specialized skills, cybersecurity professionals want to receive a salary commensurate with their
value – value being measured in terms of cyber incidents avoided or
mitigated. As an extra incentive, offer a signing bonus.

Offer Other Perks

Permit cybersecurity professionals to work from home (assuming their
effectiveness is not impaired). Provide them with state-of-the-art
equipment, including forensic facilities. Importantly, provide
bonuses for referring other cybersecurity professionals.

Offer Continuing Education

As suggested by the Disaster Resource Guide, "Make … cybersecurity
jobs more enticing by offering individuals the ability to improve their
skills, and the potential to grow within the ranks of the

Rotate New Hires Through Cybersecurity

As reported by Tim Greene in Network World,
"EMC rotates recent graduates hired at the company through three-month cycles in
different areas to find out whether a programmer, for example, might have an
interest in incident response."9

Expedite the Hiring Process

Cutting the time from candidate interview to employee orientation is critical
when pursuing in-demand cybersecurity professionals. Bureaucracy is a
major impediment to hiring first choice candidates – especially for federal

Appeal to Patriotic Instincts

In response to the November 2015 terrorist attacks in Paris, the hacktivist
group Anonymous promised to punish the perpetrators. ISIS (or ISIL)
has claimed responsibility for the attacks. "To defend our values and our freedom, we are
tracking down members of the terrorist group responsible for these attacks. We
will not give up. We will not forgive. And we will do all that is necessary to
end their actions."10

While cybersecurity officials – both public and private – may be reticent to
endorse the actions of renegade hackers, they should note that Anonymous was
motivated by patriotism, and exhort young IT professionals to become
cybersecurity specialists as a means of serving their fellow citizens.

Sell Your Organization As the Place to Be

Analyst William Chalk reminds recruiters that, "In a saturated job market, you need to make sure your company or client
stands out as an employer of choice for cybersecurity workers. This might
involve emphasizing specific tools or new technologies being used, explaining
how the team has solved a particular security problem, or discussing how
emerging security technologies are being integrated into the organization’s
operations. If the company’s security team is in its infancy, pitch the
challenge of building a system from the ground up."11

Rely, If Necessary, On Security Contractors

Hiring an under-skilled or under-motivated cybersecurity professional
is much worse than hiring no one at all. If necessary, seek cybersecurity professionals through reputable temporary staffing firms.

Taking the contracting route has a number of advantages:

  • Contract Personnel Are Proficient in the
    Latest Cyber Techniques
    – While full-time employees can become stale
    technically, contractors are highly motivated to keep up with the latest
    cyber threats and cyber defenses; it increases their marketability.
  • Try Before You Buy – Ineffective cyber
    professionals can be dismissed, often with little or no notice.
  • Contract to Hire – Most staffing firms allow their customers to
    hire their contractors on a permanent basis. Thus, excellent
    contractors can be converted to full-time employees.


1 William Crumpler and James Andrew Lewis. "The
Cybersecurity Workforce Gap." Center for Strategic & International Studies.
January 29, 2019.

2 Ibid.

3 Ibid.

4 Ibid.

5 "Hiring and Retaining Top Cybersecurity
Talent." (ISC)2 Inc. 2018:3.

6 Ibid. p.10.

7 Tim Greene. “There’s a War on for Cybersecurity Talent.” CXO Media, Inc.
November 9, 2016.

8 "11 Recommendations for a Safer Tomorrow." Disaster Resource. 2012.

9 Tim Greene. “There’s a War on for Cybersecurity Talent.” CXO Media, Inc.
November 9, 2016.

10 Anne Barker. "Paris Attacks: How ‘Hacktivist’ Group Anonymous Plans to Wage Online War to Disrupt Islamic State." ABC. November 18, 2015.

11 William Chalk. "5 Tips for Recruiting Cybersecurity Talent.",
Inc. December 18, 2018.

About the Author

James G. Barr is a leading business continuity analyst
and business writer with more than 30 years’ IT experience. A member of
"Who’s Who in Finance and Industry," Mr. Barr has designed,
developed, and deployed business continuity plans for a number of Fortune 500
firms. He is the author of several books, including How to Succeed in
Business BY Really Trying, a member of Faulkner’s Advisory Panel, and a
senior editor for Faulkner’s Security Management Practices. Mr.
Barr can be reached via e-mail at
