Unless this is your first day working in cybersecurity, you’ve heard numerous times that we have a hiring crisis — there aren’t enough people to fill the need for security talent. Current projections show that we will have nearly 2 million job vacancies in the security sector by 2022. However, this is a problem of our own making. Fixing this will require changes to the way we hire, train, and retain security pros.

Expectations Don’t Align With Reality

When describing an ideal candidate, recruiters dream of someone with a college degree from a top 30 computer science program, multiple years of security experience, and an eagerness to move across the country to work for the lavish sum of $50,000 (£39,500) per year.

We all like to daydream. But making hiring decisions based on a fantasy turns what could be a 30-day hiring process into a six-month (or more) ordeal. Let’s dig into some of the reasons for the (imagined) hiring shortage:

  • Candidate pools are too shallow. Recruiters and hiring managers need to be more inclusive and more creative when seeking candidates. Currently, security teams are mostly male. Continuing to recruit the same way and in the same places may only expose your recruiters to candidates that mirror your current staff.
  • Candidates aren’t qualified. We’ve all seen those job postings where the requirements for a role are genuinely impossible to fulfill. While this is usually seen as humorous, it also embodies an industrywide problem of misunderstanding what skills make for a qualified candidate. Ultimately, this leads to many situations where candidates who could likely thrive in a specific position either don’t apply or aren’t considered.
  • Compensation is not competitive. For many employers, there is still the belief that IT and cybersecurity are one and the same and therefore must be budgeted similarly. When viewed this way, offered salaries ignore the growing demand for security skills and the value of a candidate’s experience. It should be no wonder that, under these expectations, employers are struggling to find qualified candidates.

Redefine How You Find And Retain Professionals

The inability to staff and maintain an effective security team is a critical risk because it prevents organizations from efficiently discovering, investigating, and addressing threats as they arise. Hiring managers should emphasize both finding talented individuals and fostering their professional development.

Unfortunately, this isn’t an easy fix. This approach will require more than just offering higher compensation and more flexible work schedules, although both practices would help. Employers will be set up for greater success if they place a greater emphasis on training talented, creative individuals who may not come with the specific skills a position requires, and if they offer current employees more opportunities to learn new skills and grow professionally.

For a deeper dive into strategies organizations can implement to find, retain, and augment talent, read the report “Reverse Cybersecurity’s Self-Inflicted Staffing Shortage” authored by Jeff Pollard, Chase Cunningham, and myself.

Join me at Forrester’s Security & Risk 2019 Forum this September, where I will be speaking about the myths behind the staffing shortage and how they can be combated by focusing on recruiting, diversity, and automation.

(Written with Benjamin Corey, research associate)