CyberSecurity Recruitment Mistakes by HR & Businesses - Despite Skill Shortages - How to Solve
Most businesses are making mistakes when hiring talent for cybersecurity and information security roles, despite the extreme talent shortage: the reasons, and how to fix them.


Five years of experience for an entry-level job; ten years of experience in software that was released just seven years ago; asking for certifications that themselves require a minimum of seven years of experience for an entry-level position; hiring only engineering graduates; excluding candidates with several years of experience because they lack the latest cyber certification or a college degree. The list of blunders committed by hiring decision-makers and by job descriptions for cybersecurity roles is long, regardless of whether companies are hiring in Asia, the USA, or Europe.

According to a study, cybersecurity jobs are taking longer to fill: 20% longer than typical IT roles. On average, IT jobs take 41 days to fill, but cybersecurity roles take 50 days.

There will be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014. There are 300,000 open cybersecurity jobs on LinkedIn as of writing this article, yet many individuals are struggling to get a job in the infosec domain despite experience, certifications, degrees, or all of them. Only 12% of the infosec market is open to candidates with zero to one year of experience.

ISACA’s 2020 State of Cybersecurity survey report, unveiled at RSA Conference 2020,
In the 2007 movie Ratatouille, Chef Gusteau's famous motto was "Anyone can cook", which the character Anton Ego later explained as: "Not everyone can become a great artist, but a great artist can come from anywhere."

I can't recommend anything else as a catchphrase for recruiters to keep in mind when hiring for cybersecurity roles. Because when it comes to cybersecurity recruitment, businesses and recruitment teams need to think differently compared to recruitment for other IT roles.

The truth is that some of today's most brilliant, insightful, and talented computer security specialists, as well as famous and infamous hackers, possess no computer-related certifications. Many of them never attended college or earned a university degree. They got into security because they were passionate about the subject and wanted to learn everything they could about it, mostly by reading and practicing.

More than 80% of ethical hackers are self-taught. Less than 6% of hackers actually learned hacking skills in a classroom, even though 33.3% of hackers have an undergraduate degree in computing and 23.3% studied computer science in high school or earlier. And yet people are pouring more investment into certifications instead of training.

Finding cybersecurity staff with the right skillsets continues to be difficult. Only 27% say that recent graduates in cybersecurity are well-prepared.

Cybersecurity recruiters also noted the top five skills gaps as:

Soft skills (32%), IT knowledge and skill gaps (30%), Insufficient business insight (16%), Cybersecurity technical experience (13%), and Insufficient hands-on training (10%).

See how strange that is; the industry is not after the highly experienced, it's struggling to find and fill even entry-level and mid-level positions.

Once teams achieve the difficult task of finding the right professionals, they then struggle to retain them, with 66% saying it’s difficult to retain cybersecurity talent.

Cybersecurity HR teams cite the main reasons for staff leaving as:

  • Recruitment by other companies (59%)
  • Limited promotion and development opportunities (50%)
  • Poor financial incentives (50%)
  • High work stress levels (40%, a 10-percentage-point increase from the year prior)
  • Lack of management support (39%)

56% of poll respondents possessing a CISSP thought it was good for job hunting and acquiring cybersecurity skills. Except for the CISSP, cybersecurity workers are ambivalent about other industry qualifications. This suggests that security certifications should be supported for specific positions and responsibilities, but not for overall career and skill development.

So let's look at the reasons companies are struggling to find the right talent.

1. Information Security Job Description blunders

There is a talent shortage in the cybersecurity industry; industry groups and governments worldwide acknowledge it. Nonetheless, there are countless job seekers with cybersecurity certificates. Something must be wrong with this picture.

The majority of businesses are demanding credentials that few people possess and years of expertise in disciplines that are still new. Corporations are making missteps when advertising cybersecurity jobs, resulting in understaffed and tired IT and security teams. These frequent hiring blunders make it even more difficult to hire and retain information security professionals.

A report from the Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG) found that organisations are committing common errors in hiring and recruiting cybersecurity professionals.

The results were consistent across geographies, and they revealed that even organisations with an above-average level of sophistication are making mistakes in their efforts to fill the cybersecurity workforce. Over 70% of respondents reported that it was very difficult to find and hire cybersecurity professionals, yet nearly 40% admitted that their organisation offers below-average compensation, 29% said that their HR department doesn't understand the cybersecurity skills that are needed, and 25% said that their company's job postings are unrealistic. The security professionals in the study reported being solicited by recruiters nearly every month.

Therefore, why are organisations having difficulty filling openings if the workforce is available? Because they frequently do not understand what they are seeking, which results in hiring errors.

Human resources departments are using job advertisements with job requirements, experience, and qualifications that are modelled after other IT job roles. Such an adaptation is unfit for information security, which frequently does not adhere to the same set of criteria. That cybersecurity job description you're reading was probably copied and pasted from another job description.

While it is possible to be skilled and experienced in cybersecurity without formal credentials, many organisations looking to hire security specialists see advanced degree credentials and certificates as a requirement, even at the cost of neglecting relevant work experience.

What's worse, the majority of C-level security executives claim that several students with such cybersecurity certifications from newly established training institutions are not employable without extra training.

Alyssa Miller says more than 70% of entry-level job postings she reviewed asked for Certified Information Systems Security Professional (CISSP) certification, which requires years of training and money to sit for an exam, and is therefore unattainable for someone seeking their first job in the business. "Of the alleged entry-level job postings I examined, 71% require a CISSP. That is not an entry-level position, as a CISSP requires five years of expertise." Listen to Alyssa's TEDx Talk about the need for employers to write better cybersecurity job ads.

Cybersecurity involves a particular set of skills, which require time and effort to learn. The nature of the industry means that, when it comes to upskilling, many information security professionals have ended up on this career path because of a keen interest in cybersecurity. Some are self-taught, showcasing the aptitude required to succeed even though they don't hold any specific certifications.

That can be confusing for HR departments, who are used to viewing and hiring applicants based on the candidate holding certain qualifications that information security people might not have. Someone could have years of experience in the industry, but if HR doesn't see what they perceive as the correct qualifications, the application could be discarded despite the hands-on experience.

Human resources and talent managers could consider supporting their organization's critical cybersecurity needs by implementing programs similar to those offered by the National Security Agency (NSA), which runs paid developmental programs to attract and retain employees and keep their skills current.

ISSA points out that organizations should be made aware of the following alarming statistics highlighted in their survey:

  • 29% of respondents said the security team’s relationship with HR is fair or poor.
  • 28% said the relationship with line-of-business managers is fair or poor.
  • 27% of respondents said that the relationship with the board of directors is fair or poor.

Top ramifications of the skills shortage include an increased workload for the cybersecurity team (62%), unfilled open job requisitions (38%) and high burnout among staff (38%), leading to resignations. Further, 95% of respondents state that the cybersecurity skills shortage and its associated impacts have not improved over the past few years, and 44% say it has only gotten worse.

2. The curse of Automated HR and Recruitment software

Automated recruiting and resume screening techniques eliminate an overwhelming number of potential employees. Companies routinely utilise Applicant Tracking Systems (ATS) to manage job applications and Recruiting Management/Marketing Systems (RMS) to assist and automate the work of recruiters. Over 90% of businesses asked in a study indicated that they use RMS to screen or rank prospective middle- or high-skilled applicants.

A Harvard-Accenture study suggests that automated hiring systems are bad for the recruitment of skills that are in short supply.

The study demonstrates that corporate apathy toward job training programmes, upskilling and automated recruitment processes that overlook potential hires are significant contributors to talent shortages in any role. Consider the magnitude of the impact on a new field such as cybersecurity.

ATS algorithms inefficiently use certain data points—for example, treating a college degree as a proxy for the desired trait, or automatically rejecting potential workers based on a gap in employment, narrowing the application pool unnecessarily.

As a result, these systems disqualify promising applicants whose resumes do not meet the criteria but who may do well with additional training. The study discovered that 88% of businesses feel that qualified high-skilled individuals are screened out of the process if they do not meet the job description's specific criteria. This figure increased to 94% in the case of middle-skilled individuals.

Did you know that if you use tables to lay out your resume/CV in Word or PDF, automated application systems will fail to read and extract the complete data, and will therefore reject your profile automatically even if you are qualified?

A recruiter spends less than 10 seconds reviewing a resume. In India, it is common for employers to discriminate against potential employees solely on the basis of which college they graduated from, in the job description itself. The introduction of automated application-processing technologies aggravates the situation by filtering out many qualified individuals.

In India, entry-level cybersecurity recruitment often runs like this: Engineering degree? (if yes, proceed) -> CEH, CySA or CCNA certification? (if yes to any one, proceed) -> Work experience? (if yes, proceed) -> interview.

Hence the issue: degrees and certifications are often considered first and equated with knowledge, instead of being treated as an endorsement of the person's ability to understand cybersecurity concepts when recruiting for an entry-level job, even when the candidate already has experience.

3. Cybersecurity is viewed as an IT issue and cost rather than a Business need.

Most businesses consider cybersecurity a technical or compliance issue rather than a business one, because it requires money but does not benefit the bottom line, even though a data leak can be terrible for the brand.

Take the case of compliance regimes such as PCI, ISO and ISMS, where companies often resort to ticking checklists in order to adhere to the compliance mandate.

The shift of software development to DevOps has made it easier to improve cybersecurity in the development phase itself through SecDevOps; this not only brings down the cost of security but also makes it easier to release new product versions faster, with fewer bugs and security loopholes. Despite that advantage, many companies are yet to treat cybersecurity as a business benefit.

Cautious estimates suggest one vulnerability per 1,000 lines of code, yet most startups and SaaS firms have no dedicated budget or resources for cybersecurity. With zero cybersecurity personnel, a data leak will cost a startup more than cybersecurity testing would have.

Most products are released with an average of 28% of vulnerabilities unfixed. 86% of developers hesitate or refuse to invest in application security because they say it affects their productivity and on-time code releases. Very serious or critical vulnerabilities can take as much as 250 days to fix, which is a concern because data breaches and their costs increased 17% in 2021.

4. The Gender Pay Gap

According to findings from (ISC)2, women in the cybersecurity industry are paid significantly less than men: an average of 21% less globally. In an industry with such an acute shortage of skilled professionals, this gender pay gap and the need for parity are particularly urgent. In India, most companies refuse to even hire women for certain roles.

According to the 2020 (ISC)2 Cybersecurity Workforce Study, gender disparities persist around the globe. The highest percentage of women cybersecurity professionals is in Latin America, with 40%, while in North America the figure is just 21%. The results in Europe and Asia-Pacific are 23% and 30% respectively.

Law of Supply and Demand: Fewer candidates means better pay.

That often doesn't seem to be the case everywhere: infosec employees frequently complain that they are overworked and underpaid for the amount of stress they take on.


Yet many forecasts show that in India women will make up only around 11% of cybersecurity roles even in 2025.

Research done by Girls Who Code showed that although 74% of middle-school girls express interest in STEM subjects, only 0.4% of high-school girls choose to major in computer science. You don't need to be a code monkey to excel in cybersecurity. Somehow the cliche of the hooded hacker as a lone wolf in a dark room is deterring women from looking at cybersecurity as an ideal career path.

But what's even more worrisome is that women are also paid less for the same cybersecurity roles. Most women cybersecurity leaders share experiences of being affected by sexism in the industry.

Symantec has instituted a long-term plan for recruiting and retaining employees, designed to increase the number of women in its workforce. One of these policies involves calling candidates before the screening test and monitoring their progress to ensure that their performance is not unduly influenced by stress.

This is but one example of how the cybersecurity industry can rethink the way recruitment and hiring is conducted in order to introduce more women into the fold. Female infosec professionals bring with them their own diversity of thought that can bring new perspectives and skills to the table — but to take advantage, employers may want to consider changing what qualifications they look for, how they write job descriptions, how they interview and test potential talent, and more. Further reading is available here

Singapore is giving 10 awards to female cybersecurity professionals through the Women on Cyber Singapore Scholarship. Five of these scholarships will be awarded to the top performers of the 3rd edition of the CTF for Girls competition, held on 11-12 September 2021. The awards aim to build a platform to showcase emerging offensive security professionals in Singapore, those who are not afraid to break boundaries and who thrive, with courage, hard work and determination, in a male-dominated industry. Registration is open here:

Unconscious biases

Sabna Sainudeen, president of Women in Cybersecurity (WiCyS) India and defence leader at Schneider Electric, says gender bias is a key issue.

Yvette Lejins, chief information security officer (CISO) at cyber security firm Proofpoint, noted that:
"I've got hundreds of different stories of how biases come through. I've sat in vendor meetings, with budget to buy a product with my team, and the vendor – always male – comes in and talks to my male employees, even though I am the decision maker."

Scroll down to point 8: analysis of the ideal character profiles of cybersecurity personnel clearly shows that those characteristics are more evident in women than in men, yet infosec still does not attract or retain enough women.

5. Cybersecurity Tech Budgets are growing, but not at the same rate for Talent

Microsoft President Brad Smith, in a CNBC interview, explained the Catch-22 situation in the cyber arms race: increased spending in recent years by public and private enterprises hasn't resulted in better protection against criminal hackers. At the same time, global cybersecurity spending is predicted to exceed $1 trillion cumulatively from 2017 to 2021.

Bank of America CEO Brian Moynihan mentioned in June 2021 that his bank's cybersecurity budget now stands at $1 billion USD, compared to $400 million in 2015.

Most of the money that banks spend on cybersecurity is on talent, which makes it harder for everyone else to find qualified cybersecurity teams.

Unfortunately, spending on cybersecurity products did not (and does not) necessarily correlate with a higher level of protection, according to findings from McKinsey & Co (Exhibit 1, pg. 11). Gartner projected that in 2020 roughly $123.8 billion would be spent on security for applications, networks, the cloud and infrastructure protection, most of which will be under-utilized without suitably experienced staff to run it.

Technology is only one part of the solution. Technology moves fast, but hackers move faster.

The shortage of workers skilled in cybersecurity has led to a situation in which companies are paying for products that in many cases they aren't even using. Yet cybersecurity IT spending on products and tools keeps going up.

In 2004, the global cybersecurity market was worth $3.5 billion, and in 2017 it was expected to be worth more than $120 billion. The cybersecurity market grew by roughly 35x over those 13 years, entering the most recent prediction cycles.

Cybersecurity Ventures predicts that global spending on cybersecurity products and services will exceed $1 trillion cumulatively over the five years from 2017 to 2021.

Worldwide spending on information security (a subset of the broader cybersecurity market) products and services exceeded $114 billion in 2018, an increase of 12.4 per cent from 2017, according to Gartner, Inc. For 2019, they forecast the market to grow to $124 billion, and to $170.4 billion in 2022.

6. Zero Cybersecurity Awareness and Upskilling Investments.

Cybersecurity training is still being neglected by many employers. Enhancing cybersecurity skills for the entire workforce is a must for cyber-resilience.

There is a difference between cybersecurity awareness and cybersecurity vigilance; both are required to attain a state of cyber-resilience.

While most information security training programmes teach the do's and don'ts of cybersecurity and increase user awareness of the risks, they do not guarantee that employees will continuously apply what they've learned in their working day after the training ends. That requires maintaining a state of cyber vigilance.

The distinction is that awareness is recognising the possibility of a cyberattack, whereas vigilance is anticipating one and acting swiftly and responsibly when it occurs.

People and training are critical in this case: technology advances rapidly and the methods cybercriminals use to break into networks constantly evolve, so it's critical for organisations to invest not only in hiring the right people but also in training them so they can continue to do their jobs while reacting to new threats and dealing with new forms of technology.

A study of 300 IT professionals in the UK by ManageEngine found that 67% of organisations raised employee awareness around security threats, while 66% provided cybersecurity training.

Despite this, 76% of all IT purchases are being made without direct approval from IT teams. Only 47% adapted their company's security strategy by introducing new solutions or configuring existing ones. Furthermore, only 42% monitor employee devices.

With cyberattacks increasing dramatically after the pandemic, TalentLMS and Kenna Security teamed up to gauge employees' awareness and knowledge of cybersecurity risks.

[Image: cybersecurity awareness investment by companies]

There is another side to this coin. Cybersecurity leaders and recruiters have their own set of complaints.

1. Cybersecurity Training & Certifications Produce Overconfident Candidates without Practical Knowledge: the Dunning-Kruger effect

Do Employers Prefer Cyber Degrees or Cyber Skills?

"Employers report that student cybersecurity preparation is largely inadequate and are frustrated that they have to spend months searching before they find qualified entry-level employees if any can be found," said Alan Paller, director of research at the SANS Institute.

Global hiring experts declare huge shortages of cybersecurity professionals, yet many qualified people are still having a hard time finding a job or even getting an interview?

According to CyberSeek, only 19% of entry-level positions in infosec do not require a Bachelor's degree. According to Rasmussen College's 2019 Cybersecurity Job Report, only 14% of cybersecurity positions are open to candidates without a Bachelor's degree.

Many cybersecurity training programmes by private institutions fail to satisfy the actual requirements of organisations, resulting in graduates who cannot be deployed without further company training.

The issue is a simple one: companies want to hire quickly, but traditional schooling can't keep up. A Bachelor's degree takes three or four years to complete, and an MS two more. HR managers are then forced to choose between onboarding only degree holders or those who are self-trained.

Triplebyte research found that self-taught, bootcamp and university graduates can all perform well; however, college degree holders outperformed bootcamp graduates in tasks requiring theoretical knowledge.

Companies like IBM Security, Cisco, JP Morgan Chase and Slack say that security bootcamps establish "a real world software development environment," and they are willing to hire graduates from reputable cybersecurity coding bootcamps even if they do not have a graduate degree in engineering. According to a Course Report study, a large percentage of bootcamp graduates are employed in the field.

This is strange because the same organisations and many like them refuse to hire skilled candidates without an engineering degree outside the US, especially in markets like India, citing several issues ranging from lack of theoretical knowledge to inadequate soft skills among others.


Relevant job experience, sophisticated security ideas and cybersecurity certifications are the top three priorities for HR managers seeking security talent, according to a research study by the International Information System Security Certification Consortium.

While 59% of all cybersecurity jobs require at least one certification, the industry average is only 20%. This allows entry-level employees to gain valuable skills and certificates quickly. Skills can be verified by qualifications like Security+ or CEH, not the other way around.

2. Not all Cybersecurity Graduates or Information Security Certificate Holders are equal or Readily Employable.

Cybersecurity really isn't an entry-level field: you should have at least minimal coding, DevOps, network or admin experience or talent before investing in any kind of #cybersecurity certification.

In previous firms, several cyber certificate holders we had interviewed did not meet the standard expected from these qualifications, which surprised me and my colleagues.

The SANS Institute surveyed over 500 cybersecurity professionals from 284 firms to find out what talents they value in recruits and what skills they frequently lack. The survey asked respondents to rank various skills from "critical" to "not needed".

Networking was ranked as crucial or "very important" by 85%, followed by knowledge of Linux (77%), Windows (73%), common exploitation techniques (73%), computer architectures and virtualization (67%), and data and cryptography (58%).

The results are shocking.

[Image: cybersecurity and lack of expertise areas by existing employees]

Alan Paller, director of research at the SANS Institute, recommends identifying the talents that companies expected but didn't find in cybersecurity grads as a good place to start closing the cybersecurity skills gap.

The top 5 skill gaps cited against cybersecurity graduates are:

  • Soft skills (32%)
  • IT knowledge and skills gaps (30%)
  • Insufficient business insight (16%)
  • Cybersecurity technical experience (13%)
  • Insufficient hands-on training (10%)

In a study by the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG), 56% of poll respondents possessed a CISSP and thought it was good for job hunting and acquiring cybersecurity skills. Except for the CISSP, cybersecurity workers are ambivalent about other industry qualifications. This research suggests that security certifications should be supported for specific positions and responsibilities, but not for overall career and skill development.

The most acute technical skills shortages identified are:

  • Cloud computing security (33%)
  • Application security (32%)
  • Security analysis and investigations (30%)

If you have passed certifications, at least start participating in bug-bounty programmes to gain practical experience from real-world scenarios. A cyber certification alone will not get you a job. Being able to program in languages like Go, Java, Perl, Python, C or Ruby may or may not be at the top of the list of skills demanded, but knowing how to program in one or more of these languages will make you a more appealing hire and allow you to expand your knowledge and proficiency.

Dan Lohrmann, CISO at SecurityMentor, explains in his blog why many qualified applicants with cybersecurity qualifications and degrees are unemployed despite the alleged high need for talent.

Here is a partial list of reasons, according to his personal experience:

  1. People are living or looking in the wrong places. They want a local job and do not want to move.
  2. The pay scale is too low for their (perceived) skills.
  3. Lack of experience – at least on their resume.
  4. Timing. Or, that "perfect job" was just filled - after you learned about it yesterday.
  5. Limiting their “desired” role or companies/governments considered.
  6. Insistence on remote work. While this is easier during the pandemic, some people want 100% remote without travel, which can limit options.
  7. Company discrimination against older worker applicants. Yes, I agree with my colleagues that this is alive and well in 2020. Other forms of discrimination exist as well, such as race and gender. From personal experience, I have seen that women are not preferred in most companies for roles in the Security Operations Centre (SOC).
  8. Lack of professional networking – especially true during Covid-19. They don't have personal connections and have a hard time meeting the right people who are hiring or can help them find the right job. Many potential job seekers I have come across do not even have a LinkedIn profile or a professional-looking resume.
  9. Attitude, character, work ethic, humility, etc. For more on this topic, see Dan's blog for further interesting insights.

3. Larger Organisations use Startups and SMBs as Recruiting grounds for Personnel they've spent Time and Money educating.

Startups and small firms are often concerned about the exodus of experienced candidates to bigger companies, for better pay, once they have gained experience. Essentially, smaller companies become the training grounds for fresh graduates, which benefits the bigger organisations.

Thanks to WFH, many small firms are shifting to smaller towns to stop losing staff to talent poaching.

Many CIOs are planning to alter their strategies to make the company "less dependent on employee institutional knowledge," says PwC.

PwC's Next in Work survey said 65% of respondents reported they were looking for a new position, and 88% of executives were seeing comparatively high turnover.

To Find Cybersecurity Talent, Poach From Other Fields and Departments internally

What Are the New Sources of Talent?

A recent survey found that less than one-half of cybersecurity professionals started their careers in the field. Of those who transitioned into cybersecurity from another profession, many came from careers in mathematics, business, finance, sales and customer service, among others. Here is a simplified depiction of the cybersecurity skill profile:

[Image: simplified depiction of the cybersecurity skill profile]

Existing algorithms can identify high-growth, high-demand occupations to which workers from low-growth, low-demand occupations can transition. Employers can use these algorithms to locate occupations from which to hire qualified workers.

IT administrators, system administrators and network administrators are amongst the most under-rated, under-valued, under-paid, under-utilized, stressed-out and most outsourced roles within IT. Start by upskilling them into cybersecurity roles, as they can absorb those skills much faster than any other candidate.

4. High Attrition Rates: an Era of Great Resignations

Retention is not a one-size-fits-all initiative. According to CompTIA and CyberSeek, a job-tracking database from the U.S. Commerce Department, there were nearly 500,000 open positions in cybersecurity nationwide as of Q2 2021.

In India, analysts anticipate a 22-23% attrition rate for the Indian IT industry in 2021, which works out to 1 million resignations on a projected base of 4.6 million IT employees. It will be worse for the cybersecurity domain, which is already witnessing talent poaching between companies.

65% of cybersecurity professionals struggle to define their career paths—leading to a high turnover rate that opens up big security holes within organizations according to the Information Systems Security Association (ISSA) and independent industry analyst firm Enterprise Strategy Group (ESG). 56% of respondents said their current workplace does not give adequate cybersecurity training to stay up with business and IT risks.


CISOs tend to seek new jobs after a few short years:

  1. (31%) CISOs tend to move on when their organizations lack a serious cybersecurity culture
  2. (30%) leave when they are not active participants with board executives
  3. (27%) leave for higher compensation

5. Explore New Ways of Recruiting Talent - Redesign your hiring practices and pay scale for cybersecurity professionals.

The US Department of Homeland Security (DHS) has done away with the usual job posting route to fill cybersecurity positions.

Employees hired under the US Department of Homeland Security's new cybersecurity service will see different career paths, benefits and salaries compared to their colleagues on the traditional General Schedule, through the newly introduced Cyber Talent Management System (CTMS).

DHS published interim final regulations describing the new cyber talent management system on Thursday; they go into effect on Nov. 15.

The Pentagon used direct-hire authorities to onboard 4,200 new hires between 2019 and 2021 as part of the Cyber Excepted Service.

With the new cyber talent management system, DHS will create a new kind of job in the excepted service known as a “qualified position.” Individuals appointed to these positions will serve in DHS’ Cybersecurity Service. New cybersecurity service hires will work for the Cybersecurity and Infrastructure Security Agency or directly for DHS CIO.

Under the cyber talent management system, the DHS secretary has the discretion to create and appoint individuals to as many qualified positions as he chooses, as long as there’s appropriated funding available.

To recruit new hires to the cybersecurity service, DHS can forgo the usual job posting requirements and strategically target candidates to apply for a qualified position. It will ask prospective candidates to participate in simulations, tests and other interviews to demonstrate their expertise.

When I was writing this, I couldn't help but think how such a system, if adopted, might be undermined by nepotism in several countries.

US state governments are struggling to hire cybersecurity talent. The Department of Homeland Security alone has 2,000 cybersecurity job vacancies, and the Biden administration promoted 300 new hires this summer; state governments, on the other hand, needed to fill nearly 9,000 cybersecurity jobs as of this summer. For local and state governments the problem is pay: the $95,412 average salary of a local or state government cyber employee lagged the pay in the US federal government by $25,000 or more in 2020.

If you want to compete as an employer of choice in cybersecurity, it may be necessary to build a new career path and pay scale that is separate from other technology roles. The new system for hiring and pay adopted by the U.S. Department of Homeland Security (DHS) has seen great results, exceeding its hiring goals by more than 50 percent.

6. Pure Cybersecurity versus Hybrid Cyber Positions: There are differences in salary and required expertise.

Job descriptions for cybersecurity professionals are divided into two categories: pure cybersecurity positions and hybrid positions. Often, the responsibility for cybersecurity is integrated into other jobs such as network administration in large corporations. The abilities required, as well as the income, are somewhat different. Because of increased demand, pure cybersecurity positions pay around 10% more than their counterparts.


7. Self-Trained, Experienced in Bug Bounty - But Not a Culture Fit for a Full-time Cybersecurity Role!!

This was a shock to me: even when job seekers have successful experience from bug-bounty programmes with several credits to showcase, graduates with no full-time employment history are often rejected by many companies as cultural misfits.

I can understand that in bug bounty it is possible to have multiple attempts at solving an issue or to take time to capture the flag, which is not the case in a full-time job with time constraints to deliver results.

This behaviour is counter-intuitive; by contrast, Deneen DeFiore, CISO of United Airlines, says that "when it comes to hiring hackers we want to hire honest people who can think like criminals".

Ashish Gupta, CEO of the crowdsourced bug-bounty platform Bugcrowd, is confident in the concept's future, as even the Pentagon has endorsed the implementation of crowdsourced security for its defences. Bugcrowd has written a blog post on how to succeed in bug bounties as a pentester, and another article that explains why becoming a bug-bounty expert is not an easy task even for experienced infosec professionals.

Adam Grant, an author and professor at the Wharton Business School, offers an insightful take on why hiring for culture fit suits agile, high-growth startups but tends to negatively affect company culture and business once a company goes public. Listen to his presentation.

This is especially true in cybersecurity, and for pen-testing in particular: when two individuals review the same system, it's always possible for one of them to find new flaws, so rejecting an ideal candidate on the basis of a presumed cultural bias or cliche is a huge mistake. Or is it?

Karl Sharman makes an argument about whether cultural fit plays an important role in cybersecurity hiring or not. Karl and Adam have opposing views; I agree with both: in startups and small groups it's essential to adhere to a common cultural identity, but hackers are supposed to have out-of-the-box, lateral thinking too.

8. Cybersecurity is the Latest "Buzz!" Does the Hype Attract Candidates without the Right Aptitude? The Ideal Personality Profile of an Infosec Professional

Headlines that consistently tout cybersecurity and artificial intelligence as the next "it" attract the wrong talent too, or do they?!

It is debatable, as there is no scientifically audited evidence to show whether, if we ran personality profiling on a large pool of cybersecurity professionals using DISC or Myers-Briggs, common patterns of character, behaviour, attitude and aptitude would emerge.


But an analysis by Hogan Assessments, interviews of CISOs by Cybint Solutions (now part of HackerU), and other studies single out certain critical personality traits as mandatory to succeed in cybersecurity:

  1. Confidence. Security consultants will have to deal with all employees, from entry-level staff to CEOs and board-level executives. There's no time to second-guess yourself.
  2. Modesty. Those who excel in cybersecurity usually avoid the limelight. A successful cybersecurity agent is not egotistical or vain.
  3. Altruism. Cybersecurity experts should want to help. Protecting and assisting individuals is at the centre of this job. They should avoid isolating themselves. Fighting attacks will require teamwork and trust among coworkers who share the same security aims.
  4. Composure. The enterprise systems they defend are continuously in danger. While cybersecurity agents must have a sense of urgency, they must also remain calm. Unnecessary outbursts under pressure can distract them from the issue at hand.
  5. Curiosity. Anyone who becomes repetitive, defending against threats in almost the same way every time, will quickly become outmoded and vulnerable. To succeed, you must be interested and seek out fresh flaws. The only way to stay ahead is to constantly study and update.
  6. Analytical. The ability to identify and solve complex problems requires an analytical mindset that involves traits such as critical thinking, data analysis, research, and communicating ideas effectively.
  7. Scientific. The ideal cybersecurity expert uses data and analytics to solve challenges. Increasingly complex cyber threats necessitate highly technical employees who appreciate evidence-based decision-making.
  8. Inquisitive. Cybersecurity is a dynamic field. When risks are eliminated, new ones develop, requiring a new set of skills. So a successful cybersecurity candidate must be quick to learn, have creative thinking skills, be experimental, curious, and open to new ideas.
  9. Sceptical. In an era shifting towards "zero-trust security", the cybersecurity professional's motto must be to trust no one. In a world full of constant threats, naivety can be deadly; infosec professionals need to think like a hacker to stay ahead and prevent attacks.
  10. Perceptive. You should be able to see both sides of a situation: think like the corporation and safeguard what it wants to protect, but also think like a hacker to seek out flaws or attack points. Having both perspectives aids in developing an effective defence strategy.
  11. Responsive. A cybersecurity professional has to win every time, while the hacker needs to win only once. Things can go wrong rapidly in cybersecurity, and you may be blamed for unintentional breaches. You may be held liable if a coworker opens a phishing email and discloses sensitive data. A cybersecurity professional needs to be open to criticism and avoid passive-aggressive behaviour.
  12. Attention to detail. The ability to provide consistent and reliable accuracy in decision-making when work demands real-time response at speed, under pressure.
  13. Diligent. In a high-stress atmosphere, an infosec employee must be detail-oriented and relentless in completing tasks on time. A single omission can lead to an attack, so cybersecurity experts must pay close attention. They must also value achievement and impact.
  14. Persistence. Can you keep at it until you've found the answer? Persistence is crucial in the cybersecurity industry because problems are always changing and getting more complex.
  15. Ability to look at the big picture. Cybersecurity is not all about technology and tools; it involves people, process, compliance, and governance too. So the ability to express concepts in non-technical words to business users and management is a must for leadership positions in cybersecurity. Along with strong technical skills, business acumen and communication aptitude make the leader.

On the other hand, the most obvious common 'personality' characteristics of hackers are high intelligence, consuming curiosity, facility with intellectual abstractions, and the ability to mentally absorb, retain, and reference large amounts of 'meaningless' detail, trusting to later experience to give it context and meaning.

Also, most hackers are 'neophiles', stimulated by and appreciative of novelty (especially intellectual novelty). Most are also relatively individualistic and anti-conformist. I think this is incorrect, as the term "hacker" now denotes a wide variety of personas; most hackers, or at least white-hat hackers and bug bounty hunters, wouldn't agree with some of the above assumptions. Further reading is available here and here.

9. Tech companies are investing in Free Training and Upskill Programs for undergraduates

Microsoft announced a collaboration with NASSCOM, EY and GitHub to make undergraduates job-ready in cloud computing, cybersecurity, artificial intelligence and data science using the Microsoft Learn platform.

The initiative, called Future Ready Talent, aims through its 9-week virtual internship to train and prepare 150,000 higher education students to join the workforce between 2022 and 2024. Details are now available on the FutureReadyTalent website.

10. Alternative Approaches to Cybersecurity Hiring

Paid Apprenticeships While Studying: Take the case of CloudSEK, an AI-powered dark-web monitoring and digital risk management SaaS vendor.

CloudSEK runs a summer internship for graduates called "Earn While You Learn". As part of the internship program, it gives candidates the opportunity to continue working for it remotely even after the internship is over and they're back in college. Not only that, the students are actually paid a generous monthly stipend of Rs. 25,000 ($340) while they work remotely with CloudSEK. That's almost 20% higher than most #cybersecurity vendors pay fresh graduates for full-time cyber roles in India. And once they graduate from college, interns end up getting a full-time offer to work with the company.

Training Candidates from Other Departments: Another example is the SIEM vendor Rapid7 with its Security Consultant Development Program, which offers Rapid7's salespeople a path into an information security career if they wish. Rapid7's Metasploitable is a great place to start learning: Metasploitable is essentially a penetration testing lab in a box that contains several intentional vulnerabilities for you to exploit.

In Ireland, where more than 6,000 security professionals work, a robust cyber training movement is being led by the nation's Cybersecurity Skills Initiative (CSI).

In Europe, especially in Norway, Sweden, Denmark and Finland, extensive efforts are underway to train large numbers of cybersecurity professionals for careers in such critical areas as enterprise and network security, cloud security, application security, penetration testing and malware analysis. Sweden is opening new schools to produce more STEM-focused technologists, with a strong focus on cybersecurity positions.

The idea of abandoning traditional requirements like industry certifications and college degrees is gaining steam. Instead, analysts are advising clients to identify candidates who demonstrate an interest in security and a willingness to learn the issues. Spending on a fancy college degree or training certification isn't enough, because the industry doesn't just need people who know how to use the tools; the real demand is for security professionals who can also code and think like a hacker.

10. Can AI and Automation Help?

Security Operations Centre (SOC) resources are the ones automation can help immediately, though only at the L1 and L2 levels, thanks to SOAR and the increasing use of RPA in SIEM. But automation is not the answer to the talent shortage; it cannot close the cybersecurity skills gap.

According to Daniel Clayton, VP Global Security Services and Support at Bitdefender: "Effective threat hunting and incident response are reliant on informed decision-making about what has happened, what is happening now and what is most likely to happen next. Decision-making is reliant on context, and context comes from multiple sources (telemetry, threat intel, knowledge bases etc.) and getting it in front of the analyst fast enough for he/she to make an informed decision. That is what automation can help solve."

"Automation is not the answer to the cybersecurity professionals shortage, but it can deal with much of the lower-skilled repeatable work to enable analysts to focus on the tasks that set them apart from technology-driven solutions." That simply means automation is most likely to take away more and more entry-level jobs from fresh graduates and increase the pressure on experienced candidates to become experts and invest in continuous education. For fresh graduates, this means that without pre-training and investing in learning there is no hope of getting into infosec roles.

11. Have a Practice Lab for Entry-level Employees

A practice lab for entry-level employees allows new hires to get used to working with sensitive data while also learning about cybersecurity best practices.

The cybersecurity skills gap in North America has reached 3 million positions. Entry-level employees are not being trained on cybersecurity practices, leaving organisations vulnerable to security breaches. Implementing a cybersecurity practice lab will allow your new hires to learn the ins and outs of cybersecurity from seasoned veterans. In addition, it will provide them with hands-on experience before they start their job.

  • Create cybersecurity awareness programs.
  • Promote education opportunities.
  • Recognition: Schedule a time and make a concerted effort to recognize the efforts of team members, whether they be great outcomes or even just demonstrations of positive behaviours. Everyone needs and wants to know that their contributions are valued. It's often difficult to fully appreciate the impacts you are making in infosec: we don't celebrate the absence of an incident or a vulnerability, or how much faster or more effectively we're handling them.
  • Offer incentives to existing employees for gaining certifications.
  • Create cybersecurity learning modules on the company intranet.
  • Offer virtual training courses or partner with educational institutions.

Inspiration from Outside the Infosec Industry - Preceptorship Programs

I think that if the infosec industry wants to look outside for inspiration, it should look at pharmaceuticals and healthcare and their method of training medical representatives and nurses.

Pharma companies have often relied on preceptorship programmes to train new medical representatives and Key Opinion Leaders. Adopting the same method for entry-level new hires is one way to speed up the onboarding of fresh graduates.

Preceptorship is a time-limited, education-focused model for teaching and learning within an active environment that uses experienced staff as role models.

12. Long Term Recruitment for Cybersecurity

Symantec has instituted a long-term plan for recruiting and retaining employees, while also increasing the number of women working within the company's walls. One of these policies involves calling candidates before the screening test and monitoring their progress to ensure that their performance is not unduly influenced by stress.

This is but one example of how the cybersecurity industry can rethink the way recruitment and hiring are conducted — but to take advantage, employers may want to consider changing what qualifications they look for, how they write job descriptions, how they interview and test potential talent, and more.

Data is now compared to oil, and roles like Chief Data Officer and Chief Digital Officer are gaining momentum, acknowledging data as a strategic and valuable corporate asset that can be used to generate value. The CISO and the security apparatus will soon be in the cross-hairs in a multi-cloud corporate IT environment; with the skill shortage looming in the background, instead of collaboration there would soon be war inside the corporate boardroom.

What is your opinion on the subjects discussed? Feel free to agree or disagree, and comment or like.

We have found ways for both job seekers and employers to address these challenges. Most of them are discussed above, but if you need a list of recommended actions, connect with me or Wattlecorp; there is no need to buy anything from us. If you are facing any of the issues mentioned above, whether you are a startup or a growing organization, perhaps @Wattlecorp can help you with our cybersecurity expertise.

Feel free to reach out and connect with me, I will be happy to share how we can help or just to pick my brain over some other similar infosec topic.

Felix Oguntoyinbo

Supply Chain Operations Specialist |SAP ERP, Cybersecurity

1 year

I am a Scrum Master Professional and AWS Solution Architect, currently taking training as a Cybersecurity specialist. I have a strong background in accounting and procurement, with 3 decades of experience in a multinational company in several roles (Engineering, Compensation & Benefits, HR, Finance, Procurement, Logistics) in cement and aggregate. I am very open to discussion.

Ashish Krishna

Senior Associate Cyber Security Consultant ||Cyber security||1×GCP|| AZ-500||Data Security||Privacy||Splunk||Cloud enthusiastic||PGC in Cyber security IIIT-Bangalore||Ex-Tcser

1 year

Well said

To any of the companies reading this post: I just graduated from an almost year-long project-based cybersecurity program through the University of Michigan. I have taken the Sec+ and LPI Linux Essentials. I'm looking to enter SOC analyst positions, but I would just like to start working in the industry in order to further refine my career trajectory. I can learn whatever position you need filled, and I'm a fast learner. I know I would make a valuable asset to your team, so please DM me if you're short-staffed. I can help!

Sage Lal

Dad of 3 Future Tech Queens | Education Technology Entrepreneur | Cyber Education & AI Global Project Magician | eSports | Let's Talk!

3 years
