Four ways to use open data sources to find cybersecurity candidates

Publicly available data from government and other sources can help you find the right security talent.

hiring software developers

It’s tough to grow a tech business in Silicon Valley when you’re competing against “sexier” companies like Lyft, Airbnb, Facebook and Google for the same cyber talent, says Mai Ton, vice president of human resources at OneLogin. But that’s the harsh reality for the identity and access management provider.

The ongoing cyber skills shortage isn’t helping matters. By 2021, 3.5 million cybersecurity jobs will go unfilled, up from 1 million openings last year, according to Cybersecurity Ventures.  

To find new talent, OneLogin considered moving some of its operations into different U.S. cities with more target-rich environments for available cyber-skilled workers.  Conventional wisdom told HR leaders that they could find engineers in Seattle and New York, but after researching publicly available data online, “We found that was actually not the case,” she says.

Public data, including data tools from the U.S. Bureau of Labor Statistics (BLS), showed that the concentration of engineers was largest in the San Francisco Bay area, followed by Texas and Massachusetts. “Our initial hypothesis around where the talent was turned out to be totally wrong,” Ton says. “Thank goodness we didn’t [move some operations there] because they didn’t have the talent that we were seeking.” The company ended up hiring five remote workers in Texas.

Plenty of publicly available data from U.S. agencies such as the BLS, Census Bureau, National Center for Science and Engineering Statistics, Office of Personnel Management and even the IRS can help hiring managers pinpoint new tech talent pools by county, city or state.

Unlike LinkedIn and traditional tech job boards that are well-suited for finding one-to-one matches, “Public data can help give you intelligence on identifying communities where you might be able to find a whole set of people” to choose from, says Adnan Mahmud, founder of LiveStories, a Seattle-based software company that collects and analyzes hundreds of government or “civic” data sources, collecting information on 1,000 indicators at more than 40,000 locations. HR leaders can also use the data to build stronger job postings with a better sense of salary requirements, among other factors, he says.  

[Related: Companies ramp up recruiting veterans as cybersecurity urgency grows]

Research experts offer tips on how to mine free, publicly available data to find cyber talent.

Locate the talent

Recruiters can use public data to find states and cities with a surplus of specific cyber talent that may be going unnoticed. Labor data tools are a good place to start, Mahmud says. For instance, the BLS publishes a location quotient that describes number of jobs in a specific skill set vs. its national average. For example, if security engineers represent 2 percent of the jobs in Seattle and 1 percent of all jobs in the U.S., then Seattle has a location quotient of 2, or 2 divided by 1. 

The location quotient also identifies where there are shortages of a particular skillset. If the location quotient is less than one, a higher number of jobs are available in that location. While people with security engineering skills might be present, “Those people might be looking for something more challenging. They’re in a little pond, so to speak, and they want to be in the big pond,” Mahmud says.

Mahmud searched for “information security analysts” using public data and determined the position’s median salary in each state (from $55,140 in Montana to $119,560 in the District of Columbia), the states with the highest opportunities and salaries (Virginia, Maryland and D.C.), the locations with the most people holding that title (Virginia, Maryland and Minnesota), and projected increase in future job openings for the position. Data shows an increase of almost 20 percent by 2024. That data can be cross-referenced to zero in on the best pool of job candidates, he says.

Define 'security worker'

Some users of public data argue that the BLS underestimates the number of professionals with cybersecurity skills, says Tim Herbert, senior VP for research and market intelligence at CompTIA. While the BLS reported 93,000 cyber professionals nationwide in 2016, CompTIA puts the number closer to 780,000 because many professionals with non-security titles have cybersecurity responsibilities. For example, computer support and help desk staff report to CompTIA that 25 percent to 30 percent their jobs involve security.

The categories of cyber workers are also somewhat dated and narrow, Herbert says. CompTIA began looking for more accurate data, and in November 2016 it launched CyberSeek, a free website that offers interactive tools and data for finding pockets of cyber talent. The website 

combines job demand data from labor market analytics firm Burning Glass Technologies and workforce supply information gathered from five skills-certifying bodies that together formed the Cybersecurity Credentials Collaborative.

While there’s no one source that keeps tabs on every certification, Herbert says, “We’re relying on security certifications as our proxy for identifying workers [who are] in security in some capacity. They could be a network engineer, and security could be 50 percent of their responsibility.”

Go granular

CompTIA’s supply/demand heat map compares the number of jobs available to the number of cyber-skilled workers by state or metro area. “Looking outside of [the areas] we know to be tech hubs around the country is a good place to identify untapped areas with a very high ratio of workers relative to the number of jobs there,” Herbert says. “It could potentially be an indicator that this could be a spot for recruiting.” 

Data on midsize cities reveal several hidden pools of talent. Midsize metro areas with favorable ratios of candidates to security jobs include Jackson, Miss.; Charlottesville, Va.; Boise City, Idaho; Tulsa,Okla.; Amarillo, Texas; and Youngstown, Ohio, according to data from CyberSeek.

Herbert plans to refresh data more frequently than some government sources, which update information annually or bi-annually. The CyberSeek website will update its data in July, and then information will be updated quarterly going forward.

Factor in data on average salaries and cost of living

Even if HR leaders identify a target-rich environment, they should also compare data on average salaries and cost of living in the job’s location. “If in their home community the median salary [for the position] is lower than the U.S median salary, then you can attract them with higher salary, although it may not cover living expenses in some cities,” Mahmud says.

OneLogin found itself in a similar situation when trying to hire employees to relocate to Silicon Valley. “We initially started our [hiring] efforts in Texas, but we were just not able to lure them over to the Bay Area and convince them to take that big pay increase because it still wouldn’t have been enough to maintain their cost of living,” Ton says. The company did hire five workers in Texas who now work remotely, she adds.

[Related: 4 places to find cybersecurity talent in your own organization]

Publicly available data should not be used exclusively to find cyber talent, Herbert says. “This is not intended to replace a job board or some of the other recruiting techniques that an HR person would use, but it’s a competitive intelligence tool and a way to hone your [recruiting] strategy.”


Copyright © 2017 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)