Hiring Tips for CISOs Closing the Cyber Skills Gap


Professionals in the cybersecurity space are well aware of the skills gap, which has already left 4 million jobs unfilled globally and promises to keep growing. CISOs are already feeling the effects across their teams, especially in their efforts to hire experienced professionals.

Closing the skills gap at your organization is becoming increasingly challenging: intense competition means many companies are priced out of hiring experienced talent, because those candidates can command a higher salary elsewhere. Moreover, because the security space, and the responsibilities of those working within it, are changing so rapidly, it is becoming increasingly difficult for CISOs and hiring managers to articulate exactly what they need in a candidate.

To close that workforce gap within the organization, CISOs need to amend their strategies for finding, interviewing, and onboarding talent. Doing so will enable them to fill gaps on their team faster, while addressing the essential and evolving skillsets required for managing today’s complex, distributed networks.  

Cybersecurity Recruitment Changes and Challenges

Determining the qualifications essential for a security candidate and assigning responsibilities across the team was once a fairly standard practice. Security was often integrated with broader IT functions, requiring familiarity with a few key systems and practices and a rather static network environment. However, this has all changed due to digital innovations and increased regulations from various compliance bodies.  

The global move towards digital transformation means that multi-cloud platforms, SaaS and other business-critical applications, IoT and mobile devices, and more have now become essential across every department in the business. Data is being stored in more locations, creating opportunities for data leakage or improper use. And at the same time, regulatory bodies have begun imposing strict rules on how data can be used and stored, such as PCI, the EU’s GDPR, the California Consumer Privacy Act (CCPA), which just went into effect in January of this year, and others.

Together, these trends call for specialized security roles that can enable digital transformation efforts while ensuring that security and compliance requirements are being met. Roles such as cybersecurity architect, cybersecurity analyst, and security engineer are now essential, requiring specialized skillsets. And the candidates that fill these roles are also collaborating more than ever with different departments and divisions, calling for an expanded set of soft skills such as leadership and communications. Also, the evolving networking needs of digital transformation call for additional technical skills, such as adding prevention to detection and remediation capabilities, establishing Secure DevOps, and the ability to manage a variety of point products. This broader range of skills must also be accounted for in recruiting practices.

Best Practices when Hiring for a Cybersecurity Role

To ensure the candidates being considered to fill these positions are prepared with the essential skillsets, CISOs must be strategic and specific during the recruiting, hiring, and onboarding process. Below are some factors to consider.

Recruiting

  • Job Descriptions: Candidates generally spend less than 60 seconds reviewing a job description to see if they are a match. In such a competitive market, CISOs need to ensure that the job descriptions they distribute not only clearly and succinctly state the skills needed, but also sell the opportunity. The goal is to get the right candidates interested in working at your organization specifically. A side benefit of clearly defining the role is that the job description also helps team members internally organize which responsibilities will fall to the new hire. Finally, given the highly competitive nature of hiring experienced and skilled cybersecurity professionals, if salary is a gating factor due to budget constraints, be prepared to offer options that appeal to today’s candidates, such as flex time, leadership opportunities, paid training, etc.
  • Posting Strategies: While you want your listing to be posted on as many channels as possible, it is important that you are posting to job boards that attract professionals with a security background. Don’t ignore general job sites, but make it a point to find and post on niche sites as well, such as Dice. Beyond job boards, leverage your network to spread awareness of the opening through word of mouth, social media, and other tactics.
  • Screening: Despite the skills gap, you will likely receive a good number of applications for your job posting. Of course, recruiters should evaluate candidates based on past responsibilities, relevant certifications, and presentation style, to understand if they are a fit. But don’t discount the value of soft skills. Look for candidates with experience in areas such as negotiation, leadership, team building, and creating consensus as well as more traditional security skillsets.
  • Think Outside the Box: Diversity – both in educational and professional backgrounds, as well as in more traditional areas such as gender, race, and sexual orientation – can bring new value to the team, with new ways of looking at and solving problems, and should be a top priority during the screening process. Fortinet CISO Phil Quade, when discussing his years as a cybersecurity leader at the NSA, remarked, “One of the most effective cybersecurity analysts I’ve worked with wasn’t a mathematician, computer scientist, or data scientist. He was educated in anthropology – the scientific study of humans, human behavior, and societies. His diverse perspective added unique insights that were key pieces of the overall puzzle on high-end threat actors.” 

Hiring

  • Interviewing: This is a chance for the candidate to learn about the role, in addition to the organization learning about the candidate. To ensure CISOs get the information needed and provide a positive interviewing experience, prepare different questions for each round of interviews, with the goal of moving from a shortlist of 6-10 candidates to three finalists. The questions should not only be geared toward ascertaining how candidates will use their role to advance the organization, but in uncovering the unique skills and abilities each candidate brings to the table.
  • Vetting: After interviewing your three finalists, it is important that you select and make an offer to the right candidate. This is as much about ensuring the candidate fits the culture of the organization as it is about their specific skillsets. CISOs should work with the hiring manager and HR team to evaluate each candidate on how they meet the needs of the organization. Once you have decided on a winning candidate, contact their references to verify skills and experience. 

Onboarding

  • Engaging: Well executed onboarding programs impact efficiency, productivity, and retention. Most organizations have an onboarding process that includes amenities and benefits, IT tools, and processes, along with getting to know the organization. But CISOs should ensure programs are also in place specific to the cybersecurity team and its responsibilities.
  • Training: A large part of retention and closing the skills gap will occur through making sure these new hires have access to training and hands-on learning experiences to continue to increase their skillset in the security realm. This is especially true for lower-level security employees who can be trained to take on more responsibility in the company as they progress. Regular training in the latest tools, intelligence, and strategies, combined with a thoughtful and planned mentoring program, will ensure your organization stays a step ahead of cyber criminals and enable a focus on prevention, as well as detection and remediation.


Closing the Skills Gap

Between digital transformation, compliance regulations, and heavy competition in the space, finding the correct fit for the security team can be a challenge for CISOs looking to close the skills gap at their organization. Keeping these best practices in mind when hiring can assist in minimizing the effects of these challenges, while getting the talent needed to build a strong cybersecurity posture at your organization.

Learn more about Fortinet’s education and training initiatives and efforts to close the cybersecurity skills gap. Read about Fortinet’s NSE Institute programs, including the Network Security Expert program, the Network Security Academy program, and the FortiVets program.


Find out more about how CISOs can effectively address modern cybersecurity challenges in this Forbes Insights report.

Copyright © 2020 IDG Communications, Inc.