Filling cybersecurity jobs is getting so hard that managers need to think outside the box if they hope to fill critical positions, experts say.

That means redefining jobs, training human resources departments to screen resumes differently, seeking latent talent already inside the organization, and hiring bright, motivated people who can grow into critical roles, according to an expert panel speaking at the recent Advanced Cyber Security Center conference in Boston.

Talent is so scarce that it typically takes eight to 12 months to fill cybersecurity jobs, says Mark Aiello, president of Cyber 360, a staffing firm specializing in finding cybersecurity skill. So employers need to be flexible about who they will consider.

“The goal is to hire someone not perfect for the role,” because you likely won’t find them, Aiello says. “The Goldilocks candidate does not exist.” He says organizations need to get their managers to be managers by managing how critical tasks are divvied up and training their staffs so all those tasks are accomplished. For example, he says, hire a new person to handle lower-level tasks and realign existing staff to absorb the duties of the higher skilled person who left.

Look for bright, capable people with the aptitude for the skills needed for open positions, and then train them, says another panelist, Devin Bryan, CISO of the Federal Reserve System. He says the 12 banks in the system had 78 vacancies for cybersecurity posts, the oldest being unfilled for a year.
“There certainly is a war for talent,” he says.

Janet Levesque, CISO for RSA, says she works with her human resources team to flag candidates with critical-thinking and problem-solving skills and writing and communications talent, not just the technical competencies they tend to list on resumes.

“We have a responsibility to help HR sift through the pile of resumes from Monster,” says Bryan. And job seekers need to do more to help themselves by describing how their skills and competencies can help the hiring organization.

Aiello says HR should be told to set up interviews with everyone who meets broad qualifications. Managers should hire the smart people who meet those qualifications, even if they don’t have all the specific skills required so long as they are willing to learn and show enthusiasm for the open position. “If they have the right attitude, they will be a good employee,” he says.

Aiello says employers shouldn’t insist on a set of certifications or even a college degree when hiring. “That shouldn’t matter,” he says, just whether they have skills and brains.

Carla Brodley, dean of Northeastern University’s College of Computer and Information Science, agrees, but says that once they have jobs and want to move up the food chain, they will likely need to acquire formal credentials. “They can do that while they’re working for you,” she says.

To help in that training Northeastern has programs to give software engineers cybersecurity skills, and has extended that to students with undergraduate degrees in non-tech subjects like history, English and math.

Don’t assume that the best candidate will come from the outside, Bryan says.
The best qualified candidates may already work for the hiring organization, and managers should be creative in finding those people.

Levesque says EMC rotates recent graduates hired at the company through three-month cycles in different areas to find out whether a programmer, for example, might have an interest in incident response.

It’s often tough for applicants and employers to succinctly describe skills and requirements, respectively. Aiello says that’s because cyber security is still an immature profession that lacks basic standards for what job skills are needed for what job titles. A job with the title security analyst at one organization might have a different set of tasks associated with it than a security analyst at another organization. “It’s hard to say, ‘I want to be this,’ when ‘this’ doesn’t have a title,” he says.

Bryan says that the National Institute for Standards and Testing (NIST) is trying to create standardized titles and job descriptions to do just that with its National Initiative for Cybersecurity Education (NICE). The project “provides a common language to categorize and describe cybersecurity work,” with the goal of helping businesses identify, recruit and develop appropriate talent.

Because of stiff competition, employers may have to compete with salaries and perks. Levesque says she’s seen corporations offer work-at-home options to strong candidates who don’t want to relocate.

Bryan says that the Federal Reserve System can’t offer the big salaries major private firms can so it operates at a disadvantage.

Universities face similar challenges finding the top security pros to teach, says Northeastern’s Brodley. “It’s hard to get Ph.D.s in cybersecurity. We have the same problem that’s going on in industry, and we can’t pay what industry pays,” she says.

Aiello says the average age for cybersecurity practitioners is 41.
He recommends that when younger people are being considered, enlist younger current employees to help interview them. The motivations of boomers and millennials are very different, and having someone in the same age bracket can make the process go smoother.

Brodley says that 75% of people who try computer science like it enough to take a second course. She’s hoping computer science is made a high school requirement so more students get that initial exposure that might encourage them to major in it in college.