It’s understandable that the talent pool has practically gone dry. Demand for security professionals continues to soar while new talent production ekes by, and seasoned talent are already contently employed. Recruiting security talent at any skill level seems an impossible task under such circumstances.

“There aren’t many fields where the majority say they’re happy with their profession — except for cybersecurity. Overall, 83 percent say they’re satisfied with their jobs. When it comes to the future, 80 percent feel secure about their role, and 86 percent would recommend a cybersecurity career to new college graduates,” says Stephen Moore, chief security strategist at Exabeam, a security intelligence company (SIEM).

Nonetheless, you need security professionals – you have to have them – and you need them up and running as of yesterday. There’s no workaround or back-order process, nothing you can do but go find them and convince them to join your cause and your payroll. So where do you find these elusive professionals?

Where to Look

“There are three places to find security professionals – in other companies/agencies, at the beginning of their career journey, or hidden in your organization,” says Amjed M. Saffarini, CEO of CyberVista, a Graham Holdings Company. It’s a cybersecurity training and workforce development company.

Finding and recruiting talent from other companies is a tricky business. In many cases they are content where they are and not really interested in entertaining other offers; however, there are established security pros who will be open to an offer than meets their current needs, such as better life/work balance, more interesting challenges, and/or increased opportunities to learn.

Obviously, you can’t just go knock on other companies’ doors and ask to meet their security team. Look for these professionals at conventions, social events that your current security people enjoy, in open-source projects, on speaker bureaus, as authors of blogs and professional posts, attending or competing in security challenges, and other online and real-world hangouts where security-minded people are known to gather.

Finding talent that has not yet fully bloomed, meaning those people who are just beginning their career journey or starting to make a career change, is a bit easier. Look to universities, technical training programs, veterans’ groups, and even high schools and middle schools for talent you can train to your specific needs and their individual capabilities.

“It’s a good idea for organizations to hire from advanced technical training and certification programs where qualified candidates have already been put through a rigorous interview process. This not only reduces the recruiting/hiring cycle but also reduces training and certification expenses that would otherwise come out of the company’s budget,” says John Maddison, SVP of products and solutions at Fortinet.

Don’t overlook military veterans, as most already have a finely tuned security mindset and the discipline necessary to succeed at defending their charges.

“Veterans are already trained in cybersecurity and understand the idea of militarization better than any civilian. Each year over 200,000 members of the U.S. Military change from active-duty positions back to civilian life, facing unemployment once they are done with their service contract,” says Craig Hinkley, CEO of WhiteHat Security.

“Organizations can attract these individuals by continuing to foster programs that train veterans in cybersecurity and provide certification programs. Businesses can also take place in mentorship programs put on by the Department of Defense and any placement opportunities,” Hinkley added.

Finally, look internally for talent you can develop into security professionals. Odds are you’ll find more candidates than you realized were already on your payroll.

“Those employees with the right attitude and desire to learn should be considered for vacant, more senior roles. Assigning an internal mentor, establishing a formal training program and incorporating a little TLC can translate into growth and internal mobility within a company,” says Samuel. “This also sends the right message to the staff that internal promotion is a true and real possibility. Additionally, creating longevity with internal staff is a great sign of a good company that takes care of its own.”

One quick caveat of note: if you’re hoping to recruit ex-government workers, you might need …

… a change of plans because that supply chain is reversing flow.

“Historically there has been a steady flow of talent ready to jump from government work into the commercial sector, but that pipeline is constraining as the government hiring authorities ramp up to compete with some of the commercial counterparts,” says Saffarini.

Whom to Look For

Take a hard look at the job descriptions you’re advertising to, because you’ll likely need to revise them if your goal is to hire good security talent fast.

“Most job descriptions are unrealistic, listing too many requirements that are not core to the role, but rather are nice-to-have qualifications. Rather than limiting your potential pool of candidates, simplify the job description to include your core requirements to entice applicants to fill open roles,” advises John Samuel, executive VP and head of IT and digital transformation at CGS, a global provider of business applications, enterprise learning and outsourcing services.

Most managers would rather hire for attitude and train for aptitude than the other way around. Keep in mind that not all who work in white-hat jobs have white-hat mentalities. Insider threats are still a real thing. But that doesn’t mean hire someone with no tech skills at all, either.

“Within your organization, you’ll often find that looking at adjacent roles gets your further than you might imagine — a star system admin already knows your networks, systems, architecture, people and process, but needs training in cybersecurity constructs to tie much of it together. Over time these individuals become cyber superstars,” says Saffarini.

Make a Plan that Actually Works

But before you run to all these places with flowers and chocolates and perks-a-plenty in hand, stop and develop a security workforce plan so that you hire what you need now and develop the workforce you need in the future too. You need a strategy supported by specific actions to ensure that you’ll get these talented people’s attention, let alone sign them up for a prolonged stint at your company.

“Putting the time and resources into a security workforce plan, and then actively executing and managing that plan, has one of the best ROIs of any security spend,” says Saffarini.

Don’t think you can just dust off one of your company’s workforce plans designed for other fields, because the same tactics aren’t likely to work with this group.

“Organizations need to identify and implement more modern approaches and apply them to recruiting and retention in the cybersecurity industry workforce to fill the void and create more diversity,” says Jason Albuquerque, CISO at Carousel Industries, a national IT, managed services and cloud solution provider.

Those modern approaches means diversifying not only in terms of genders and cultures, but also in job roles and descriptions, remote as well as flexible work options, and personalized perks. It might take some experimentation and long conversations to discover what works best in recruiting and retaining security pros for your company, but the effort will pay off handsomely in even the tightest employment markets.