ISC2: Recruiters Can Do More to Address Cybersecurity Talent Shortage
In other cybersecurity news …
ISC2 this week published findings from its 2022 Cybersecurity Hiring Managers research that shed light on best practices for recruiting, hiring and onboarding entry- and junior-level cybersecurity practitioners.
The research, reflecting the opinions of 1,250 cybersecurity hiring managers from the United States, Canada, United Kingdom and India, highlights the need to build effective job descriptions, and assign appropriate roles and responsibilities, along with the importance of non-technical skills and investing in career development.
Key report findings include:
- Forty-two percent of participants said it costs less than $1,000 in training for entry-level hires (those with less than one year of experience) to handle assignments independently.
- Nearly a third said it takes less than $1,000 in training cost for junior-level practitioners (one to three years of experience) to handle assignments independently.
- Thirty-seven percent estimate entry-level practitioners are considered “up to speed” after six months or less on the job. Half said it takes up to a year.
- Ninety-one percent of hiring managers said they give entry- and junior-level cybersecurity team members career development time during work hours.
- Certifications are considered the most effective method of talent development for entry- and junior-level practitioners, followed by in-house training, conferences, external training and mentoring.
- Fifty-two percent work with recruitment organizations to find entry- and junior-level staff. This approach is followed by looking to certification organizations, colleges and universities, using standard job postings, and apprenticeships and internships along with leveraging government workforce programs.
- Eighteen percent of hiring managers are recruiting individuals from within their organization working in different job functions, such as help desk, HR, customer service and communications.
Hiring managers also revealed their top five tasks for entry-level cybersecurity staff:
- Alert and event monitoring.
- Documenting processes and procedures.
- Using scripting languages.
- Incident response.
- Developing and producing reports.
Tara Wisniewski is ISC2’s executive vice president of advocacy, global markets and member engagement.
“Hiring managers are struggling to bring younger and first-time professionals into the industry,” she said. “The study shows us that, with the exception of the smallest organizations, employment levels for entry-level cybersecurity professionals trail far behind every other experience level. It’s also a particularly notable challenge in the United States and United Kingdom, compared to Canada and India, where entry-level employment levels are higher overall. Entry- and junior-level staff members help their organization, bringing new perspectives, ideas, creativity, critical skills in new technologies, enthusiasm and reinvigorating energy, as well as being a valuable next generation to transfer knowledge to. This shortage of talent in this area has increased the reliance on costly external recruiters to try and fill vacancies.”
The top priority is to review and rethink job descriptions and hiring criteria, Wisniewski said.
“Ensuring that qualification and experience expectations are appropriate for the role is of paramount importance and is the area where most hiring managers have been struggling,” she said. “When it comes to entry- and junior-level roles, it’s all too easy to fall back on experience as an easy measure of competence. But it doesn’t work for these first-time career positions and instead creates a chicken-and-egg paradox that ultimately deters and prevents many young professionals from entering the cybersecurity field. For these roles, qualifications are a far more viable way of verifying foundational competence and an ability to learn.”