The cybersecurity talent shortage is a major problem. Sixty percent of organizations struggle to recruit cybersecurity staff, and 52% struggle to retain qualified people, according to a Fortinet report.
"I'm not seeing a lack of talent available for entry-level jobs, the problem is in the five-to-10-year experience level," said Helen Patton, an advisory CISO at Cisco and a senior faculty member at Digital Directors Network.
Job descriptions only further the problem, Patton said. Qualified candidates are often deterred from applying to a job due to unreasonable job posting requirements. "You've got hiring managers who don't know how to write job descriptions, and you've got recruiters who don't understand the role," she said.
In her book, Navigating the Cybersecurity Career Path, Patton offered advice to help security leaders build a security team, including how to recruit the right talent with good job postings.
In this excerpt from Chapter 18, Patton suggests tips on how to write a cybersecurity job posting. Learn which skills to include, as well as the importance of using inclusive language and explaining how the role will benefit the candidate -- and not just the organization.
Of all the challenges with security job postings, the skills mismatch causes most candidates to skip your posting and look elsewhere. The industry has a skills gap, yet our job postings require too many skills and too many certifications. Also, there is an assumption that the successful candidate must arrive in the new job fully trained to do whatever is needed. Before you sit down to write your posting, fully consider the skills that are absolutely required from a new hire, as well as the skills you are willing to help the candidate develop on the job.
When you are considering skills, you should also consider what formal education you expect in your candidates. Don't ask for a four-year degree unless you truly believe it's a necessary requirement. (Most security leaders do not.) Be careful about the certifications you require; do they really support the role you are hiring for? Are there equivalences you are willing to consider, such as work experience in place of formal schooling? Must all the training you require be security-specific, or can you let candidates demonstrate skills through another path? How do you feel about self-taught candidates?
Benchmark yourself against other postings and resources, such as the U.S. National Initiative for Cybersecurity Education (NICE) Cybersecurity Workforce Framework. Make sure you're not asking a junior candidate to have senior-level skills. Make sure the senior-level job posting isn't asking for too much experience or technology mastery. Just because it is a senior position doesn't mean the role requires expert-level mastery of every skill!
Differentiate between general IT skills (such as programming languages) and security skills (assessing applications for insecure code), and make sure you're not labeling a job "security" just because it sits in the security organization. It's perfectly fine for a CISO to hire a generic application developer, project manager, or data analyst without making them a "security engineer," "security manager," or "security analyst."
Interestingly, when you talk to hiring managers, it is often not the technical skills that are hard to develop on the job -- it's the professional skills like empathy, teamwork, and communication. When you read the job description, which "required skills" are listed first? The technical skills! If you think you can train the technical skills on the job but want to hire the professional skills, list the professional skills first.
Don't ask for skills or experience you are willing to live without. Even putting unnecessary skills in the "optional" or "preferred" section is enough to turn high-quality candidates away -- so make sure the skills you put into your job postings are ones you truly require.
No job is created in isolation. If you're hiring someone into a role, it is because your organization needs that role for some purpose, and that purpose aligns with your security strategy and the organizational business goals and mission.
So, when you're creating a job posting, let potential candidates know the "why" of the job. Why does this job exist? What purpose does it fill? How does it fit into the company, the security team, the security function? Is the role focused on one single line of business in the company or the whole company? Is the role going to be part of a revenue-generating team or a product support team, or will it be an administrative function? What are your core values, and how does this position support them? Include a link to the important parts of your company website so a candidate can quickly see general information about working at your company.
Don't just talk about what the job is; talk about how the company will support the development of the candidate. Tell the candidate what they become, as well as what the job can become. Do you invest in training employees on the job, send them to conferences, or pay for industry memberships? Then say so! Let them know that you will be helping them grow when they join your team, not just assessing their job performance. Let them know that the risk they are taking to apply for your job is worth it.
You should give candidates some context because it allows them to see themselves in the role. Candidates want to be excited about a new opportunity. If all you can do is tell them that they will be monitoring vulnerabilities, pen testing an application, or writing policy, you're not giving them the full picture.
Giving candidates the "why" allows them to fill out the role in their imagination and allows them to imagine their success as part of your team.
Context will allow candidates to be better prepared for interviews, ask better questions, and be better prepared to do what you need.
When you're creating a job posting, you are creating a vision for the candidate. You're telling a story of what the role can be and what their role in it will look like. So, just like any good storyteller, you need to put the reader in the center of the story -- not as a passive observer, but as the whole point. To do this, you need to write in the second person, addressing the candidate directly as "you."
Instead of saying, "The candidate will monitor systems and follow playbooks to respond to incidents," you might choose to say, "You will use your powers of observation to identify anomalies and attacks against your company."
Instead of saying, "Applicants will be part of the Security team," you might say, "You will be a key member of a highly professional and inclusive group of people who ensure the security of the entire company."
When you write your job postings, you should be careful to avoid language that is seen as gendered, biased, or otherwise promotes negative stereotypes. Some people want to be "rock stars," but for others, this is seen as a masculine, high-competition standard that automatically excludes women or other minorities. There is free software available to check the language you plan to use. Search for "bias language applications" to see some options. Please use them. Candidates will not apply for your job if the language you use prevents them from seeing themselves as being successful in the role.
If you can, try to avoid using filter Q&A as the first step in the application process. Companies love to do this -- it helps their algorithms "weed out" unqualified candidates. But security jobs aren't cookie-cutter, and these algorithms often do more harm than good because they filter out qualified candidates who lack exactly the right kind of experience or use the wrong words in their résumés. Our algorithms aren't ready for the lack of structure that exists in the security profession today. If you must use these, ask your recruiter to see the reject list as well as the selection list. You'll be surprised who gets left behind!
About the author
Helen Patton is an advisory CISO at Cisco, where she shares security strategies with the security community. Previously, she spent eight years as CISO at The Ohio State University, where she was awarded the 2018 ISE North American Academic/Public Sector Executive of the Year. Before joining Ohio State, she spent 10 years in risk and resiliency at JPMorgan Chase. She serves on the State of Ohio CyberOhio Advisory Board, the Manufacturing and Digital USA Cybersecurity Advisory Board and the Ohio State University College of Electrical and Computer Engineering Industry Advisory Board. Patton is also a faculty member for the Digital Directors Network and for the Educause Leadership Institute.