Best practice for finding and keeping cyber-talent
By Sophie Harrison
There are currently four key market forces impacting the cyber-market – increasing scrutiny by regulators, an explosion in security tools, a bigger attack surface and scarcer security personnel. According to (ISC)2, the global IT security skills shortage has now surpassed four million and the global security workforce needs to increase by 145 per cent to cope with a surge in hiring demand.
The UK government has recently announced plans to conduct its second audit into the state of the country’s cybersecurity workforce.
As a cyber-company that has scaled from five employees to fifty in just four years, we are well placed to advise upon how best to attract and retain the best cyber-staff. It’s a hard climate to recruit the best and brightest the industry has to offer, particularly when speed is important. After all, in the last year, according to ESG, over half (53 per cent) of its survey respondents reported a problematic shortage of cybersecurity skills at their organisation.
So, what have we done that has worked well, and how can you ensure you don’t fall foul of the cyber-skills shortage? Firstly, it’s important to stay true to your company values and make sure you are completely clear on what type of person would fit in well with your company culture. This is fundamental – fast-tracking the process and making compromises is a complete false economy. You might recruit more people, but they won’t stay with you and the impact of having the wrong personalities on the team could be detrimental for employee morale.
The best place to start is by thinking from the candidate’s perspective. Why would those talented people want to work for your organisation? What’s in it for them and how does it align with your company’s goals or what you’re trying to achieve in areas you’re recruiting for? Answering these questions will help you ensure that the recruitment strategy is strengthened from the beginning. A job advert may say all the right things – but if you don’t have the right working environment to back it up, you’ll still find it hard to hire and retain the best candidates. So, ask yourself whether your organisation is set up to help all kinds of people thrive.
Taking the right steps
It’s also crucial to ensure that you are working with a broad, diverse talent pool. Building a more inclusive element into hiring practices will inherently help you attract a more diverse range of candidates. You’ll start to find talent you may have otherwise missed. Assuming you are working on making your organisation more inclusive generally, there are a few steps you can take to try to attract more cyber-talent, such as:
- Throw out your perceptions of what a “typical infosec candidate” is going to be like and focus on the top non-negotiable things you need them to be able to do on day one and ensure it’s just these non-negotiable things that go on a job advert.
- Identify the values you need them to exhibit – make sure these are specific, such as ‘the ability to own up to mistakes’.
- Find ways for candidates to show that they have the aptitude to learn and be clear during the recruitment process on how you will support them to upskill and support their career growth.
- Forget about certifications, degrees and a set number of years’ experience – there are other ways people can demonstrate their core skills to you. Having strict education and experience requirements can create artificial barriers to entry for many people.
When it comes to non-material incentives in a job advert, flexible work-life balance is a huge draw. People work effectively in different ways – remote, flexible hours, part time, job-shares, improved parental leave are all huge benefits. All of these may make your role attractive and suitable to even more candidates who could do fantastic work. So, if you do offer these, make them prominent on your job advert.
There is a wide range of options when it comes to where to advertise your open roles. So many companies just rely on the organisation’s network on LinkedIn, but how diverse is that network really? Other options could be to engage with communities (meetups, schools, universities, local clubs) who may not usually see your job advert – ideally well before you need to hire – by paying to advertise on their job boards or sponsoring their events. People will remember companies that sponsored their first CTF or security meetup when they’re ready to find a position!
Once you have candidates through the door, another key area to address is how best to reduce unconscious bias. Having a scorecard-based interview process to assess how candidates are showcasing soft skills is extremely useful. Also, before offering any roles, ensure that the team who will be working directly with the new recruit get an opportunity to vet and talk to them.
Once new recruits are on board, the onus must be on retention. The foundation for this must be clear company values, which enable a consistent language for how you act and treat one another. We also have a variety of initiatives that are designed to ensure our staff feel listened to and valued.
We have a Peakon weekly survey to give employees a voice, supported by functional Peakon working groups who have direct involvement in how to improve the way we run the company, from office layout to product updates. There is also a huge choice of groups that employees can get involved in, ranging from Sanctus to yoga, meditation club and sports clubs – not to mention regular company celebration events!
The skills shortage is exacerbated by the evolving cybersecurity landscape, which means recruitment is becoming an ever-greater strategic business priority. By putting the time in to educate yourself and your organisation, continually trying to improve your processes, challenging your own assumptions and biases, you can ensure you are in a position to successfully keep and grow your teams.