The Information System Security Certification Consortium (ISC2) recently released a report which said that there is a void of cybersecurity talent worldwide, with approximately 3.1 million professionals needed within the field to bridge the gap and meet security requirements. We asked Natlee Green, our global director of Human Resources, for her pulse on this and what follows is an astute and insightful account of how we can all respond to the call for more talent in this industry.
I started and led the Human Resources departments for three different cybersecurity companies during the past five years. I have hired over 200 people from different backgrounds with various experiences and skillsets. I have increased employee headcount by more than 150% in as little as six months at each company. My experience as an HR leader in cybersecurity has been quite an adventure. The people I have had the pleasure to meet, hire, and work with along the way have been some of the most innovative and driven people that I’ve ever encountered. I’ve not witnessed a shortage, if anything there is an abundance of talent, I just haven’t had the chance to meet them all yet – although not for lack of trying!
The fact of the matter is that there are more than enough qualified people to work in cybersecurity at all levels. One of the mistakes that I have seen is companies requiring a specific education level and industry-standard certifications for entry-level positions.
When I initially began to search for cybersecurity talent five years ago, I asked the hiring managers what experience the ideal candidates should have. For the most entry-level position, the answer was almost always the same; they wanted to see candidates with a bachelor’s degree in technology and at least one industry-standard certification. For them to even look at a candidate applying for a mid-level position and a six-figure salary, they wanted the job to require a master’s degree and at least two certs!
One dilemma that I faced in a previous position, was that most of the candidates who applied with those kinds of credentials weren’t interested in the entry or mid-level pay offered. They knew their value and demanded top dollar. The hiring managers were so desperate for that level of talent that they’d pay way more for the position than what was warranted, only to lose the employee a few months later to a competitor who’d pay a 25% higher salary and give them an inflated title. Candidates with the relevant degrees and at least one cert knew that the demand was high for them, and some of them took full advantage of the situation. I can’t say that I blamed them.
It was incredibly frustrating to find and hire the right talent and try to retain them in such a competitive industry. So, I had to think of some creative ways to source the right talent. I also had a goal to reduce the cost associated with recruiting talent that would stay in a position they were overqualified for just long enough to get poached by an outfit with more money.
I decided to start a 90-day paid internship program to recruit people who had a passion for cybersecurity but did not have a degree or a certification. They didn’t even have to be in school I’d bring the interns on board and have them spend 90 days learning everything they could about the role they wanted. Pending a positive review at the end of the term, I would hire the intern as a full-time employee. Over the next 90 days in their entry-level position, I would require them to study for and pass a cybersecurity certification test to get promoted again.
Every few months, I had employees who started with the company just a few months earlier with no experience, training a new set of interns with this plan. By the time they were teaching the new interns, their resumes had shown six months of cybersecurity experience and an industry-standard certification. Add to that, they were now able to include training to their experience, setting them up for a stable career in the field.
The internship program accomplished two important goals. First, hiring individuals who just wanted a chance in the industry was not very expensive. While many people offered to work for free, it was not our intention to get free labor just because we could. With that said, we saved significantly on salaries by employing interns.
Second, retention rates increased. In large part, interns who became employees and received a promotion in their first year on the job had a sense of loyalty and were not easy to persuade to jump ship. A few more dollars didn’t appear worth the risk of losing the support they experienced during their first year.
This example is just one of several initiatives that I implemented, which was designed to develop and support talented people who wanted to break into the cyber world. I hired people who were previously bartenders or worked at electronics stores, who held degrees in horticulture or maybe didn’t finish college at all, who are currently senior-level players in the cybersecurity industry.
People in charge of hiring cybersecurity talent must recognize that talent isn’t necessarily based on degrees, certifications, or even previous experience. The best cybersecurity professionals are those who have a passion for it, who thrive on learning and teaching others how to become better at what they do.
I’m excited for the programs we are pulling together under the new CyberClan Academy to help provide the environment for training and growth! There isn’t a shortage of cybersecurity talent; there are many people out there with the drive and determination to not only succeed in the industry but to excel and innovate with others; they need the chance to prove it.