According to Cisco, there are currently 1 million vacancies for information security professionals. Symantec predicts that, by 2019, there would be more than 1,5 million such vacancies. The high demand for cyber-security expertise complicates the process of hiring properly qualified employees. To illustrate, in Israel, job seekers interest in cybersecurity positions meets 28.4% of the employer demand for such positions. In this article, we provide guidelines on how companies interested in attracting cyber-security talent can find (Section 2), select (Section 3), and hire cyber-security professionals (Section 4). In the end, a conclusion is drawn (Section 5).
2. Finding cyber-security experts
In the light of the observations mentioned above, one can reasonably argue that most experienced cyber-security experts are employed. Hence, the publication of job offers on job search websites is likely to attract inexperienced candidates who are searching for entry-level positions. While such candidates can be suitable to join large cyber-security departments as entry-level staff, they will not be of much value for organizations searching for people who will be on the front line of their cyber-defence. Another method that is unlikely to attract talent is approaching people in professional social network websites (e.g., LinkedIn). Since most highly-qualified cyber-security professionals having profiles on social network websites receive daily requests for job interviews from HR officers, they are often reluctant to participate in interviews.
Below, we discuss three methods for finding cyber-security experts which are likely to be successful, namely, approaching candidates in universities, training courses, and public events. Each of these three methods will be examined in more detail below.
Last year students enrolled in disciplines, such as information security and computer science, often have extensive working experience and actively look for job opportunities to complete the transition from academic to professional life. This makes universities a pool of qualified and available workforce. In this regard, a representative of the Seattle-based company f5 noted: “It is surprising the level of talent you can find at a university, I’ve seen people applying for an internship that could easily be a senior software engineer.”
B: Training courses
Cyber-security professionals willing to keep up to date their skills often attend specialized classes. Such classes provide talent-seekers with the opportunity to meet and discuss job opportunities with highly qualified people interested in a wide variety of cyber-security areas. For example, InfoSec Institute offers more than 95 online and offline courses in fields ranging from introduction to information security to secure coding for C/C++. Since its establishment in 1998, the organization has trained over 15,000 individuals.
C: Public events
Public events, such as hackathons and information security conferences, allow recruiters to meet with potential employees in person and informally discuss job opportunities. Such discussions may often be a substitute to job interviews. Jason Collins, the director of the software developer Quick Left, described the recruitment potential of hackathons as follows: “At a hackathon, if a team is constantly hitting a wall and there is someone who is constantly bringing new ideas–that’s someone who could be good for the team.”
3. Selection of candidates
After identifying job applicants, employers need to pass through another tough stage, i.e., selecting the right job applicant. The complexity of this stage is caused by the fact that people who do not have expertise in the field of cyber-security are not suitable for selecting cyber-security experts. Since cyber-security is a very specialized field of computer science, the average HR officers will not understand the meaning of indicators of experience, such as “Microsoft Certified Solutions Associate (MCSA) Certification” and “Microsoft Certified Solutions Expert (MCSE) Certification.” Obi Ogbanufe points out that, to become a technical recruiter, one usually needs to have the following qualifications: (i) Bachelor’s degree; (ii) 2+years recruiting experience; (iii) excellent communication skills; (iv) knowledge of MS Word, Excel, Outlook, and the Internet.
Because most recruiters (even technical recruiters) do not have technical backgrounds, companies willing to make sure that they make a good selection of job applicants need to either involve cyber-security experts in the selection process or hire external HR consultants who specialize in the field of cyber-security. According to Ayub Shaikh (author of a book on IT recruitment), a skilled recruiter would be able to quickly assess the suitability of an applicant for an IT job. More specifically, Mr. Shaikh states:
“Thirty seconds is all it should take for you to scan a programmer’s CV… and understand what it is all about. What they do, which part of the application this candidate has developed and whether they are truly the super-creators of elegant code that they claim to be.”
The people selecting job applicants need to take at least three factors into account, namely, academic degrees, certifications, and working experience. A discussion of these three factors follows.
A: Academic degrees
Nowadays, an academic degree in the field of computer science or a related discipline is not a prerequisite for working as a cyber-security specialist. However, such degrees clearly show that the candidate has a general educational background which allows him to quickly acquire cyber-security skill-sets.
Undoubtedly, a degree in cyber-security is the most suitable academic degree for an individual applying for a job in the field of cyber-security. Various universities offer such degrees. For instance, the American Military University in West Virginia offers a Master program in Cyber-security Studies, whereas Carnegie Mellon University in Pennsylvania offers a Master program in Information Security. Some of the academic programs are fully online. The University of South Florida (USF) offers an online Master program in Cyber-security. The program includes courses in information assurance, cyber intelligence, and digital forensics.
Certifications are clear indicators that the candidate has theoretical knowledge about specific areas of cyber-security, e.g., incident response, reverse engineering, and computer forensics. Certifications also indicate that the candidate is motivated to learn and develop in the field of cyber-security. According to Forbes, 35% of cyber-security jobs call for an industry certification, whereas only 23% of IT jobs require such certification.
We will briefly discuss four of the most popular cyber-security certifications. Namely, the Certified ethical hacker (CEH), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM), and Certified Ethical Hacker (CEH).
Certified ethical hacker (CEH) indicates that the certified persons has the ability to identify weaknesses in computer systems by using the tools used by unethical hackers. By identifying such weaknesses, ethical hackers help organizations to avoid becoming victims of cyber-attacks.
Certified Information Systems Security Professional (CISSP) indicates proficiency in a large number of cyber security domains, including, but not limited to, telecommunications and networking, cryptography, access control, security models and architecture, and security management practices. Since CISSP requires extensive knowledge in a variety of domains, it is often regarded as the crown of cyber-security certifications.
Certified Information Security Manager (CISM) demonstrates that the certified person has the ability to develop information security programs and respond to information security incidents.
Certified Information Systems Auditor (CISA) attests that the holder of the certificate has the ability to identify and eliminate vulnerabilities in computer systems.
C: Working experience
Working experience is the most important factor which recruiters need to consider before making their final decision. It not only shows that the candidates possess certain skills but also demonstrates their ability to quickly and effectively resolve practical issues.
If a candidate does not have actual working experience, recruiters need to consider whether he/she puts efforts to acquire practical experience through do-it-yourself activities. Such efforts will indicate that the candidate is strongly motivated to apply his/her theoretical knowledge. Stephen Tullos, manager at My IT (an IT firm in New Orleans, Louisiana), stressed the importance of do-it-yourself activities by stating: “When we interview inexperienced applicants who have the ‘book smarts,’ a home lab shows passion, hunger, and hands-on knowledge.” In a similar vein, Ben Landers (CEO of the digital marketing company Blue Corona) noted: “Build something. Buy some servers or get some donated from a company and do something with them. The best way to learn is often to stop contemplating and to take action.”
Ethical Hacking Training – Resources (InfoSec)
4. Hiring cyber-security professionals
Once the job applicant is selected, the employer needs to complete the final stage of the hiring process, i.e., preparing and signing an employment agreement. A short-term agreement or a low remuneration may lead to employee’s refusal to enter into an employment relationship even if the employee has verbally accepted the offer. Furthermore, competitors may later use the unattractive contractual terms to persuade the employee to join their businesses. In this context, it is worth mentioning that many countries restrict the applicability of non-compete clauses, thus increasing the competition between companies for highly-skilled workers. The fierce competition has led to a significant increase in the salaries of experienced cyber-security experts.
The IT job board DICE noted that the average salary of a lead software security engineer is USD 233,333. According to Silverbull.co (a U.S. company specialized in IT and cyber-security recruiting), the average salary of a chief information security officer (CISO) is USD 204,000. IDC, a market intelligence firm, predicts that by, 2018, 75% of chief information security officers (CISOs) and chief security officers (CSO) will report directly to chief executive officers, not the chief information officers. Thus, the CISOs and CSOs will join the group of the highest-level executives, such as chief operating officers and chief financial officers. We can expect that the salaries of CISOs and CSOs will increase in line with the increase of their rank.
In the recent ten years, there has been a steady increase in the number of job offerings in the field of cyber-security. Organizations prefer to pay hefty salaries than becoming victims to cyber-attacks which may not only cause financial damages but also harm their reputation. More and more organizations start to realize that the careful selection of cyber-security experts is as important as providing them with good compensation packages.
In this article, we provided recommendations on how organizations can find, select, and effectively hire cyber-security professionals. The recommendations can supplement recruiting strategies. Such strategies, if well prepared, can avoid weak hires and wasted resources.
1. Dickson, B., ’10 Hot Cyber Security Certifications for 2017′, ITCareerFinder, 5 October 2016. Available at http://www.itcareerfinder.com/brain-food/blog/entry/10-hot-cyber-security-certifications-for-2017.html .
2. ‘Indeed Spotlight: The Global Cybersecurity Skills Gap’, Indeed.com, 17 January, 2017. Available at http://blog.indeed.com/2017/01/17/cybersecurity-skills-gap-report/ .
3. InfoSec Institute, “Our History”. Available at https://www.infosecinstitute.com/company .
4. ‘IT recruiting: Where to find top IT talent today’, Highfive. Available at https://highfive.com/blog/it-recruiting/ .
5. Kauflin, J., ‘The Fast-Growing Job With A Huge Skills Gap: Cyber Security’, Forbes, 16 March 2017. Available at https://www.forbes.com/sites/jeffkauflin/2017/03/16/the-fast-growing-job-with-a-huge-skills-gap-cyber-security/#52440cfe5163.
6. Moreira, P., ‘Ace the IT Interview‘, McGraw Hill Professional, 2008.
7. McGrew, W., ‘The Victims of Cyber Security Training’, CIO, 23 May 2017. Available at http://www.cio.com/article/3197681/security/the-victims-of-cyber-security-training.html .
8. Morgan, S., ‘Top Cyber Security Salaries In U.S. Metros Hit $380,000’, Forbes, 9 January 2016. Available at https://www.forbes.com/sites/stevemorgan/2016/01/09/top-cyber-security-salaries-in-u-s-metros-hit-380000/#4431916c7ef8 .
9. Mulder-Williamson, K., Taylor, E., ‘Simplify Social Media for Recruiting: A Step-By-Step Handbook for Implementing Social Media’, iUniverse, 2013.
10. Pankl, E. (Ed.), ‘Recruitment, Development, and Retention of Information Professionals: Trends in Human Resources and Knowledge Management: Trends in Human Resources and Knowledge Management’, IGI Global, 2010.
11. Schmidt, P., ‘Don’t Sweat It… Hire It!: An A to Z Guide to Finding, Hiring and Managing Home Improvement Pros’, Creative Pub. International, 2007.
12. Shaikh, A., ‘The Complete IT Recruitment Survival Guide: The Definitive Handbook for IT Recruitment Consultants, Resourcers and HR Professionals’, Troubador Publishing Ltd, 2012.
13. Ogbanufe, O.., ‘Technology Made Simple for the Technical Recruiter: A Technical Skills Primer’, iUniverse, 2010.
Rasa Juzenaite works as a project manager at Dimov Internet Law Consulting (www.dimov.pro), a legal consultancy based in Belgium. She has a background in digital culture with a focus on digital humanities, social media, and digitization. Currently, she is pursuing an advanced Master’s degree in IP & ICT Law.