The cybersecurity skills gap could hardly have come at a worse time. According to a study by the Centre for Strategic and International Studies (CSIS) focusing on IT decision-makers across eight major countries, 82% of employers have a shortage of employees with cybersecurity skills. Similarly, the 2019/2020 Official Annual Cybersecurity Jobs Report reported a 350% growth in open cybersecurity positions between 2013 and 2021.
By Russ Kirby, CISO, ForgeRock
Meanwhile, the threat posed by malicious actors is also growing and evolving. The head of the UK’s National Cybersecurity Centre warned in June that the danger posed by ransomware hackers to businesses and society now outranks the threat of cyberattack by hostile states. This echoes findings in ForgeRock’s own recent research, which found that UK ransomware attacks increased across all sectors in 2020, with the financial services sector being particularly badly hit, with a 471% increase in attack volume.
This confluence undoubtedly poses challenges: how can businesses build a strong – and crucially adaptable – cybersecurity team amid an acute skills shortage? I think a better perspective is to view it as an opportunity to take a new approach to hiring within the cybersecurity sphere, focusing on soft skills and personality traits rather than technical skills and experience, as a route to long-term resilience.
Using the Interview to Get Under the Hood
What does that mean in practice? The first stage of the process is usually reading CVs, but, looking through this lens, CVs aren’t that helpful. They tell you where someone studied and what experience they have, not who they are and how they operate.
So, I recommend using interviews to get a sense of who a candidate really is. Don’t treat the interview as a technical assessment. Instead, ask questions that tell you about the candidate’s personality type and their communication style. I like to go off-topic in interviews so I’m seeing the person rather than the practiced and polished professional. I ask questions like “If you won the EuroMillions, what would you do with the money?”
These kinds of questions might sound trivial, but they help answer perhaps the most important question of all: how would this candidate work and interact with the rest of my team and the wider business? In my view, having a well-functioning team that works effectively together is far more important in the long term for creating cybersecurity resilience than any single technical skill.
It’s not just a question of employees getting on with each other. Modern cybersecurity increasingly means building a culture across the business in which every stakeholder prioritizes data security and feels empowered to act. If you hire a team who are technically gifted but introverted, you’re going to struggle to engender that approach very meaningfully. Personality matters.
Soft Skills Have Hard Benefits
The interview can also be a good moment to identify those candidates who have the other most important attribute in my alternative to traditional skills-based hiring: solutions-focused adaptability.
It’s almost a cliché to say that technology is changing all the time, but it’s true. When I started my career, the skills we needed to do our jobs were very different from those needed now – and in five or ten years’ time they’ll be different again. If you hire inflexible candidates who have the single piece of experience you think you need today, you’re not building resilience for tomorrow.
Core knowledge of cybersecurity is of course necessary, but don’t be dazzled by CV unicorns over the promise of a candidate who demonstrates open-mindedness and the ability to apply their knowledge to problems in a proactive and inquisitive way. That kind of professional will take you away from having ad hoc technical skill gaps you need to fill and towards a team who can mold their work to fulfill any emerging need.
Problems and Pitfalls
Of course, this all sounds more straightforward than it is in reality. There are a number of common stumbling blocks, some of which are shared with the more ‘traditional’ approach to cybersecurity hiring – for example, inflated expectations on the part of junior candidates. Some unscrupulous recruiters feed ambitious young professionals’ fantasies about astronomical salaries and starting on day one in senior positions of responsibility.
My antidote is total transparency, from the very beginning of the process to the end. I include salary ranges in job descriptions and I’m always happy to discuss them in interviews. Candidates’ expectations might be warped by geographical disparities too. It’s not uncommon for a junior role in San Francisco to pay more than a senior position in the UK, but that’s a reflection of differing local economies and living costs – not a golden ticket.
A Roadmap to Success
As far as expectations about responsibilities and progression go, the best thing you can do is set out a roadmap for the candidate’s professional development over a number of years. Yes, they’ll start in junior position X but with Y years’ experience doing A, B and C tasks, they can expect to be in position Z.
Turning this plan into reality will require time and effort. You’ll need to arrange for them to shadow more senior colleagues in other functions and to build up experience across a range of skill areas. But, if you’re hiring adaptable and proactive candidates, the team member you’ll end up with at the end of the process will be stronger professionally and the team as a whole will operate more smoothly and effectively.
Some hiring managers may be reluctant to shift their focus from technical experience to soft skills and character traits. In normal circumstances, they’d be free to do so. But with those very technical skills in such short supply – and the need for well-oiled cybersecurity teams to be able to switch up and adapt to new threats – the case for a new approach is growing. Adjusting hiring practices now will help address the cyber skills shortage in the near term and create a more adaptable team over the long run.
About the Author
Russ Kirby has more than 15 years of experience in security and compliance for very large enterprise organizations as well as startups. Based in the UK, he is in charge of ForgeRock’s comprehensive security strategy that encompasses managing information technology, global risk and compliance and security operations. In his most recent role, Kirby served as CISO at CreditSafe, a global provider of company business intelligence. Before CreditSafe, he was at Hewlett Packard Enterprise Services in a variety of global security roles including head of payment card security strategy and global head of information security.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.