What if the current handwringing around a cyber skills shortage was overdone? What if the problem facing cybersecurity isn’t the lack of the right training or the correct academic degree, but the failure to apply the best lens through which to assess those entering the field?
This question urgently matters for business and our country because last month the federal government launched a $26.5 million grant scheme to support the cybersecurity workforce. Companies are scrambling to understand what skills they need to bolster their cybersecurity capacity.
Hats off to the government for recognising the importance of Australia’s cybersecurity workforce and actively working to strengthen it.
But who exactly is this workforce?
Almost every company in Australia needs to know the answer to this question because it will influence whether we have the right workforce in place to handle our cybersecurity future.
And here’s the answer: it’s probably not who you think it is.
If the first image you have in your mind is a hoodie-clad basement dwelling hacker with a sticker bedecked laptop, pizza in hand, you’re thinking of only a small part of the actual cybersecurity workforce.
Sure, these people exist, but after three decades in the industry, I’d argue that very few of today’s cybersecurity luminaries took anything that remotely resembles what most people would consider a normal cookie cutter path into this industry today.
Here’s the reason cookie cutter doesn’t cut it: cybersecurity is an ever-changing landscape of threats, challenges and opportunities that requires adaptable, fluid and creative thinkers and doers. It also requires a mix of people who are good with other people, diplomats and those calm headed in a crisis.
Well-rounded humans have thrived in cybersecurity from the beginning because while coding is literally binary, cybersecurity is not. In the face of a cyber degree explosion, we’re still hiring humanities grads, lawyers and those told they must learn to code but never did, because the optimal cybersecurity team is a truly diverse one.
As the old adage goes, “science can tell you how to bring dinosaurs back to life, humanities can tell you why not to”.
I’m writing this now so that we don’t have a deficit of these kinds of people later because we fall into the trap of being too afraid to hire outside the box. What we’re seeing is too many organisations looking to close the cybersecurity resource gap the wrong way. Instead of diversifying their hiring set, they are narrowing it.
Ultimately, it’s a diversity of thought and perspective that gives the balance, depth and insights to crack the problem.
Here are some tips for building this diversity in a cybersecurity staff.
- Start with referrals from people you know and trust, and the people they know and trust.
- Avoid narrowing your search to the same people with the same cybersecurity degrees or backgrounds. An army of clones is a predictable foe.
- Forget about perfect. Instead, ask if you can build upon this person and skill them up in the areas that their background or experience is lacking.
- Even if specific technical requirements are indeed a part of the hiring criteria, on-the-job experience should usually outweigh professional certs and degrees.
- Age is no indicator. We’ve hired people as young as 21 and seniors. Different learning styles and different perspectives are all valuable contributors
- Remember to write your job description carefully, and avoid gender-charged terms like empathetic, or aggressive.
- Don’t use the same job description for a recently vacated role. The former employee whose role you’re trying to fill likely grew into that job and you want their replacement to do the same, so you may actually need to delegate some of the responsibilities the former employee had taken on during their tenure.
- If you’re using a recruiter, ask for all the resumes (sometimes the recruiter’s filters and personal biases mean you may miss the right candidate).
- Work closely with your Talent Acquisition (TA) team. We have our our TA team annotate every CV with their thoughts, and the hiring manager reviews almost every application.
Get the interview right
- Stay consistent with your interview questions, don’t rely solely on gut feel.
- Look for evidence of empathy, awareness, innovative thinking, creativity and problem solving.
- Ask what they do in their time off and how they keep across what’s happening in the cybersecurity industry.
- Probe a little to see if someone expresses a strong opinion on cybersecurity and then see how they handle this expression — are they impassioned, excited, engaged, expert or too over-the-top?
- Identify the non-negotiable skills and test for them. One of our specific tests? We test to see if people can really write.
- It takes a panel. Never let one person do all the interviewing.
Hiring cybersecurity talent from within
- Consider using staff from other departments if you have them. Try them out. A secondment is a great opportunity to see how someone performs on the cybersecurity coalface.
- Think hard about whether you actually need to hire. You might be able to get better use out of what you already have, both people and tools. There might also be jobs that are better outsourced.
- If you do need someone to hit the ground running, think about further delegating parts of the role to lighten the load for a new starter. If that’s not possible, maybe you need a consultant.
The future of cybersecurity talent concerns all of us and we need to get it right.
Cybersecurity is broad and we need our approach to cybersecurity talent to be broad too.