Hiring Managers: Be Realistic Around Cybersecurity Profiles

Looking for hybrid profiles that cannot exist is just fuelling the perception of a cybersecurity skills gap

Commenting on one of my LinkedIn posts, one of my readers mentioned “absurdly dissonant requirements” in CISO role descriptions, citing as an example “serve as the point person for contact with regulators; proficiency in Python, Golang, or similar dynamic programming language”.

Sadly, this is all too common, and I am sure most cybersecurity recruiters would concur: it is a situation that goes well beyond the anecdotal and reflects, in my opinion, a real dimension of the cybersecurity skills gap problem.

It is often the sign of a lack of understanding – or an overly simplistic view – of the transversal challenges around cybersecurity, and how it is actually delivered across an organisation.

Many hiring managers end up complaining of an acute cybersecurity skills gap after several months of search and countless hours of interviews, without realising that they are looking for hybrid profiles that never existed – and cannot be engineered, irrespective of current market conditions.

This is not new. As early as 2018, as we were working on our “First 100 Days of the New CISO” series, we were already commenting on the fact that many hiring managers “may not be sufficiently cybersecurity-savvy to frame and express precisely what they are looking for in a CISO”, leading to a sense of disconnect between expectations and reality for incoming CISOs, which in turn was fuelling their short tenure.

Since then, the continued acceleration of digital transformation pressures and the COVID pandemic have intensified the demand for cyber talent: now that every firm in every industry must be responsive to cyber threats, finding candidates with relevant cybersecurity skills is difficult enough; looking for an impossible skills blend is doomed to fail.

Another problem quite common with cybersecurity role descriptions is the level of experience demanded.

The cybersecurity profession, as we know it today, has existed for no more than 25 years in some industries (finance, pharma, energy), and for considerably less in many others.

It has evolved constantly over the past two decades, and continues to evolve, as we showed with the Security Transformation Research Foundation in 2019, but it remains a young field.

Insisting on 10 years of experience in middle-management or senior analyst positions ignores the history of the industry and the way people develop; it simply creates unnecessary barriers, fuels tensions on the recruitment market, and aggravates the perception of a skills gap, which is in fact an expectations gap.

Hiring managers have to be more realistic about not just the cybersecurity skills market, but the state of the cybersecurity industry at large. They need to give opportunities to younger profiles, simply because this is a young industry, and understand that they may have to offer packages to train, develop and retain cyber staff.

Finally, recruiters also have a role to play, in my opinion, in pushing back on unrealistic search specifications, or at least in educating hiring managers about the reality of market conditions and the skills structure across the cyber industry.
