Recruiters looking to fill vacant cyber security roles cannot afford to wait around for the perfect “unicorn” candidate, and need to adopt a more pragmatic approach to hiring policy, according to data produced by security professional association (ISC)² in its 2021 Cybersecurity career pursuers study.
Based on the report, which was compiled from data from interviews with security pros and jobseekers, (ISC)² called on recruiters and hiring managers to adjust the tactics they use to identify external and internal candidates for cyber roles.
“One of the biggest challenges we have in cyber security is an acute lack of market awareness about what cyber security jobs entail,” said Clar Rosso, CEO of (ISC)2. “There are wide variations in the kinds of tasks entry-level and junior staff can expect. Hiring organisations and their cyber security leadership need to adopt more mature strategies for building teams.
“Many organisations still default to job descriptions that rely on cyber security all-stars who can do it all. The reality is that there are not enough of those individuals to go around, and the smart bet is to hire and invest in people with an ability to learn, who fit your culture and who can be a catalyst for robust, resilient teams for years to come,” she said.
Based on the near-universal lack of skilled cyber security pros, (ISC)² said more pragmatic approaches to building security teams might now be more appropriate, relying less on the recruitment of all-star talent with years of IT experience, cyber certifications and deep technical acumen.
Instead, it said, it is better to look more towards curating role-specific requirements, investing in the security team’s training and professional development, and upskilling and reskilling internal talent to translate more generalised, tangential skills into risk management and security know-how.
The report also found evidence of shifting pathways into cyber security careers. For example, while cyber pros do tend to be more highly educated than average, only just over half have a degree in computer science or information services, and less than half believe a dedicated security education is a prerequisite for a cyber career.
The sector also appears to be moving away from recruiting from IT jobs, with half of those with less than three years of experience in security coming from the IT sector, compared to 63% of those with three to seven years under their belts.
One factor that does remain constant, however, is that at some point a cyber security role will demand some kind of technical expertise, and the report also lists the most in-demand technical concepts that aspiring security pros should be able to grasp.
These are cloud security, data analysis, coding and programming, encryption, risk assessment and management, intrusion detection, access management, malware analysis, administration, and backup and storage.
In terms of soft skills, problem solving, and analytical and critical thinking are both highly sought after.
The full report can be downloaded from (ISC)², while Rosso will be discussing some of the trends and data in more detail on an upcoming webinar, scheduled for 18 May.