Four challenges in finding cybersecurity talent and what companies can do about it

By Randy Purse, PhD, CD, CTDP

As Canada’s talent shortage remains relatively unabated, and cyber attacks continue to substantially increase, too many organizations continue to look at cybersecurity as an afterthought, rather than as a critical function to conducting business in the digital economy. The ongoing pandemic has highlighted the fact that regardless of sector, cyber skills are in demand. Companies of all sizes need to get a handle on the fact that recruiting qualified cybersecurity talent is table stakes in the digital economy – and their participation in addressing workforce development challenges is integral to Canada’s overall success in this field.

As Canada struggles to fill the cybersecurity talent gap, it’s clear that there are several common issues that must be addressed. Certainly, we need to do a better job at creating pathways for those interested in the cybersecurity field; but there are also a few things that employers themselves can do to help as well.

Below are four of the most common issues that we are experiencing across the cybersecurity labour market and the role employers can play in helping reduce the demand on this critical talent.

  1. Avoid unrealistic expectations.

Numerous employers are looking for cybersecurity employees for entry level jobs, yet are unwittingly asking for several years of experience. For example, one of the most requested certifications for entry level workers within the Canadian job market is the Computer Information Systems Security Professional (CISSP). Like most professional certifications, the CISSP demands that candidates “pass the exam and have at least five years of cumulative, paid work experience in two or more of the eight domains of the (ISC)² CISSP Common Body of Knowledge (CBK)”. By asking for this certification, employers are actually requiring five years of experience for an entry level role.

Cybersecurity aspirants need entry level roles through which they can learn and gain experience from others in their field. Asking for experience is certainly an employer’s right, but doing so for an entry level role creates a barrier to entry and is counterproductive to the growth of the field.

What can employers do? For entry level roles, create a job posting that is attractive to those who are coming out of cybersecurity training and education programs or have self-developed. The TECHNATION CareerFinder tool provides a job description writer that employers can use as a starting point to craft a job posting that is directly aligned with industry expectations.

  2. Asking for talent you do not need.

Related to the above is the challenge of employers asking for talent that they simply don’t need – either because they don’t know or because they’re thinking of potential scenarios where perhaps, someday, they might need that capability. We often see this when hiring managers ‘cut and paste’ job postings from other organizations. This has several negative impacts. For example, your organization is looking for someone to do the job of a cybersecurity operations analyst to help your IT team out with traffic analysis. At the same time, you think it would be good if they were able to do digital forensics, even though you realize that it is very unlikely that they would have the opportunity to use those skills very often. This is similar to you asking to see an ear, nose, and throat specialist to get advice on preventing the common cold. Not only do these capabilities come at an additional cost, including organizational costs for the tools and systems that a digital forensics analyst uses, but it is unlikely that a highly qualified specialist will be impressed spending most of the day conducting traffic analysis and adjusting security settings. The larger impact is that you are drawing down on a very limited and specialized talent pool.

What can employers do? Conducting even a cursory job analysis to identify the required work tasks will help ensure that job postings reflect what is needed, versus ‘nice to have’. The TECHNATION CareerFinder job description writer can help in the creation of job postings for a wide range of roles within the cybersecurity team. If you plan to scale up your team, then feel free to add additional qualifications and certifications, but in the process make it clear that you are looking for someone to help you build this capability. You should also consider what additional leadership or managerial competencies might be needed within your hires.

  3. Asking for technical cybersecurity expertise when it is not required.

There are many jobs within cybersecurity that require specific technical expertise or qualifications. However, there are as many cybersecurity ‘adjacent’ roles or generalist roles where some knowledge of cybersecurity is needed to perform the role, but cybersecurity technical skills are not required. If, for example, you require someone to run cybersecurity training and awareness within your organization, this typically does not need a cybersecurity qualification, but rather the emphasis should be on competencies needed to develop and manage effective and efficient training. Asking for technical skills that aren’t needed for the role may:

  • Cause you to ignore someone with ideal role-specific skills needed for the job;
  • Result in the recruit being dissatisfied with the lack of use of their technical skills; and
  • Draw down on the technical talent pool within the labour market.

What can employers do? Carefully consider what organizational capability or function you are trying to fill. Use the TECHNATION-developed Cybersecurity National Occupational Standard as a reference point for defining adjacent and generalist roles to help identify the primary competencies needed for the desired role.

  4. Discounting candidates that may not (yet) have a formal credential.

It is not a myth – there are individuals who have literally become cybersecurity experts on their own without any formal training. Despite evidence of attaining cybersecurity knowledge and skills, because they lack any formal credentials, these individuals often are discounted by employers from opportunities where they may be a good fit. A credential is only one indicator of an individual’s capability and capacity to do the job. If removing a credential from a job posting would open up a whole other stream of potential applicants, would you be interested? There are many who aspire to cybersecurity jobs but are limited because they have not had access to the right education or training. There are many other ways that you can assess the talent of an individual, particularly one who has demonstrated the motivation to work in cybersecurity, an interest in continuous learning, and the drive to develop this type of expertise on their own. Are these characteristics your company would value? It’s very likely.

What can employers do? The TECHNATION CareerFinder Job Description and the National Occupational Standards can help. Even if formal training and education are suggested, you can use the information in these documents to inform your job description. Instead of making credentials ‘essential’, suggest that they are preferred. In the absence of a credential, indicate that ‘evidence of relevant experience and skills will also be considered’. If during the selection process you are concerned about their ability to perform in those tasks, there are various mechanisms such as online assessments, peer assessments, probation periods, performance agreements, on-the-job assessments – and more – that you can use to ensure that you have the means to assess and manage their performance.