In today’s world, organizations are constantly on the verge of getting attacked by cybercriminals. Attackers don’t care about the size, location, or even industry of their target. In fact, the latest statistics by the Verizon Data Breach Report reveal that 43% of attacks target small businesses.
In 2019, we saw information from thousands of Capital One clients be exposed, municipalities all around the country falling victim to ransomware, and a major data breach to the American Medical Collection Agency, a massive health-care-related debt collector, exposed some of the most intimate information of families across all sectors of the economy. As daily occurrences demonstrate the risk posed by crafty attackers, from individual, malicious hackers, to professional and organized groups of cybercriminals, boards of directors must take on the task of ensuring the organization understands the cyber risks they are facing and how to respond.
Hiring cybersecurity professionals with the same outdated skillset is a recipe for disaster.
Cybersecurity is no longer “the IT department’s problem,” it is a business issue. If you want your organization to be prepared to manage in an effective way your cyber risks, then you need to put in place the right governance and the right supporting processes, along with the right enabling technology and a diverse workforce.
There is a common misconception among business leaders “we are safe as long as we invest in best-in-class security tools”. But the reality is that effective cybersecurity is less dependent on technology and more dependent on humans using it. The adage of “People, Process, and Technology” holds as true today as it ever has… People are #1.
Overcoming the Challenge of Hiring Cybersecurity Professionals
While best-in-class tools are essential for basic security, they are not the most important piece of a comprehensive, robust cybersecurity strategy. In fact, tools should be a participant, not the driver, of an effective cybersecurity plan. A solid program starts with developing a diverse, talented line of cyber-defense. You guessed it! We are talking about humans.
The human factor is and remains, for both IT professionals and the end-user, the weakest link in relation to cybersecurity… any type of security for that matter.
Once an organization understands the need of hiring experts to take care of their cybersecurity plans and policies, they face a new challenge: finding the right candidate! Cybersecurity is a field that has over 500,000 vacancies in the United States, too many for too few candidates.
It’s so hard to find the right person for this role that, according to ISACA, 55% of organizations take up to 3 to 6 months to fill a cybersecurity vacancy, while 32% can spend even more time to find the right candidate, and what’s even worse is that almost 30% claim they cannot fill their empty positions at all.
CyberWarrior Academy has tips to improve your odds of success:
- Take time to fully understand business needs and what defines the right candidate. It’s very common for organizations to struggle to find the talent because they aren’t clear on the job description nor on the responsibilities and goals of the role. To avoid wasting time hiring the wrong candidate, it’s highly recommended to consult the NICE Cybersecurity Workforce Framework (NICE Framework) as a starting point to identify which exact Cybersecurity role you are sourcing for.
- Offer career growth opportunities to attract and retain talent. You want people who aspire to keep growing, to improve their knowledge and skills, and who have a burning desire to change their lives and that of their extended family. Offer them a clear growth path with defined metrics and goals so both parties know what they are up to and when someone is ready to move forward to the next level.
- Incorporate cybersecurity experts in your organization’s decision-making process. When hiring someone for a cybersecurity job, you first need to recognize that they are there to help your organization mitigate risks, if you are willing to hear and follow their advice then you need to set the expectations and their responsibilities in their hiring process. Let them know that they will be an important contributor to the senior leadership team – it will create greater engagement and loyalty to the business.
- Offer continuous training. Cybersecurity is constantly evolving, and attackers are developing new and more sophisticated ways to penetrate the security of organizations around the globe. As a leader, it’s in your best interest to have staff that’s fully aware of new risks and how to mitigate them. Offer them continuous training to update their skills and knowledge. CISA explains that it’s very common for employers to sponsor their employees in the pursuit of advanced degrees and industry certifications. “Accepting an entry-level position and gaining practical work experience while earning additional credentials is a win-win for both sides. The individual is paying little to enhance their qualifications, while the organization is investing in skill strengthening of its human capital.”
- Consider an attractive compensation package. In a field with this level of competition, it’s a must for companies to offer a very attractive compensation package and to retain the employees they fought so hard to find. When developing cybersecurity compensation plans, keep in mind it’s not only about monthly salaries, but other benefits such as attending conferences, local networking events, and a bonus schedule.
The key element of your cybersecurity strategy is understanding that even the most sophisticated tools won’t work if you don’t have a team trained to use them. The human factor is the most important piece of success in this field. Moreover, consider the value and impact of hiring diverse candidates to fill the vacancy in your organization. The cybersecurity workforce gap is big and there are large groups of underemployed individuals with a lot to offer.