Hacking the Cyber security skills shortage
Shirin Fahri, Cyber AppSec & PenTest recruiter at Outsource UK, gives her opinion on how to hire in a candidate-short market
Hearing about the Cyber Security skills gap is becoming for me like hearing about Brexit. We know it’s a problem but we’re fed up of hearing about it; we stick our head in the sand or jump on the bandwagon to crusade for businesses to consider employees from other talent pools.
Diversity in InfoSec is something I feel very strongly about and I have supported a number of service leavers into the industry as well as a number of women. At the same time, there’s another issue in the industry that not so many people are talking about.
After a recent article and skills matrix published by someone that I respect very much, I have started to see a few more comments about it, mostly though from hiring managers launching shameless self-promotion campaigns, and some recruiters doing the same! I am aware of the irony here, but those of you who know me know that I love a bit of that.
For those of you that don’t, I’m about to launch into a brutally honest, hopefully insightful, rant as to why understanding these skills is just as important and what I believe from my experience in hiring we can start doing about the lack of it. Bear with me if you can. These are the problems that I see every day; impacting an organisation’s ability to hire, and a lack of technical knowledge is a huge part of that.
Communication and Teaching Others
Some companies either don’t have budget for, or prefer not to use recruitment agencies. They have in-house teams or HR to perform search & select processes, to write job descriptions, and in some cases they also do the initial ‘screening’ interview with applicants. This makes sense; hiring managers are busy, and recruitment is about 1% of their job so it needs to be done by someone else.
What we often forget is that there’s a bit of a conflict here:
- Hiring managers and their teams have the need; they are where the pain point is. It’s those guys and girls at the coalface who are directly affected by having a vacant position on the team.
- HR and Talent Acquisition also want to fill that position; they’re often given targets based on doing so but they’re bloody busy. They, unlike me, have to fill one hundred positions in that business from Administrator to CISO and they have another ten hiring managers nagging them about their vacancies. People have approached me about internal positions and agency recruiters joke that they are ‘failed recruiters’, but there’s no way on earth I’d do that job.
The problem then is that even if a company can offer a great package and working environment, in-house recruitment teams simply don’t have time to learn about the skills each technical role requires. I’m not saying that some don’t learn – but it’s usually in businesses that have enough funds to allocate people to specific requirements who in turn have the time to do this. That’s where we come in, but like I said, where we’re talking about the Public Sector, start-ups and others with budget restrictions that would rather allocate what cash they have to securing all of the things, it’s not always possible.
This is where Mark Carney’s Skills Matrix is an absolute dream! It tells you exactly what skills are needed for each role. He’s updating it regularly, but right now it is still an excellent way to support someone you’re working with. If you’re a technical person reading this, send it to your Talent/HR team.
I think wherever possible it does wonders for the candidate experience if someone at the first point of contact makes the effort to learn about what they do. Where there isn’t time, this will help them on their way.
And if you do have the time, sit down with them, when you give them the vacancy brief, explain these concepts to them. It’ll save everyone so much time and frustration.
Job advertisements…I mean really?
*Deep breath*, I’ve seen some awful ones. This follows on from the idea of understanding the people you’re trying to hire but it’s worth a mention on its own. I took what we call a ‘qualification call’ for a vacancy last year and I asked, after taking a long list of what they wanted, “why would people want to work at JoeBloggs Ltd?”. The response was, “I don’t know, what do Penetration Testers usually look for in perks and benefits?”. I mean, I was flattered that they valued my opinion but firstly, if you don’t know and you own the company, how on earth do you expect people to apply? Also, alarm bells ring when I hear things like this; it’s sometimes a lack of understanding about the recruitment process, but my main concern is that they’re just about to make a load of stuff up off the back of what I’ve said people tell me they want.
Job descriptions and job advertisements are two separate things; keep your list of ‘wants’ for your back office team. If your job advert starts with a list of desired experience, it’s not attracting anyone. It’s important to set a standard for what type of applicant you want but there are a few basic things that you need to know:
- In a SKILLS SHORT industry, where your target audience is more desirable than your job – what can you offer them?
- What skills are actually needed to get the job done?
- Who decided these skills? Were they taken from an old job description/a CV of a current employee or more importantly, an assessment of what actually needs doing and what can be taught on the job or quickly picked up?
Too many times I’ve seen companies do this too late in the process where they feel like they are compromising because they haven’t found anyone and by then they’ve been looking for 6 months. Everyone I speak to about the role says something along the lines of “ah yeah, JoeBloggs Ltd, they seem so desperate to hire, something must be wrong there”. We’re dealing with an industry of people who are trained to be paranoid!
- Does it really matter if they have a degree from a red brick university, or any kind of formal education for that matter, as long as they have those skills? Remember to note where conscious or unconscious bias creeps in…
- Do you really care if they aren’t acronymed-up to the eyeballs if they can do the job?
- If you were looking for this job, what would you want to know? E.g. Security Consultants always ask me for utilisation rates but I’ve yet to see one on a job advert. (Yes, we know this can vary, but an approximate or average from this year’s scheduling is fine.)
I could wax lyrical about this but this was only meant to be a short blog post! If you want to know about this in lots more detail and learn how to make sure you’re not alienating any potential candidates speak to Outsource UK’s Inclusion & Diversity Lead, Claire Farrow.
Honesty during the recruitment process
You’d think this was an obvious one but so many companies start to bend the truth, or even worse lie to candidates, because they are so desperate to hire people that they’ll do anything to get people in the door.
I imagine this is in large part due to the competitive nature of the industry. It’s a candidate’s world where skills are in short supply, but this is not the best way to hire. You’ll get found out. Being so skills short, people in the industry talk and your company name will be dragged through the mud faster than you can say ‘we have a great work-life balance and will make sure you get research time’.
If your utilisation is high because you’re short of staff or you’re growing the team, then be honest about it; it’s perfectly reasonable that things aren’t amazing in your business all of the time! If you know that your interview process is a bit drawn out, tell them; people are usually fine as long as they’re prepared and you’ll keep their interest a lot longer rather than going radio silent (which is also just rude) and giving them the excuse to interview elsewhere in the meantime.
There is no perfect job! People understand that, so be open about things you’d like to improve, because in such a candidate-short space, they don’t need to stick around anymore if they find out you’re lying, and your retention rate will suffer.
From an ethical perspective, it’s an awful thing to do, to be honest. I had the misfortune of working with a company last year who told me that they were working with a cutting-edge, advanced, Red Teaming automation tool that would actually simulate targeted attacks and rule out false positives. This sounded innovative and exciting, so we told people about it and they hired a very talented Security Consultant… It turned out to be a very well-known automation tool. The employee realised very quickly that they had fed us all a load of rubbish; the candidate, who’d been promised a highly technical role working with groundbreaking technology, naturally wanted to leave within a few weeks. I promised you brutally honest so here’s a bit of insight into how recruitment works if you aren’t aware already:
If a candidate leaves within what is called the ‘rebate period’, we usually pay a portion of the fee back to the company, so most consultants are encouraged to mediate and try to support the retention of staff. I’m happy to do this where I think a resolution can be found. I won’t though, for a business that is dishonest and thankfully at Outsource, I’m supported in this. I completely agreed with this person’s decision; they left the business, we paid the fee back, and I helped them to secure a new role.
Don’t be that business! I can’t imagine they’ll get a strong PenTest Team up and running for some time.
‘Cyber’ is NOT a niche!
My colleagues reading this will be nodding or laughing but it’s true, people! If you’re an internal Talent Acquisition Manager, a Hiring Manager, or a HR Manager and you’re using an agency that says they have a ‘Cyber Security Specialist’ recruiter and wondering why you’re not filling your vacancies, you need to call BS!
Cyber Security is an enormous area of differing expertise. If they have one person or even three that say they are recruiting in the ‘niche’ that is Cyber Security, they must be absolute geniuses. I have been working in this space for three years and have a reasonable grasp of what everyone does and where their roles sit within a security function, but there’s no way on earth that I could keep a constant network of professionals at my fingertips and understand in enough detail what they do to show them the respect they deserve if I tried to work every cyber vacancy going!
I recruit exclusively in AppSec and PenTest. This makes sense to me because they cross over a lot (or at least they should do if you’re doing it right) and I love it. Both areas of security interest me and I like to think I know enough about the skills that are required not to insult the potential candidates I’m contacting. I also have a good awareness of what it takes to do these jobs and I genuinely care about the people in these fields – not just because I have ethics and have made lots of friends over the years, but because some of these people are protecting me every day.
This is not an exaggeration, they protect me from loss or theft of data in the web and mobile applications I use, they keep my card details safe when I buy things, they protect the networks of companies that hold my data, they protect my company from data leakage and theft and they protect the critical infrastructure that I rely on to keep me alive on my commute to work – to name but a few things!
Working in a small part of the Cyber community means I am well placed to help the companies I work with find the best people, and the candidates I work with to take the next best step in their career. I couldn’t do this if I suddenly started to work Cloud Security vacancies, or Incident Response roles - we have other people in the team that do that.
In all honesty and this is where it gets brutal…I only know of two recruitment agencies in the country who encourage this way of working and have a good model for cyber security recruitment, Outsource UK who I work with now and – get ready because I’m actually about to recommend another recruitment company here – Advanced Resource Managers (where I was trained by Ryan King).
Unfortunately, lots of companies jumped on the skills shortage bandwagon and the market is saturated with ‘specialists’. And that’s a huge contributor to the struggle to hire.
Solutions, not problems
So what can we do about it, to help, even a bit? Well, on the evening of Thursday 9th May, we’re bringing together some of my favourite people at our SkillSec event to offer FREE guidance to employers and employees at 111 Piccadilly, Manchester.
There is one small caveat to this event: If you attend and you meet someone there that you interview… we’d like you to please donate to either The InfoSec Hoppers, who’ll use the money to sponsor someone who can’t afford it to go to a security conference. Either that OR to an organisation of our choosing that will pay for someone without the means, trying to up/cross skill to take a training course or sit a qualification. More details of this to come.
And if you’d like to know more, let’s connect! You can get me at email@example.com