Burning Glass Technologies, a labor market analytics firm, says demand for cybersecurity professionals has grown more than 3.5 times faster in the past five years compared with other IT jobs, and about 12 times faster than demand for all other jobs. The company's CEO, Matt Sigelman, questions whether there's sufficient supply to meet demand. "Over the past two years the number of jobs requiring a Certified Information Systems Security Professional certification has jumped from 19,000 to more than 29,000," Sigelman told The Wall Street Journal. "When you see 10,000 new job postings in a two-year period in a field that has just over 50,000 CISSPs, there is a question of availability."
Indeed -- and if you find these pros, paying for and retaining them is a challenge. InformationWeek's 2013 Security Salary Survey shows salaries for experienced security managers rising $20,000 since 2011, to $120,000 on average, and poaching is commonplace.
Does that mean it's impossible for an average company to hire and retain a top-notch cybersecurity specialist? Not at all, if you're willing to shuffle the deck and play the hiring game in a smart way.
First, why must every new hire be an ace? What's wrong with a king, queen or jack? The key is potential. Ask, "Will this candidate be able to do the job, maybe not immediately, but eventually? Is the candidate likely to grow into the role?"
No growth, no hire. I find that the vast majority of cybersecurity professionals (and IT pros in general) are smart people. They're usually highly educated, well-trained and certified, and they come with track records of success. Admit to yourself that your opportunity is not so unique and special that you'll have a half-dozen CISSPs fighting over it. At one time in your career, weren't you in the dark about something that you now know pretty well? The answer is yes. Remember, a queen beats every other card but two.
Now Go Fish
In the movie Weird Science, two young men build the woman of their dreams (Kelly LeBrock) using a Barbie doll and a car battery. That only happens in the movies. When scoping a position, focus on needs, not wants. Eliminate the superfluous; whittle experience requirements to what is critical -- not desired, not hoped for, not imagined. Develop probing questions to ascertain whether the candidate has the essential skills to do the job well enough, right now, and whether that person has the potential to become an ace. Stop thinking Weird Science and start thinking real science.
Group interviews, multiple callbacks, mandatory social events -- all a waste of time. We do these things to make sure everyone likes the candidate and the candidate fits our "culture." News flash: It's difficult to get four people to agree on where to go to lunch. What makes you think a difficult hiring decision can be done better by committee? The "personality" threshold for hiring should be simply "Can stakeholders work with this person every day?" Don't listen to Toby Keith's advice about drinks after work. You don't need to vacation together, become family friends or hang out on weekends. You need people to get their jobs done and treat one another respectfully.
Hurry up and make a decision. Cybersecurity professionals are in high demand; smart hiring managers know this and don't give the candidate a chance to receive another offer. If you meet someone you like, move fast. Make it contingent on a background check, sure, but make an offer. Be bold.
On the flip side, if the person isn't right for the job, cut the interview short and save both of you some valuable time. Don't commit to a lengthy meeting because you want to be "nice." It's not nice to waste someone's day when you have no intention of hiring him. Cutting it short does not mean being impolite. It's OK to let someone know that you don't think he's the right person for the job. Just make sure it's for the correct reason -- that he cannot perform the critical tasks or shows no growth potential.
When you do find the right candidate, understand that you might need to sweeten the pot. The good news is that the one thing I find that cybersecurity professionals care most about benefits you as well: training. Cybersecurity tools, technologies and policies change rapidly, and these people know that frequent and ongoing education is the best way to keep up. You might decide to pay for some training or simply allow them time off with pay. I know many cybersecurity professionals who cover the cost for their classes while their employers give them the time off. It's a win-win.
Check And Call
When a player checks or calls in a game of poker, it means he or she is passing or matching a bet. In the game of hiring cybersecurity professionals, it means background checks and reference calls must be made. According to the Ponemon Institute's 2012 Cost of Cyber Crime Study, cyber attacks by malicious insiders were the second most expensive on a per-attack basis. Full criminal background checks should be done annually and updated every 90 days. Reference checks should be done thoroughly to make sure there are no red flags in a candidate's past. In addition to the standard questions (Is she eligible for rehire?) ask questions like these:
-- Did she have any altercations or issues with any other employee?
-- Did you allow her to work remotely from home?
The answers might surprise you and make you feel better about your decision -- or stop you from making a bad bet.