70% of cybersecurity professionals claim their organization is impacted by a shortage of skilled cybersecurity workers. The shortage is fuelled by the difficulty of finding experienced and qualified individuals to fill those positions: many roles require a combination of technical knowledge, legal knowledge and soft skills that is rare in a single candidate. Companies typically want to hire proven candidates, and because many areas of technology change so rapidly, this creates problems for recruiters and job seekers alike. Hiring managers struggle to find candidates they are confident can do the job, while job seekers are frustrated by postings that demand years of experience or specific certifications and screen them out even though they are more than capable of doing the work. This article is meant to be a guide to cybersecurity recruitment that looks at more than just years of experience and formal education.
Experience is the most obvious thing people look for when hiring. Employers want to pay for someone who has done the job before, because that is the most direct evidence that a person can do it effectively. However, it is important not to focus only on formal corporate experience. There are many ways to gain security experience outside of a regular job. One example is platforms like Hack The Box or VulnHub, which let people test their hacking ability by completing challenges against servers of varying difficulty. Platforms like these are a good way for someone to demonstrate, in a practical way, their ability to perform a pen test. Looking for alternative experience like this says a lot about a candidate: not only does it show proficiency in the skill, it shows they are capable of self-directed learning and a higher level of dedication than someone who only does the work on the job or as part of a formal education program. Most of these platforms have ranking systems that show how often someone contributes, and you can contact the top performers to make sure you are reaching the best talent they have to offer. Keep in mind that a leaderboard position reflects volume of solved challenges and points, not report writing, scoping or client communication, so treat it as evidence of technical ability rather than a complete picture of the candidate.
Education is a great supplement to experience and shows overall knowledge in a particular area. The common forms are formal education institutions like high school, college/university and certification programs. These definitely show a certain level of knowledge, but how much depends on the program the candidate has taken. Some programs and certifications have much better reputations than others, and this should be considered when assessing how much someone really knows. For example, the Offensive Security Certified Professional (OSCP) is known to be a tough, hands-on certification to pass, and someone who completes it should probably be given more credit than the holder of a purely theory-based certification. In addition to these traditional forms of education, informal education should also be taken into consideration. There are many good online courses and books with great content, and these should also be used to assess a candidate. One good example I've used is "Automate The Boring Stuff With Python", both the book and the online Udemy course. I learned more about programming and Python in 2 months than I did during my entire university program. Informal learning like this also demonstrates a person's ability to find information as needed. In tech jobs it is rare that someone knows how to do everything in advance, even with large amounts of experience, so someone who can teach themselves and do self-directed research is more valuable than someone who needs structured learning.
Tech portfolios are a practical demonstration of what a candidate can do. This can include a GitHub portfolio that demonstrates the candidate's ability to code in different languages, or podcasts and blogs where candidates share their expertise and teach others. Content like this is a good way of seeing how a candidate thinks about different topics and how effectively they can communicate with others. It also shows a certain level of work ethic, commitment and independence when someone consistently publishes over a long period of time.
Use Security Competitions
Security competitions are a good way to find people with a strong technical skillset. They also remove much of the doubt about whether a person can actually perform the job, because you get to see the results of their work first hand. That means your interview time can focus on assessing the soft skills component of the job.
Use Specialized Recruiters
If you don't have a solid network of security professionals and are struggling to build one, it may be worth looking for a good recruiter in your area who specializes in tech or security. They will already have connections with good potential candidates and can save you much of the time it would take to find those people on your own.
Use Network Events
Attending security-focused networking events is a good way to find potential candidates. Even if you are not looking to hire right away, building a network now will make it much easier when it is time to fill a position.
Given the talent gap in cybersecurity, finding good candidates can be a challenge. As a recruiter, it is important not to passively post job applications and wait for results. The best people in the industry are in high demand, and you need to get good at finding them. Some of the best places to look are platforms like Hack The Box, VulnHub, Bugcrowd, HackerOne and other platforms where security professionals are actively practicing and competing. Additionally, be creative in how you define experience and education so that you cover a wider range than traditional credentials alone. Lastly, build a network you can leverage whenever you need to fill a job posting, and if you cannot, consider outsourcing this function to a third party that specializes in connecting security professionals with employers.