With the never-ending increase in cybersecurity risks and the growing sophistication and proliferation of cyber-threats, information security has never been more critical. It is vital that organizations understand their dangers, threats, and vulnerabilities before attackers do. For that, leadership must commit to governance, ensuring a robust IT infrastructure and assuming the costs of implementing a security-in-depth strategy and of continuously identifying, detecting, protecting against, responding to, and recovering from security incidents. But leadership is not the only party responsible for making that happen. A robust, skilled workforce is vital. But there is not enough talent. No! The talent is out there waiting to be found. Work experience in Information Technology (IT) alone does not always equal talent. This statement is based on personal experience, research, discussions with highly successful cybersecurity professionals and recruiters, and conversations with several people who are struggling to enter the field or to transition into the work they have been training to do. One of the reasons? Many employers do not know what workforce they need, so they cannot be on the same page with recruiters. So next, the recruiters. Some recruiters are highly qualified to find cybersecurity talent, but many do not know how to distinguish the different sources and methods by which job seekers acquire their knowledge. Many recruiters do not even know how to tell IT apart from Information Security (IS); therefore, they do not really understand the type of knowledge that matches what hiring managers want. How to fix that? First, one must understand cybersecurity. Cybersecurity is not only about technology. A significant part of it is planning; it is business, risk management, governance, cybercrime, cyberlaw, and compliance. It includes more than an organization’s IT assets; it involves the privacy and security of all citizens of the world.
It is about people, processes, and technology.
Here is an example: Olivia has been working for twelve years in a role other than IT or IS, where she accumulated many leadership and soft skills. Olivia also has half a dozen years of both continuous self-learning and formal education. That includes planning and developing information security (IS) policies, such as cryptography and critical management plans, and disaster recovery plans. Olivia also performs hands-on penetration testing, forensic analysis, and network security assessments. Additionally, Olivia knows how to manage projects, knows how to program, knows IT architecture, and knows everything about cybersecurity frameworks, risk assessment, and risk controls. Well, maybe not everything, since it is impossible to know everything about a field that changes as we speak. But that is much more valuable than hiring someone who fits the old cookie cutter; for example, Chuck, who has been working in IT for years but only on the technology side, not IS, who has limited training and education, and who does not bother to continuously self-learn. Also, Chuck has no passion and is only interested in a nice paycheck. Then there is Walter, who has no formal education but does have experience in IT (again, not in IS); however, unlike Chuck, Walter spends his days self-learning, participates in webinars, reads a lot to keep informed, and is passionate about cybersecurity. Why is Walter without a job?
Companies want the education but do not want to hire someone without experience, which is why talented people like Olivia and Walter are waiting to work with what they love. Companies also want someone with experience, but they do not want to hire someone without a formal education.
That kind of contradicts itself, does it not?
Cybersecurity is an always-evolving, always-innovating field, and the hiring process that has worked for IT and other departments for decades is not working anymore, especially in cybersecurity. The old job requirements are the main reason companies are not finding cyber talent. It is time to make a change. Dozens, if not hundreds, of people write these endless reports and start conversations about the lack of talent, and that is one of the reasons why there are too many jobs unfilled. Then several people join the conversation, stating that they are out there and explaining how to find them. And then nothing changes. Perhaps hiring people who do not fit the cookie cutter but who could receive training and mentorship is not such a bad idea? They say, “but listen, they have not worked with cybersecurity tools.” Says who? Many of these tools are free or are offered by their schools, or they can download a trial or buy a license. And these talented people do have hands-on experience. This is not surgery. Nobody should hire a surgeon without work experience. This is technology. A surgeon does not have bodies at home on which to practice hands-on medicine (at least we hope!), but cybersecurity enthusiasts do have systems to practice on. Also, do not overlook that a person’s education and self-learning equips them to do great work as well as, if not better than, a person who studied for a test and earned a certification. Certifications are valuable, but they are not always more valuable than the education that one continuously receives. The U.S. needs people who want to work because cybersecurity is fantastic and because this country needs a newly improved cybersecurity posture. Cyber talent will stay with the company that gives them an opportunity to shine, knows how to appreciate them, and wants them to succeed. That is better than hiring someone who only sees the job as a means to make money, or someone who does not have the proper knowledge.
And it is definitely better than hiring nobody. More brains equal better chances to break the cyber kill chain.
This is no joke. Take it seriously. Look at the map: 301,873 job openings. We must end cybersecurity unemployment. We must fix it!
Here is the ugly truth: many companies prefer not to hire anyone rather than consider someone talented who does not fit the cookie cutter. So, besides knowing how to find talent, companies must understand whom they need to hire, their roles and responsibilities, and what knowledge they must have. Consequently, the first step is to get help, for example by using a framework such as NIST NICE to guide the hiring of talent.
National Initiative for Cybersecurity Education (NICE)
Many individuals and organizations are helping with this issue, and so is the government. NICE is a framework developed by the National Institute of Standards and Technology (NIST) of the U.S. Department of Commerce with the intent of improving the cybersecurity posture of organizations through a joint effort of government, academic institutions, and industry partners to help keep this Nation secure. NICE provides an approach to handling cyber-threats by identifying the cybersecurity workforce needed, recruiting highly skilled cybersecurity talent, educating and training, and retaining and developing experienced cybersecurity professionals. The document NIST SP 800-181 proposes a very comprehensive list of categories, specialty areas, and work roles to consider when hiring someone:
Seven Categories grouping cybersecurity functions.
33 Specialty Areas, such as:
- Customer Service and Technical Support
- Training, Education, and Awareness
- Legal Advice and Advocacy
- Strategic Planning and Policy
- Incident Response
- Threat Analysis
- Digital Forensics
- Test and Evaluation
- Risk Management
46 Work Roles (WR), such as:
- Software Developer
- Enterprise Architect
- Cyber Legal Advisor
- ISS Manager
- IT Project Manager
- Privacy Officer
- Vulnerability Assessment Analyst
- Target Network Analyst
- Cyber Ops Planner
- Cyber Ops Investigator
- Systems Developer
- Research and Development Specialist
KSAs (Knowledge, Skills, and Abilities) and Tasks, such as:
- Systems security testing and evaluation
- Countermeasure design for identified security risks
- How to use network analysis tools to identify vulnerabilities
- Developing and applying security system access controls
- Cybersecurity testing of developed applications/systems
- Security reviews, identifying gaps, and risk management planning
NICE is a more than “nice” way to find talent with the knowledge and experience needed to help organizations control cyber risks. A framework can ease some of the difficulties that organizations are facing. The most significant barriers are employers and recruiters who sometimes do not understand how to find talent, automated resume-scanning systems that only match the cookie cutter, and a lack of awareness that there are alternatives to the cybersecurity talent shortage. This article aims to educate those who need to find cybersecurity talent. Look at the state of cybersecurity. Have faith in people. The ability is out there. Invest in those who want to use their passion for cybersecurity and are committed to helping improve the cybersecurity posture of this country.
They will be loyal to those who believe in them. Take a leap of faith and revolutionize the cyber world. Remember, cybersecurity is about continuous innovation, so innovate starting with people.