Organizations should take a fresh look at their recruitment policies, hiring processes and interview techniques if they want to tackle current cyber skills shortages and gaps, according to a panel of experts.
The UK currently faces a shortfall of nearly 57,000 cybersecurity professionals, while on a global scale the figure is over 3.4 million, according to ISC2 figures.
However, there are things that organizations can do to mitigate the impact of current shortfalls, experts told attendees at Infosecurity Europe this morning.
Chartered Institute of Information Security Professionals (CIISec) CEO, Amanda Finch, urged organizations to begin by understanding what kind of team they need.
“We encourage our members to take stock of the team they have already and look at how they can develop the talent they have, and then look at where their gaps are,” she explained.
“A lot of the gaps aren’t necessarily very technical roles. There’s a really high requirement for analytical and communication skills, and this is where we’re encouraging them to take from the business rather than employing experienced hires.”
Hiring from an internal talent pool for non-technical roles means cybersecurity teams get someone who knows the business, who can be trained really quickly and is keen to get involved in the function, she added.
Transport for London (TfL) CISO, Jools Gascoigne, agreed, arguing that there’s a tendency for technical roles to focus on skills and experience, which is often the wrong approach.
“The thing we try and do is focus on the character and the person, and the attitude and the aptitude of that individual, rather than the skills and experience, which might be very important but are perhaps secondary,” he added.
ISC2 director, Ed Parsons, argued that hiring managers also need to take more personal responsibility for job descriptions.
“We often rely on HR to do this, but it’s very easy for those job descriptions to inadvertently contain language which is either exclusive or includes specific responsibilities and certification requirements that aren’t really needed,” he said. “This leads to a lot of great potential candidates being filtered out, often by automated means.”
According to Finch, the interview process itself may also be letting down both jobseekers and employers.
“When we recruit in CIISec we have two or three of us speaking to the individual, and we tend to be quite relaxed in order to get the best out of the candidate, rather than putting them under a grilling session,” she added. “That way you can see the potential of the person rather than getting stock answers to set questions which they prepare.”
Finch argued that a pre-interview challenge may also be a good idea, to understand not only candidates’ aptitude but also how much they want the role.