Using a Risk-Based Approach to Cyber Recruitment

Sourcing cybersecurity professionals has never been more challenging. The positions most in demand are those in middle management and at board level, according to a DCMS report. These are roles requiring a minimum of three years' experience.

There’s also a growing deficit, with only 7,500 new entrants joining the sector annually, all of whom still need to gain those three years of experience. Indeed, the annual shortfall in the workforce now stands at 14,000, 40% higher than estimated a year ago. Additionally, the UK market saw a 73% increase in the workforce gap during 2022, equivalent to 56,811 unfilled vacancies, according to (ISC)2.

This talent shortage presents businesses with real challenges because there isn’t sufficient resource available to fill all the roles being recruited for. That, in turn, elevates risk: (ISC)2 found that 20% of respondents thought their organization was at “extreme risk” and 54% at “moderate risk” due to staff shortages. Some have resorted to drastic measures to fill their vacancies, combining job sets to create ‘unicorn’ posts or poaching staff, with up to 60% resorting to the latter tactic, according to ISACA. But this desperate scramble to fill senior roles may be misguided.

Quick to Learn

What many fail to realize is that new entrants to the profession don’t take nearly as long to get up to speed as one might expect. Over a third of hiring managers said it took just six months or less for entry- and junior-level hires to be able to work independently, and that the roles they performed took significant pressure off those higher up in the business, according to another (ISC)2 report.

So, if the business doesn’t need to focus on filling those senior roles through top-down hiring, how should it approach recruitment? One compelling strategy put forward by McKinsey is to look instead at what it calls ‘Talent to Value.’ Rather than ranking roles by seniority, this evaluates which cybersecurity roles are the most important, meaning those that promise to deliver the most significant reduction in risk.

Using a risk-based approach means the business can construct a hiring roadmap so that expertise is hired at the right time, as needed. Those priority roles are likely to be dispersed throughout the business, from entry-level roles through to mid-level and top-tier jobs. This means there’s less competition over that top talent and more opportunity to recruit lower down and nurture talent in-house.

Aligning Recruitment With Risk Scoring

Identifying the roles that will reduce the most risk can also be done in concert with risk methodology frameworks such as NIST or ISO 27005. The National Initiative for Cybersecurity Education (NICE) framework, for instance, provides guidance on the skillsets needed to operate priority controls. The same risk modelling and scoring used to build the risk register can then be used to identify where resource is needed and at what level, and to help write the job descriptions for those roles.

Honed job descriptions will, in turn, lead to much more targeted recruitment campaigns that accurately match the requirements of the position, something badly needed in our sector. The same DCMS report found that many recruiters ignore the job specification they are given and contact the hiring manager directly to write their own, bypassing HR, because job posts are so out of tune with the market.

Application of the Talent to Value approach will differ depending on the size and maturity of the business. Younger companies will need to focus on executing security strategies by filling management roles rather than leadership ones. Established businesses will need to focus on high-impact or frontline employees, while those undergoing business transformation will need to protect their high-value assets through new hires and specialist talent. 

Because this strategy effectively creates a roadmap, it can help businesses prioritize and plan their recruitment strategies more selectively. Indeed, McKinsey claims the Talent to Value approach can result in 50% fewer new hires because it enables targeted recruitment, upskilling and outsourcing while still delivering the same risk reduction as a hierarchical hiring strategy. 

Of course, there’s another metric to consider here, and that’s retention. Professionals who feel under pressure and overwhelmed are much more likely to seek employment elsewhere, with 45% citing stress at work and 34% citing lack of support as reasons for leaving in the ISACA report. Allocating human and technical resources where they are needed most prevents these pressure points from building up in the business and reassures teams that they will be given adequate support.

Businesses that focus their recruitment strategies and concentrate on retaining their existing staff through career development programs are, therefore, far more likely to bolster defenses and reduce the exposure that skills shortages will inevitably cause.
