Hiring from Within and Retaining Cybersecurity Talent: Building Your Strategy


Faced with significant obstacles to building their cybersecurity teams, organizations increasingly are looking within to find transferrable talent for cybersecurity roles. It’s a practice strongly endorsed by (ISC)² in the recently published Cybersecurity Career Hiring Study and the Cybersecurity Workforce Study.

The problem is that a substantial number of organizations aren’t up to the task of developing in-house talent for cybersecurity. Nearly half (45%) of companies in a recent study say they are not capable of doing it.

And the problem doesn’t end there. The study, conducted by IT recruiting firm Hays US, also found that only 39% of respondents believe their organizations “have the ability to retain cyber staff.” So the problem is twofold:

  • Building a strategy and infrastructure to recruit talent within the organization to fill cybersecurity positions
  • Establishing conditions to keep cybersecurity professionals happy in their posts so they don’t seek employment elsewhere

Looking Within

Findings from the (ISC)² Cybersecurity Career Pursuers Study make a strong case for developing a strategy to identify employees who demonstrate skills that would provide a natural fit for cybersecurity tasks. Those include oral and written communications, creativity, problem-solving ability and critical and analytical thinking.

Such skills are transferrable and take the pressure off recruiters and hiring managers to find cybersecurity “all stars” in a highly competitive job market. “All-star” candidates are extremely scarce at a time when the cybersecurity industry is grappling with a skills shortage of 3.12 million professionals worldwide.

This scarcity explains why the recruit-from-within approach is gaining traction. Cybersecurity expert Alyssa Miller, for one, is a strong advocate. “We have to start looking at which folks within our organization have a desire to expand their skills into security. We should start looking at how to develop those people, how to enable them, how to provide training and how to provide them with opportunities that show what they can do in security,” she says.

But as Hays found out, it’s easier said than done. Still, it isn’t a lost cause.

Talent Retention

Companies must also address the retention problem if they are going to succeed in recruiting from within for cybersecurity. It hardly makes sense to go through the trouble of finding talent if you can’t prevent people from leaving once they acquire the desired, and desirable, skills.

A Tripwire article about the Hays US study makes several recommendations for retention, including offering upskill opportunities by partnering with “respected IT security training providers.” The article also recommends reevaluating cybersecurity job requirements to make it easier to find skills and relevant work experience elsewhere within the organization.

Hays also recommends offering competitive salaries, fostering a culture that promotes cybersecurity practices and investing in the latest technologies.

Organizations that take this advice to heart should find that recruiting from within isn’t beyond them. It just requires some discipline and good planning.