Promote internal security talent


A hybrid recruiting approach against the security skills shortage: with 86,000 vacancies at present, the shortage of IT specialists in Germany remains at a high level, according to a current study by the digital association Bitkom.

Hiring new talent is only part of the solution to this problem, especially in cybersecurity. Once these employees have been recruited, they need continuous development opportunities to keep their cybersecurity skills up to date. Companies should also develop an internal strategy for finding and retaining top talent over the long term, in order to support their employees in their roles and offer them long-term career opportunities. In addition, even organizations with large budgets will have difficulty hiring all the skilled workers needed to close the qualification gap in security.

Build cybersecurity workforce

Building a sustainable cybersecurity workforce therefore requires a hybrid approach that focuses both on attracting new top specialists with expert knowledge and on retraining and upskilling existing employees. Companies should therefore also consider internal candidates who are suitably qualified.

In many cases, the most difficult positions to fill are those that require extensive hands-on experience, such as Senior Threat Hunters and Incident Responders, as it takes many years to become an expert in these areas. Attending the SANS Institute's annual training courses can be beneficial and is highly recommended, but cannot replace the knowledge gained through investigating and responding to incidents in a real company. It becomes even more difficult when trying to find qualified candidates with experience responding to government-sponsored attacks. Understanding a threat actor's approach and knowing what to look for in terms of Tactics, Techniques, and Procedures is a tremendously valuable and sometimes difficult skill to acquire.

Alternative recruitment routes

Many companies typically use the same conventional job postings and recruiting channels to fill all types of cybersecurity positions. In doing so, they overlook the less obvious, but often abundant sources of potential candidates who have the exact skills or experience required for the advertised position.

Many IT executives are already active participants in a variety of knowledge networks and communities. These are an extensive source of opportunities for getting to know and assessing potential candidates who are ideally suited to their company, whether at infosec conferences, threat intelligence forums or platforms like Twitter. In most cases, these alternative ways of finding the specialists the business needs are very targeted and productive.

Developing internal talent

Before companies advertise a position, they should also take a look at the existing team to see whether there are candidates who can be further developed to take on the position in question. As these employees are already familiar with the company and its work culture, they can quickly familiarize themselves with the system as soon as they have acquired the additional skills and abilities required. Ensuring that everyone in the existing team has a defined career path, complete with development plans designed to further develop their technical skills, is ultimately the key to retaining a highly motivated cyber workforce.

Security teams can also help fill the talent gap by identifying internal candidates who may not have a security background but have all the appropriate attributes required to take on a cyber role. Since they are already familiar with the way the company works and often have non-technical skills such as teamwork and communication, speeding up these candidates' skills acquisition can pay off in the long run.

Employee retention: salary isn't the only factor

Salary is an important motivating factor for every employee, but many applicants are also looking for positions in which they can expand their knowledge and advance their careers as much as possible. Completing the same tasks every day leaves skilled workers under-challenged and can quickly lead to staff turnover, which is the last thing a company wants when qualified employees are already few and far between. When employers offer their employees the opportunity to work with the latest technology and security tools or on various small, interesting projects, these professionals not only stay engaged, but also improve overall teamwork skills, resulting in a more collaborative environment. This not only helps attract additional new talent, but also helps keep them.

Structured personnel management

In addition, companies should invest in well-structured personnel management to ensure that they get the cybersecurity specialists they need and retain them in the long term. According to a recent global study by ESG and ISSA, 70 percent of cybersecurity professionals still do not have a clearly defined career path. 29 percent of respondents would like their company to offer more cybersecurity training, and 44 percent think hands-on experience is just as important in becoming competent in a new area. Companies should therefore examine how they develop the skills and roles of their teams, so that employees have opportunities in both theory and practice to expand and refine their skills.

With talent shortages across the cybersecurity industry, finding and retaining top talent requires a holistic and adaptable approach. In addition to alternative recruiting channels to attract new specialists, the chances are good that many cybersecurity talents are already working for the company and can take on new positions within the organization with appropriate support. With this hybrid recruiting approach, with special attention to the further development of employees, companies can actively counteract the shortage of skilled workers in the security area.

More at Sophos.com

 


Via Digital Guardian

Digital Guardian offers uncompromising data security. The data protection platform provided from the cloud was specially developed to prevent data loss from insider threats and external attackers on the Windows, Mac and Linux operating systems. The Digital Guardian Data Protection Platform can be used for the entire corporate network, traditional endpoints and cloud applications. For more than 15 years, Digital Guardian has made it possible for companies with high data volumes to protect their most valuable resources using SaaS or a fully managed service. With Digital Guardian's unique policy-less data transparency and flexible controls, organizations can protect their data without slowing down their business.


 
