Given the crazy year we have had so far, and it still continues to be that way, there are still glimmer of hopes out there on the horizon.  First, is are the financial markets here in the United States.  True, they have been many more gyrations in it than we probably have ever seen before, but if you look on the whole, the DOW is on the upswing.  As far as I know, even the NASDAQ has made record highs as of late as well. 

Even though the data could be highly skewed from the standpoint of statistics, at least the job reports that come out each month are looking better for the last two months, consecutively.  Also, last Thursday, the total number of people filing for unemployment benefits actually saw its first decline ever since COVID19 hit with full force back in February.

So, this brings up yet another issue on which I have written about before, not only for my blog site, but even for other clients as well.  That is, the lack of workers in the Cybersecurity Industry.  Even to this day, with the sheer amount of attacks that are happening on a daily basis, there is still a huge shortage.  There are literally millions of jobs on a worldwide basis that still need to be filled.

So, this begs the question:  Is it because there is just nobody that is truly qualified to fill these jobs, or are there really a lot of people out there that are actually qualified, but they simply are not getting hired for whatever reason? 

Unfortunately, according to the latest reports I have been reading, it is the latter.  Believe it or not, there are a lot of people that are really qualified, but Corporate America does not want to pick them up because they feel that they are not qualified enough.

Rather, businesses want to only hire the seasoned professionals because of the deep experiences that they have to offer.  Yes, there is some merit to this argument, but keep in mind, if you the hiring manager are going down this route, then not only will you have to pay an exorbitant salary, but you will also have to pay for benefits, etc. 

A typical example of this are the roles of the CIO and the CISO.  In today’s times, nobody wants to offer full time positions because who has the cash to do so?

As a result, many companies are now resorting to hiring vCISOs, which are essentially CISOs on demand, for a fixed term contract and fee agreement.  But hiring contractors can only go so far.  Eventually at some point in time, you will want to hire to some degree or another, a full-time staff, to whatever your budget permits to do so.  So, here are some tips in achieving this task:

*Forget about the degrees:

Yes, we all get allured by the degrees that somebody has.  Yes, education is especially important, but look at myself.  I received an MBA in Management Information Systems, and guess what, it did not do me anything.  I just should have stuck to the one Master’s degree that I already had in hand.  There are many companies out there who have, unknowingly, greatly increased the bar of hiring somebody genuinely great by requiring an advanced degree.  But truth be told, in the world of Cybersecurity, degrees do not really mean anything.  It all comes down to experience.  Heck, even some of the podcasts I have interviewed do not even have college degrees.  But yet, through their deep experience in Cybersecurity, they have been able to build great startups.  In fact, there is a great pool of ethical hackers out there who know much more about breaking and fixing a s system in just a matter of minutes versus somebody who has a Master’s in Cybersecurity.  In other words, keep the amount of education that somebody has in mind when you interview them, but that should not be only factor.  Experience has far greater value in this industry than just education.  Look at their experience and how much of that they can bring to your company if you were to hire them.

*Do not hire just on certifications:

Out of any industry I have ever come across, it seems to be that Cybersecurity has the greatest number of certs that are available and can complete the entire alphabet.  Worst yet, it seems that there are more of them coming out.  Unfortunately, because of this sheer amount, the value of having a cert is fast eroding into the limelight.  But still, employers are still wooed by them.  Yes, it is quite impressive to see that list of acronyms after somebody’s name, but guess what?  It only lasts for a fleeting moment.  I view certs the same way as having a Master’s in Cybersecurity.  I am not trying to diminish the value of getting a cert, but in my opinion, how do you know if it is really a true measure of somebody’s knowledge and skill?  Yes, they are expensive, and the requirements to take them are rigid, but most of the people that I have talked that have received, say the CISSP, only got it because they went through a weeklong bootcamp.  So once again, yes, keep those certs in mind as you interview a candidate.  But don’t make that the breaking factor.  For example, what if you hire somebody that has a CISA, but they cannot do an audit of the security controls that you have in place?  In order to gauge the true value, you need to associate that with the total amount of experience that the candidate has with it. 

*Give the candidates a real-world problem to solve in their interview:

This is probably one of the best ways in order to gauge a candidate’s true level of skill by putting them on the spot. After all, Cybersecurity is never a planned event, but rather, it is always changing, and we always have to keep thinking on our feet on a daily basis.  So in this regard, pose a hypothetical case study to the candidate.  Of course, they will not have the time to solve it in the allotted time for the interview, but at least you will get to see their thinking process as to how they would actually solve it by having them illustrate it on a whiteboard.  If it was me, I would be much more prone to hire somebody who can demonstrate a cool and clear-thinking process than rather if they simply possessed a CISSP or a Master’s degree.

*Hire across all boundaries:

When you are interviewing candidates, just don’t keep a stereotypical image in mind.  By doing it this, way, you will truly miss out on hiring a great person for the job.  With this mind, you should look at both men and women equally.  In fact, IMHO, I think women in this regard are greatly overlooked, and I think the can make great Cybersecurity professionals as well, especially when it comes to filling the role of the CIO and/or CISO.  At the present time, only 24% of the Cyber workforce are made up of women.  There have been many initiatives that have been launched to combat this, one of the more notable ones is the European Commission.  So, try to make more of an effort to hire women, and to bring on more candidates in the interviewing process.

*Forget about geographic location:

In today’s COVID19 environment, Work From Home (WFH) will be the norm.  So, when you advertise for a job posting, forget about saying anything about commutable distances.  Of course, it is important to meet with your new Cybersecurity hire from time to time, but just keep in mind the new ramifications of the remote workforce.  All that matters in the end is that if they can connect remotely, are abiding by your Security Policies, and are productive, that’s all that really matters in the end.

My Thoughts On This

So long story short, just don’t simply be impressed by a candidate just because they have a long list of certs by their name, or even have an advanced degree.  Rather, you need to favor very seriously the amount, depth, and breadth of the experience they have to offer to the table. 

Keep in mind that some of the greatest candidates are those that have no degree, or maybe just one or two certs at most.  Believe it or not, a huge pool of candidates can be found from those Cyberattackers that have turned over to the proverbial “Good Side” and are now ethical hackers.

Obviously, it is this grouping of people who will have the best real-world experience when it comes to hacking into systems and fixing them back up again.  Also, don’t overlook the talent even amongst the students that are in high school. 

Kids at this young age are very impressionable, and in today’s world, in order to move them into the right direction, you should consider sponsoring Cyber related summer camps and even real-world Pen Testing exercises. 

Try to find a good student and become their Cyber mentor for the long term.  Who knows, if you end up hiring that young kid in the end, they will probably bring a lot more value and ROI than hiring a CISO who will likely quite in less than two years away (which is now the industry norm).