The cybersecurity skills shortage requires businesses to have a well-honed recruitment process. Jamal Elmellas, chief operating officer for Focus-on-Security, says there is a disconnect between hiring managers and HR. So why is this happening, and what can be done to align the two?
There’s a diminishing pool of cybersecurity talent, with insufficient new entrants and an exodus of existing talent. The Department for Digital, Culture, Media and Sport (DCMS) upped its original shortfall projection from 10,000 to 14,100 per annum. The cybersecurity gap increased by 73% over last year, according to the (ISC)² Cybersecurity Workforce Study.
That same study made an interesting observation. Where there was a strong relationship between cybersecurity management and HR, shortages were noticeably lower, but where there was a disconnect, shortages were exacerbated. Those businesses were more than two and a half times more likely to suffer from skills shortages.
This illustrates that while HR plays an essential role in recruitment, it can have the opposite effect if it’s out of kilter with the security team. And this lack of alignment is not as rare as you might think – almost half of those questioned in the survey said the relationship between the two was poor, and 40% said HR did not add any value to the recruiting process.
What HR and Hirer Bring to the Party
Both parties are critical to an effective recruitment drive. The hiring manager will know the skillsets and experience needed, what the day-to-day job entails, and where that person will fit into the team. Still, HR knows the recruitment process, how to enter the market, and which channels to use to attract the best talent. Working together, they can craft the job specification and determine the support and perks that should be offered.
The reality, however, is that job specifications today are seldom well-written. Criticisms include the combination of multiple roles into one, specifications that did not reflect the role on offer, or which undersold the role by failing to highlight training opportunities, for example.
Consequently, the recruiters ignored these job specifications and contacted the hiring manager directly to draft their own, bypassing HR altogether. This was particularly the case for hard-to-fill roles. The danger this creates is that the hirer, who has little market visibility, is at the mercy of those less scrupulous recruiters. HR has a valuable role to play because it occupies the middle ground while at the same time representing the interests of the company.
Solving the Problem
So why has this happened, and how can HR become more aligned with the security team? Part of the problem lies in how cybersecurity has continued to evolve rapidly, resulting in a shortage of skilled professionals in particular disciplines. For instance, according to the Fortinet 2022 Cybersecurity Skills Gap report, the roles most in demand are in connection with the newest technologies, i.e., Cloud security and security operations software such as Advanced Threat Protection and Endpoint Detection and Response.
That, in turn, makes it challenging to determine the skill sets required for that particular job, forcing HR to write the rulebook – or the job specification – as they go along. Certifications can help here, which is why 81% of organizations insist on these when hiring. But in today’s market, where candidates are scarce, the business can no longer afford to limit itself in this manner. Doing so cuts off potential candidates who are switching from another career or following a less conventional path but who have the potential and the right soft skills to succeed.
The industry needs the means to map particular skills with current and emerging roles. This was recognized by the Cyber Security Alliance, which referred to “the complex nature of career routes into cyber security; the myriad of cyber qualifications, certifications and degree standards which exist without any uniform equivalency; and the challenges this creates for employers when it comes to assessing candidate suitability.”
As a result, the Alliance helped found the UK Cyber Security Council in 2019, the chief remit of which is establishing standards and pathways across the cyber profession by 2025. Known as The Cyber Pathways Framework, this will outline the skills associated with sixteen specialist areas, establishing a minimum set of requirements for the first time and providing HR with some much-needed guidance. But, given this is two years away, it’s possible in the meantime to refer to the Council’s Careers Route Map.
Mapping Team Structures
The DCMS report notes that some organizations are already exploring ways to use the Route Map. One thought it could be used to justify the budget for careers-related training, for instance, as well as to inform job specifications. But it’s also been viewed as a means to help ensure businesses don’t reinvent their team structures, as it can be overlaid on existing IT roles to show where skills are already present and where gaps lie.
The Chartered Institute of Information Security (CIISec) cyber-skills framework furthers this organizational approach. Its Capability Development Methodology (CDM) uses four frameworks covering Skills, Knowledge, Roles, and Accreditations to map the skills within the business and help HR develop, recruit and retain talent.
Such initiatives now mean the hirer doesn’t need to seek inspiration and copy job specifications from other adverts (which happens more often than you’d think), and HR doesn’t need to operate in the dark. With both now aware of the deficits in the business, the skills needed, and the role that should be outlined and advertised, both HR and the cybersecurity team are on the same page and can more successfully liaise with the recruiter, who can advise on current market conditions and candidate selection.
Aligning these three professions makes the role more likely to be filled quickly. But there is one other aspect that also needs to be considered, and that’s retention. To help ensure that the valuable cybersecurity professional you’ve recruited stays onboard, providing them with support and career progression is essential. Again, the Career Pathways can help here, offering a clear line of sight as to how roles can evolve and individuals can climb the ladder, and giving candidates the job security they’re likely to desire in today’s economy.