To help in that training, Northeastern has programs to give software engineers cybersecurity skills, and has extended that to students with undergraduate degrees in non-tech subjects like history, English and math.
Don’t assume that the best candidate will come from the outside, Bryan says. The best qualified candidates may already work for the hiring organization, and managers should be creative in finding those people.
Levesque says EMC rotates recent graduates hired at the company through three-month cycles in different areas to find out whether a programmer, for example, might have an interest in incident response.
It’s often tough for applicants and employers to succinctly describe skills and requirements, respectively. Aiello says that’s because cybersecurity is still an immature profession that lacks basic standards for what job skills are needed for what job titles. A job with the title security analyst at one organization might have a different set of tasks associated with it than a security analyst at another organization. “It’s hard to say, ‘I want to be this,’ when ‘this’ doesn’t have a title,” he says.
Bryan says that the National Institute for Standards and Testing (NIST) is trying to create standardized titles and job descriptions to do just that with its National Initiative for Cybersecurity Education (NICE). The project “provides a common language to categorize and describe cybersecurity work,” with the goal of helping businesses identify, recruit and develop appropriate talent.
Because of stiff competition, employers may have to compete with salaries and perks. Levesque says she’s seen corporations offer work-at-home options to strong candidates who don’t want to relocate.
Bryan says that the Federal Reserve System can’t offer the big salaries major private firms can, so it operates at a disadvantage.
Universities face similar challenges finding the top security pros to teach, says Northeastern’s Brodley. “It’s hard to get Ph.D.s in cybersecurity. We have the same problem that’s going on in industry, and we can’t pay what industry pays,” she says.
Aiello says the average age for cybersecurity practitioners is 41. He recommends that when younger people are being considered, managers enlist younger current employees to help interview them. The motivations of boomers and millennials are very different, and having someone in the same age bracket can make the process go more smoothly.
Brodley says that 75% of people who try computer science like it enough to take a second course. She’s hoping computer science is made a high school requirement so more students get that initial exposure that might encourage them to major in it in college.