CIOReview, December 2024
IN MY OPINION

GROWING CYBERSECURITY TALENT ON A BUDGET
By Ahmeed Ahmeed, Cyber and Information Security Director, Inteva Products

For over twenty years, there hasn't been a moment where cybersecurity talent supply has met the demand. In 2019, the International Information System Security Certification Consortium (ISC2) published a study showing that US organizations had over 800,000 open positions in cybersecurity, while applicants in the market were less than a third of that. By 2023, that gap ballooned to over five million, breaking yet another yearly record.

But this gap trend is only part of the story. Almost every organization is facing more cybersecurity requirements and threats. Those new threats and requirements necessitate additional funding, new tools, and, of course, additional resources. Cybersecurity researchers show spending increasing by billions of dollars; some projected 2025 spending to be over four hundred billion dollars. This means cybersecurity leaders must find more resources to recruit in a low-supply market.

To Grow or to Buy

In the talent acquisition landscape, the dichotomy is whether to "buy" talent by paying top dollar or "grow" cybersecurity skills from a pool of aspiring entry-level candidates or by mobilizing talent from other areas into cybersecurity. Growing talent takes a lot of time and effort. The learning curve is steep and long, with a chance of failure; the breakeven period can be a year long, and it takes more time until the resources are at their full potential. However, growing usually provides resources from different disciplines and IT backgrounds. Those can be of extreme value to the team, especially regarding cybersecurity engineering and configuration management.

In contrast, "buying" resources is easy and fast, but they do come with a high cost, and they may lead to cohesive thinking with less diversity of ideas within the team.

Selecting your Seeds

The common candidate selection and interview process is tedious and usually ineffective. A typical candidate selection process in the U.S. starts with a human resources analyst fishing for keywords in a pool of filtered candidates and selecting the candidate with the highest word match. This already inadvertently filters out better candidates who could have used different synonyms. This pool is then promoted to the hiring manager's attention. On average, hiring managers spend seven to fifteen seconds scanning a resume. Years of experience are summarized in those seconds, and the result is filtering out more candidates.

Regarding growing talent, a hiring manager's candidate requirements must change drastically from experience and knowledge to aptitude and work ethic. The criteria should be open to people with less or no direct experience and generalized to look for accomplishments instead. Instead of four years of experience, managers should settle for a preference of two years. Instead of a bachelor's degree in cybersecurity or a cybersecurity certificate, managers can look for a degree in Information Technology or Software Engineering.

Instead of experience, the interview process must assess aptitude and work ethic. Interviews should delve into problem-solving abilities and critical thinking skills tailored to each candidate's unique background and potential. I recall spending time on candidates' resumes only to figure out how I could challenge them in the areas they worked in. It is not an easy task if the manager doesn't have experience in the candidate's areas, but a colleague with similar experience can be a great help in gauging a candidate's aptitude. When there is not enough material to cover, I do include critical thinking questions that are mostly scenario-based to see what the candidate would do in situations we have experienced in real life. I often say, "There is no right or wrong here; I just want to know how you would approach this problem."