Cybersecurity Unicorn Hunting: unrealistic job demands in hiring

By William Spettmann

The excerpt below was taken from a real job requisition for an entry-level cybersecurity analyst position at a well-known multinational corporation.

Qualifications:

  • Advanced degree in cybersecurity, IT, or similar field. (Relevant experience can be substituted for advanced degree).
  • Threat modelling and/or risk management experience.
  • 1-3 years working with SIEM tools
  • CompTIA Security+ or ISACA Certified Information Security Manager (CISM) required
  • Ability to develop and communicate technical content to non-technical audiences.
  • Experience working with large enterprise-level systems
  • ISC2 CISSP (preferred)
  • Forensics / Penetration Testing experience (preferred)
  • Experience with CrowdStrike, SonicWall, Cisco, Barracuda, Jira, and VMWare tools highly desired

Active job seekers in the cybersecurity industry are likely all too familiar with the current state of affairs as it pertains to the overblown skillsets and capabilities that companies are seeking for their cybersecurity staff, and many believe that it is getting out of control – especially for entry-level positions. Companies are looking to hire only personnel that have job-specific and specialized skillsets, excessive years of experience, advanced degrees, expensive certifications, and more, just to fill entry-to-mid-level vacancies. In industry terms, this is called ‘unicorn hunting’ and refers to the rarity and unlikelihood of such candidates being in the active job pool available for hire. As organizations spin their wheels waiting to hire these unicorns that fit their mold perfectly, tens of thousands of highly skilled candidates are anxiously awaiting their chance to shine, unemployed.

As a university professor of cybersecurity, I have had the unique experience of witnessing first-hand the plight of the emerging professional, as countless college-age students have expressed their concern with being unable to secure employment upon graduating. These students, both driven and skilled, are being overlooked by potential employers because they simply do not fit the check-box filtering criteria set forth by hiring companies.

While it is impossible to discount the value of finding a “perfect” match for a job requisition, potential candidates are not the only ones suffering, as employers often find themselves with long-term languishing vacancies. This sustained vacuum leads to the degradation of cybersecurity programs over time, and has lasting effects on the associated systems’ security as well as company morale. So how is it possible that companies still set such stringent job requirements when they are not really needed, and what can be done to put a stop to this bad habit?

There appear to be four primary factors driving the over-specification of job requirements in the cybersecurity industry today: requisition development by unfamiliar stakeholders, comparative hiring, cost-driven decision making, and artificial-intelligence (AI) integration in hiring processes.

The first (and perhaps the most obvious) issue is that many active cybersecurity job requisitions are developed or written by HR staff or leadership-level personnel who do not truly understand the scope of work required to complete the job successfully. In some cases, hands-on staff are polled for information to include in the requisition, but by the time it passes all of the necessary gate-checks, it represents something vastly different from the source content provided by those key stakeholders. This often results in “fluffy” and bloviated cyber-adjacent language that makes no practical sense to anybody familiar with the craft.

The second commonly experienced issue is that many companies build requisitions based on job descriptions “borrowed” (plagiarized) from their competitors. This is clearly evident in the Department of Defense for instance, as cookie-cutter job descriptions and requirements are clearly copied across multiple companies, programs, and system types. To make matters worse, all of these mirror requisitions appear to be built from the same deficient source material. This is not something that is unique to defense by any means, as similar examples can be seen in every functional industry from healthcare all the way through manufacturing.

Cost-driven hiring is another key facet of the current job market turmoil, but it is not something that is easily resolved. In many cases, organizations have defined financial limits for hiring certain positions, and any flexibility outside of these confines is largely non-existent. As such, if a particular position is slotted for $200,000 per year, then the idea of hiring 2 personnel at $100,000 each instead is rarely even a consideration. This is an oversimplification of course, but it sheds some light on the financial factors limiting hiring.

A similar gripe with financially driven hiring is the idea that there will always be someone willing to do the job cheaper; and cheaper rarely means better. This has been a long-standing issue within the cybersecurity industry, and very few companies know how to properly value the cybersecurity work (and therefore the cyber workers) that makes security programs successful. The result? Affordable, but under-trained and under-skilled workers who fail to fulfill job-specific duties.

Along the same vein, comparative hiring is sometimes paired with cost-driven hiring leading to a compounded problem. In cases such as this, organizations rely on comparisons from other companies for both the job description and the recommended salary range – leading to a significant pigeonhole effect, wherein teams limit their hiring options without fully understanding why those limitations were set in the first place. Requisitions ultimately need to be specific to the organization for which they are being developed.

The final constraint that appears to be running rampant as of late is the inclusion of artificial intelligence in hiring processes. There is undeniable value in using AI to aid in HR activities; however, the scope of its limitations needs to be clearly defined in order for it to work effectively. Setting aside the countless stories of AI discrimination in hiring processes over the past several years, the primary mechanism by which AI screens candidates is very clinical and does not factor in the non-tangibles that traditional human screening could capture. For instance, if a resume does not have the appropriate number of keywords or the proper formatting, it is likely to get rejected by AI tools without ever reaching a human being to review it for applicability. This not only depersonalizes the human interaction needed for effective hiring, but drastically limits the pool of screened candidates to choose from.

AI screening software such as this, which is often praised by hiring staff for making their jobs easier, is conversely cursed by job candidates as an enigmatic puzzle that needs to be solved just to be considered for an open position. Long story short, if candidates do not satisfy the AI tool first, they will rarely be given the opportunity to prove their worth to hiring managers; and satisfying the AI criteria is not an easy feat.

There is a fifth factor that results as an aggregate of all four aforementioned issues, and that is the oversaturation of candidates in the active market. With thousands of candidates applying to almost every position opened by companies, the numbers simply don’t favor the candidates. Rational-thinking individuals may assume that this is beneficial for the hiring companies; however, the research indicates otherwise, as companies are struggling to find the unicorns that they are so hellbent on seeking. Even if the unicorns are actively pursuing employment, the AI pre-screening process may eliminate them from consideration, or they may simply get lost among the masses. Inevitably, this leads to a palpable feedback loop wherein there are thousands of viable candidates searching for work, but hiring organizations still somehow struggle to fill their roles.

This begs the question: are unicorns extinct? Perhaps not, but they are certainly endangered. Most “perfect” candidates are likely already settled into roles where they are valued and well-paid, and very rarely do these candidates become available on the open market. While companies sit patiently on their open requisitions waiting for these people to re-enter the job market, countless candidates remain unemployed, regardless of their ability to complete the tasks at hand. When driven to the point of desperation, companies often resort to sniping (headhunting) other organizations’ unicorns, luring them in with inflated salaries and promises of a better life. This works quite well; however, it is largely unnecessary. There is talent out there. Companies just need to see it for what it is and understand how to properly foster it.

So, is there an actual solution to this dilemma? There is no easy yes or no answer. A great place to start would be understanding the delineation between ‘required’ and ‘desired’ skills. Would it be nice to have a candidate with 20 years of relevant experience, advanced certifications, project management experience, an M.S. in cybersecurity and expert-level public speaking skills to fill a mid-level cyber engineering position? Of course it would be. Should it be required? Absolutely not. The current emphasis that is placed on required skillsets in the market is far too granular to be sustainable. Instead, these credentials should serve as “nice-to-haves” and should not constitute an elimination criterion for candidates on a large scale. Needless to say, there are circumstances where granular specifications for candidates might be warranted, but overwhelmingly these criteria are unnecessary and don’t add any value to the hiring process.

Another potential solution is shifting the focus from checklist criteria to non-tangible skillset (soft skills) assessments that speak to the adaptability and flexibility of candidates. Many hiring managers would much rather have employees who are eager to learn, well-spoken, well-written, and able to adapt to an ever-changing work environment. These soft skills can be somewhat difficult to glean from a resume but become apparent during the interview process. It is for this reason that adjusting the hiring process as a whole might be beneficial as well: decrease hard requirements, reduce pre-interview screening, open the door for previously excluded candidates, and test their soft skills during the interview process. Simply put, give people a chance.

By getting to know candidates during the interview process, rather than simply trying to understand them through their resumes or through some AI-generated summary, companies can also reduce the likelihood of candidate misrepresentation. The sad truth is that it is very easy to lie on a resume, and in fact, there are AI tools out there that will rewrite resumes to match job descriptions perfectly, giving some people an unfair advantage. Although it is easy to lie on a resume, it is significantly more difficult to lie in an interview, or at least easier for hiring managers to detect these lies in an interview. Especially in tech-related fields, where the barrier to entry is so robust and the jargon is so specific, it will become apparent very quickly when candidates are unable to walk the walk or talk the talk.

To summarize, the key takeaway here should be to stop hunting for unicorns – instead, hire workhorses and turn them into unicorns through professional development, mentoring, and growth opportunities. Hard workers will always want to work, so giving these individuals the opportunity to shine can only result in forward progress; requisitions be damned.

Image credit: foxyburrow, AdobeStock

Posted by

William Spettmann

William Spettmann is a certified cybersecurity expert, university professor of cybersecurity, and founder and President of SecurityInsecurity, a New York-based cybersecurity and governance, risk, and compliance (GRC) consulting firm. William specializes in GRC for federal and healthcare information systems, and has spent the better part of his career providing real-world cybersecurity guidance to the Department of Defense for various tactical and nuclear infrastructure systems. William is an active public speaker, has CISSP, PMP, CISM, C|EH, C|NDA, and Security+ certifications in good standing, offers free career counselling for emerging cybersecurity professionals, certification tutoring, and has been published on various platforms. You can connect with William via https://www.linkedin.com/in/spettmann/.