Preface

Why We Chose to Write This Book

From humble beginnings of the Arpanet and a worm called “Creeper,” cybersecurity as a field has grown by leaps and bounds. Now, in the year 2022, every private corporation, government entity, public school, private university, mom-and-pop shop, massive financial institution, and local bank branch must consider cybersecurity and the people they hire to carry out cybersecurity directives. The massive growth of the field is staggering, with demand for cybersecurity experts estimated to be growing twelve times faster than the current job market in the United States.1 In short, every industry is struggling to find and retain employees that address cybersecurity needs. The structured solution offered in this book will guide the C-Suite, internal and external talent acquisition teams, and human resource professionals charged with navigating this challenging arena. Eligible employees come from information technology, engineering, security, privacy, risk, legal, computing, and human resources backgrounds, each offering a different piece of the puzzle. Compounding the complexity of the concept we term “cybersecurity” is the variety of full-time, part-time, contract, and “As A Service” (“AAS”) employees every employer must consider. What we have found, over and over again, is that cybersecurity is fundamentally a human problem—and must be addressed accordingly.

We have been fortunate enough to speak with leaders in this space from a wide range of backgrounds, and have incorporated their valuable insight into our hiring model: from the Director of the National Initiative for Cybersecurity Education at the National Institute of Standards and Technology in the U.S. Department of Commerce; to the Director of Information Security Governance Risk and Compliance for the University of Wisconsin System; to the Vice President and Chief Security Officer of Dominion Energy (a major energy supplier for the U.S. government and countless private entities); to the former Chief Information Officer of the U.S. Air Force and current Senior Vice President of Leidos (the largest IT provider in the federal market); to the Director of Technology Infrastructure and Information Security of a Major League Baseball Team.

Outline

Technology is inherently and firmly rooted in everyday life. Safe interaction with information technology systems is increasingly important. Fortunately, many companies are aware of the risk and corresponding liability which arise from maintaining ever-growing amounts of data, and they emphasize building systems which will stay ahead of cyber threat vectors. Developing and implementing solutions to ongoing cyberattacks and data breaches requires creative, focused, and highly trained employees. The challenge is finding the right people who are capable of creating effective solutions to evolving problems. As a result, the cyber world is struggling to find the human capital it needs.

It was predicted that there would be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014.2 Unfortunately, the cybersecurity workforce gap continues to increase: as of 2019, it was estimated that the U.S. cybersecurity workforce needed to grow by sixty-two percent in order to meet nationwide demand.3

Compounding this problem is the fact that clear descriptions of job roles and responsibilities are substantially lacking. The research shows that professionals in the field of cybersecurity respond better to clearly defined job requirements and descriptions. Vague descriptions are not only a “turn-off” to those with experience but also create confusion for newbies.4 When non-manager level cybersecurity professionals were asked “What about a job description demonstrates an employer’s lack of cybersecurity knowledge?” seventy percent of respondents replied it was when the description was “too vague,” and forty-eight percent of executive management concurred.5 A runner-up problem was when the job description “didn’t accurately reflect the position details or responsibilities.”6

Defining who you need for certain roles is more challenging for jobs relating to cybersecurity because these positions are situated in a rapidly evolving field involving specialized skills which must be adapted to unique workplace environments. Even though the initial strategy at the outset is often to set the bar high, begin reviewing applicants, and then compromise on one or a few competencies, this compromise is rarely realized. This is because once a “good enough” candidate is identified, at least one person in the approval pipeline will ask why a candidate who fails to meet the job description is being considered at all. But there are valuable cybersecurity candidates—whether for technical, compliance, risk, legal, or executive roles—that come from all different backgrounds and can be trained. The real question is: do you know (and understand) what you need?

The single most important part of this process is often overlooked by most hiring professionals, and not only those focused on cybersecurity. To hire effectively, you must know, in specific detail, exactly who and what you need for each specific position. Job competencies, particularly those based on surveys or industry research, are insufficient because they are too general. Relying on credentials or completion of specific training courses, without a deeper dive, is also not enough to differentiate between candidates who will succeed and those who will fail. Defining who you need for certain roles is more challenging for jobs relating to cybersecurity because these positions present a field that involves specialized skills which must be adapted to unique workplace environments. Paul Maurer,7 the president of Montreat College (which is a National Center of Academic Excellence in Cyber Defense Education), explains why cybersecurity is a human problem:

Paul Maurer: Here’s the basic value proposition that we came to after a year of market-testing, in boardrooms, in Washington D.C., in partnership with a think tank in D.C.: that cybersecurity is not principally a technical problem. The problem of cybersecurity is principally a human problem. Therefore, the solution to cybersecurity is not principally a technical solution. It is principally a human solution. If you don’t have people with the right character and ethics as your cyber leaders, as your cyber operators, your technology doesn’t matter very much. We don’t think that AI alone can solve the cyber problem. We think humans principally need to solve the cyber problem.8

The first section of this book dives into the particulars of cybersecurity—the laws, regulatory bodies, and careers that impact and influence hiring needs, obligations, and budgets.

Afterward, we describe our proprietary hiring model that best applies to cybersecurity workforce development. In reviewing how to use this model, we offer solutions for defining and assembling the right candidate pool, how to use a resumé most efficiently, and how to develop a candidate description and corresponding question sets that will facilitate the extraction of relevant data. The goal is to make better hiring decisions. We will address common pitfalls and how to avoid them; in particular, the concepts of “fit”, “a great addition to the team,” and “taking a chance” as bases for hiring decisions will be analyzed, and processes for how to avoid them given in detail.

With a comprehensive analysis of the current cybersecurity workforce, backed by in-depth interviews with leading industry experts, statistics from government and the private sector, and data breach stories pulled directly from the headlines, this book serves as a practical guide to adeptly find, differentiate, and hire the appropriate and necessary cybersecurity workforce. It is the most effective way to face the cutting-edge nature of cybersecurity in the first half of the twenty-first century.

1 National Initiative for Cybersecurity Careers and Studies, Veterans: Launch a New Cybersecurity Career. https://niccs.us-cert.gov/training/veterans

2 Cybersecurity Ventures, Cybersecurity Talent Crunch to Create 3.5 Million Unfilled Jobs Globally by 2021. https://cybersecurityventures.com/jobs/

3 (ISC)2, Cybersecurity Workforce Study 2019. www.isc2.org/-/media/ISC2/Research/2019-Cybersecurity-Workforce-Study/ISC2-Cybersecurity-Workforce-Study-2019.ashx (3)

4 (ISC)2, Hiring and Retaining Top Cybersecurity Talent. www.isc2.org/-/media/Files/Research/ISC2-Hiring-and-Retaining-Top-Cybersecurity-Talent.ashx (10)

5 Id.

6 Id.

7 Paul Maurer serves as president of Montreat College in North Carolina. Montreat College is a National Center of Academic Excellence in Cyber Defense Education as designated by the NSA and DHS. The college offers four levels of cyber education: certificate programs, Associate of Applied Science in Cybersecurity, Bachelor of Science in Cybersecurity, and MBA with a concentration in cybersecurity management. Montreat emphasizes the role of character and ethics as central to being trusted cyber leaders and professionals.

8 P. Maurer, in discussion with the authors. July 13, 2020.
