Cybersecurity Hiring Insights

How to Hire the Right Cybersecurity Talent: Essential Tips and Strategies

Table of Contents

  • [toc headings="h2,h3" title="Table of Contents"] Hiring the right people is critical for any role in an organization, and that's especially true when you're recruiting cybersecurity professionals. These are the employees you entrust with keeping all your company's data and systems secure from cyberattacks. The right candidates for cybersecurity positions need to be up-to-date on the latest security trends and technology, as well as being a fit for your culture and work environment, and that can be a tall order. According to the ISACA's State of Cybersecurity 2022 report, 63% of the 2,000 companies surveyed have unfilled positions on their cybersecurity team, an increase of 8% from the previous year. Among those who do find the talent they need, about 20% of respondents report a time to hire of six months or longer. Those kinds of delays are costly and leave your company vulnerable to hackers and data breaches. An effective security hiring strategy can help business leaders overcome these issues to ensure they have a full team of highly-qualified employees.

  • Challenges of cybersecurity hiring

  • The most significant challenge in cybersecurity hiring today is that there simply aren't enough skilled professionals to fill all the open jobs. In (ISC)2's 2019 Cybersecurity Workforce Study, there is a gap in the cybersecurity workforce of nearly 500,000 in the United States alone. The talent pool would need to grow by roughly 62% in order to meet these demands. It doesn't help that there are significant barriers to employment in cybersecurity. Truly entry-level roles are difficult to come by, which can prevent those pivoting from other tech roles, or recent graduates who haven't yet accrued experience, from adding their talents to a security team. Many employers look for security professionals with industry certifications as well as degrees, but those can be costly to obtain and maintain, adding another barrier to entry for newcomers to the field. Cybersecurity also hasn't been immune to the Great Resignation and other shifts happening across the broader talent market. Security professionals know they're in high demand and are less likely than in the past to settle for a role with low compensation, a hostile work environment, a lack of flexibility, or other issues that will affect their work/life balance or workplace satisfaction. The expansion of remote work, meanwhile, has opened up even more options for workers with security skills, making hiring a challenge even in regions not known as tech hubs.

  • Skills to look for in cybersecurity candidates

  • One reason many companies are struggling to hire security talent is that they're looking for so-called purple squirrel candidates. In other words, they want individuals with a perfect combination of experience and skills, who can handle the full responsibilities of the role with little to no training. The problem is, these candidates may not exist even in a typical hiring landscape, and are even harder to find when there's an ongoing talent shortage. To be fair, there's a good reason for employers to be picky about their security hires. Security teams and cybercriminals are in a perpetual arms race as hackers look for new ways to exploit vulnerabilities and companies find new ways to stop them. This means cybersecurity workers need to stay up-to-date with the latest trends and tools in order to perform their jobs effectively. How do employers get around this seeming catch-22? The answer comes down to knowing which skills and experience are crucial for the role, and which would be nice to have but aren't absolutely necessary. While the specific must-haves vary between roles, there are some consistent skills needed for the entire security team. On the technical skill side, this starts with scripting. Security workers don't necessarily need to be able to write programs from scratch, but they do need to understand languages like PowerShell and Python, both so they can create automation routines and other tools, and so they can analyze this code for inconsistencies or vulnerabilities. Along with this, they need an in-depth understanding of intrusion detection systems (IDS), intrusion prevention systems (IPS), and security information and event management products (SIEM), as well as computer operating systems and network security control measures. On the soft skill side, the most important across roles is knowledge of risk management. This means an ability to identify potential vulnerabilities, assess the severity of known threats, and anticipate the impact of a threat on the business. This means having excellent creative problem solving and critical thinking ability. Communication and collaboration are also key skills for cybersecurity pros, including the ability to explain technical processes in layman's terms.

  • Top interview questions for cybersecurity roles

  • Interviews are the most valuable step of the hiring process. It's an opportunity to assess both the applicant's security knowledge and their fitness for the company's culture, mission, values, and workplace environment. Here are some great questions hiring managers can ask to identify the top cybersecurity applicants.

  • Technical interview questions

  • Open-ended questions about the terms, tools, and concepts related to information security are an excellent way to assess a candidate's depth of knowledge. Some excellent questions about the technical side of the field include:

    • Explain the difference between vulnerability, threat, and risk.
    • What's the difference between IPS and IDS?
    • Talk me through the steps of implementing and maintaining a firewall.
    • What's the difference between penetration testing and vulnerability assessment, and how would you go about performing each function?
    • List the most common types of security attacks and one defense against each.
    • What type of attack do you think our organization would be most likely to experience, and what steps would you take to prevent it?
    • What is the difference between black hat, gray hat, and white hat hackers?
    • What is the most effective way to prevent phishing?
    • What are some methods to prevent DDOS attacks? How would you stop one that's already in progress?

  • Behavioral interview questions

  • These types of questions help you to assess whether the candidate will be a good fit for your team and workplace, and can be just as important as technical questions for identifying the best candidates. Some great behavioral questions for security pros include:

    • Describe a time you discovered a vulnerability in a company's systems, and talk me through the steps you took to resolve the issue.
    • Tell me about a time you collaborated with a team to solve a security challenge.
    • If you discovered a major vulnerability or breach, what steps would you take to communicate that to leadership?
    • How do you prioritize tasks and manage your day-to-day workflow?
    • What are the steps to conduct a cybersecurity risk assessment, and when is it necessary?
    • What type of management style do you prefer to work under, and why?
    • When you're leading a team, what type of management style do you use?
    • What type of security work do you find most engaging, and why?
    • What's the difference between quantitative and qualitative analysis, and how would you use each in a risk assessment?
    • How do you stay informed about trends and developments in the industry?

  • Tips to hire and retain cybersecurity talent

  • Pay a competitive salary

  • With talent, as with so many things, you often get what you pay for. If you're not willing to pay an experienced security analyst or engineer what they're worth, someone else will. This starts with identifying just what is considered competitive for your role through salary benchmarking and other methods if you don't know this already.

  • Write reasonable, accurate, and unbiased job descriptions

  • More qualifications for a job means fewer candidates are likely to meet them. This can discourage some applicants from even trying if they don't think they stand a chance of being hired. The same is true of sexist, racist, or other biased language, even if it's unintentional. Carefully consider each of your job requirements to make sure it's actually necessary for your role, and review the language of every job description carefully to ensure it's not turning off any potentially strong applicants.

  • Implement an employee referral program

  • Referred hires are more likely to be a good long-term fit than the average candidate. For one thing, your employees understand your workplace culture and business needs, and what kind of worker would be a great fit for them. Employees also know that the referred hire's performance reflects on them, so most won't knowingly refer someone who can't thrive in the role.

  • Attend job fairs, conferences, and other networking events

  • Events hosted by organizations like (ISC)2 and the ISACA are an excellent place to connect with cybersecurity professionals at every stage of their career, including passive candidates as well as those actively looking for opportunities.

  • Invest in upskilling and reskilling for your current team

  • If you give current team members an easy way to learn the skills for cybersecurity roles, you won't need to hire as many new professionals to close skill gaps in your organization. Supporting your security team's ongoing education also enables them to grow with your company, improving retention. You don't need to create these training programs from scratch, either. Instead, you can offer paid study time or fee reimbursement to encourage employees to take advantage of the wide variety of certification and training programs that already exist.

  • The bottom line on cybersecurity hiring

  • As companies across industries continue to expand their digital offerings for customers, as well as their use of remote workers and cloud-based systems, the need for professionals to keep all of the organization's data and network secure. In other words, if you're struggling to hire the right talent now, it's not going to get any easier. Utilizing the tips and information in this article can help companies build the impactful security teams they need today so they're ready to meet the needs of the business in the future.

Hiring the right people is critical for any role in an organization, and that’s especially true when you’re recruiting cybersecurity professionals. These are the employees you entrust with keeping all your company’s data and systems secure from cyberattacks. The right candidates for cybersecurity positions need to be up-to-date on the latest security trends and technology, as well as being a fit for your culture and work environment, and that can be a tall order.

According to the ISACA’s State of Cybersecurity 2022 report, 63% of the 2,000 companies surveyed have unfilled positions on their cybersecurity team, an increase of 8% from the previous year. Among those who do find the talent they need, about 20% of respondents report a time to hire of six months or longer. Those kinds of delays are costly and leave your company vulnerable to hackers and data breaches. An effective security hiring strategy can help business leaders overcome these issues to ensure they have a full team of highly-qualified employees.

Challenges of cybersecurity hiring

The most significant challenge in cybersecurity hiring today is that there simply aren’t enough skilled professionals to fill all the open jobs. In (ISC)2’s 2019 Cybersecurity Workforce Study, there is a gap in the cybersecurity workforce of nearly 500,000 in the United States alone. The talent pool would need to grow by roughly 62% in order to meet these demands.

It doesn’t help that there are significant barriers to employment in cybersecurity. Truly entry-level roles are difficult to come by, which can prevent those pivoting from other tech roles, or recent graduates who haven’t yet accrued experience, from adding their talents to a security team. Many employers look for security professionals with industry certifications as well as degrees, but those can be costly to obtain and maintain, adding another barrier to entry for newcomers to the field.

Cybersecurity also hasn’t been immune to the Great Resignation and other shifts happening across the broader talent market. Security professionals know they’re in high demand and are less likely than in the past to settle for a role with low compensation, a hostile work environment, a lack of flexibility, or other issues that will affect their work/life balance or workplace satisfaction. The expansion of remote work, meanwhile, has opened up even more options for workers with security skills, making hiring a challenge even in regions not known as tech hubs.

Skills to look for in cybersecurity candidates

One reason many companies are struggling to hire security talent is that they’re looking for so-called purple squirrel candidates. In other words, they want individuals with a perfect combination of experience and skills, who can handle the full responsibilities of the role with little to no training. The problem is, these candidates may not exist even in a typical hiring landscape, and are even harder to find when there’s an ongoing talent shortage.

To be fair, there’s a good reason for employers to be picky about their security hires. Security teams and cybercriminals are in a perpetual arms race as hackers look for new ways to exploit vulnerabilities and companies find new ways to stop them. This means cybersecurity workers need to stay up-to-date with the latest trends and tools in order to perform their jobs effectively.

How do employers get around this seeming catch-22? The answer comes down to knowing which skills and experience are crucial for the role, and which would be nice to have but aren’t absolutely necessary. While the specific must-haves vary between roles, there are some consistent skills needed for the entire security team.

On the technical skill side, this starts with scripting. Security workers don’t necessarily need to be able to write programs from scratch, but they do need to understand languages like PowerShell and Python, both so they can create automation routines and other tools, and so they can analyze this code for inconsistencies or vulnerabilities. Along with this, they need an in-depth understanding of intrusion detection systems (IDS), intrusion prevention systems (IPS), and security information and event management products (SIEM), as well as computer operating systems and network security control measures.

On the soft skill side, the most important across roles is knowledge of risk management. This means an ability to identify potential vulnerabilities, assess the severity of known threats, and anticipate the impact of a threat on the business. This means having excellent creative problem solving and critical thinking ability. Communication and collaboration are also key skills for cybersecurity pros, including the ability to explain technical processes in layman’s terms.

Top interview questions for cybersecurity roles

Interviews are the most valuable step of the hiring process. It’s an opportunity to assess both the applicant’s security knowledge and their fitness for the company’s culture, mission, values, and workplace environment. Here are some great questions hiring managers can ask to identify the top cybersecurity applicants.

Technical interview questions

Open-ended questions about the terms, tools, and concepts related to information security are an excellent way to assess a candidate’s depth of knowledge. Some excellent questions about the technical side of the field include:

  • Explain the difference between vulnerability, threat, and risk.
  • What’s the difference between IPS and IDS?
  • Talk me through the steps of implementing and maintaining a firewall.
  • What’s the difference between penetration testing and vulnerability assessment, and how would you go about performing each function?
  • List the most common types of security attacks and one defense against each.
  • What type of attack do you think our organization would be most likely to experience, and what steps would you take to prevent it?
  • What is the difference between black hat, gray hat, and white hat hackers?
  • What is the most effective way to prevent phishing?
  • What are some methods to prevent DDOS attacks? How would you stop one that’s already in progress?

Behavioral interview questions

These types of questions help you to assess whether the candidate will be a good fit for your team and workplace, and can be just as important as technical questions for identifying the best candidates. Some great behavioral questions for security pros include:

  • Describe a time you discovered a vulnerability in a company’s systems, and talk me through the steps you took to resolve the issue.
  • Tell me about a time you collaborated with a team to solve a security challenge.
  • If you discovered a major vulnerability or breach, what steps would you take to communicate that to leadership?
  • How do you prioritize tasks and manage your day-to-day workflow?
  • What are the steps to conduct a cybersecurity risk assessment, and when is it necessary?
  • What type of management style do you prefer to work under, and why?
  • When you’re leading a team, what type of management style do you use?
  • What type of security work do you find most engaging, and why?
  • What’s the difference between quantitative and qualitative analysis, and how would you use each in a risk assessment?
  • How do you stay informed about trends and developments in the industry?

Tips to hire and retain cybersecurity talent

Pay a competitive salary

With talent, as with so many things, you often get what you pay for. If you’re not willing to pay an experienced security analyst or engineer what they’re worth, someone else will. This starts with identifying just what is considered competitive for your role through salary benchmarking and other methods if you don’t know this already.

Write reasonable, accurate, and unbiased job descriptions

More qualifications for a job means fewer candidates are likely to meet them. This can discourage some applicants from even trying if they don’t think they stand a chance of being hired. The same is true of sexist, racist, or other biased language, even if it’s unintentional. Carefully consider each of your job requirements to make sure it’s actually necessary for your role, and review the language of every job description carefully to ensure it’s not turning off any potentially strong applicants.

Implement an employee referral program

Referred hires are more likely to be a good long-term fit than the average candidate. For one thing, your employees understand your workplace culture and business needs, and what kind of worker would be a great fit for them. Employees also know that the referred hire’s performance reflects on them, so most won’t knowingly refer someone who can’t thrive in the role.

Attend job fairs, conferences, and other networking events

Events hosted by organizations like (ISC)2 and the ISACA are an excellent place to connect with cybersecurity professionals at every stage of their career, including passive candidates as well as those actively looking for opportunities.

Invest in upskilling and reskilling for your current team

If you give current team members an easy way to learn the skills for cybersecurity roles, you won’t need to hire as many new professionals to close skill gaps in your organization. Supporting your security team’s ongoing education also enables them to grow with your company, improving retention. You don’t need to create these training programs from scratch, either. Instead, you can offer paid study time or fee reimbursement to encourage employees to take advantage of the wide variety of certification and training programs that already exist.

The bottom line on cybersecurity hiring

As companies across industries continue to expand their digital offerings for customers, as well as their use of remote workers and cloud-based systems, the need for professionals to keep all of the organization’s data and network secure. In other words, if you’re struggling to hire the right talent now, it’s not going to get any easier. Utilizing the tips and information in this article can help companies build the impactful security teams they need today so they’re ready to meet the needs of the business in the future.