Kevin Garvey

Skilling the Gap: Creative Ways to Recruit Top Cyber Talent

Many want to come to our field, but just do not know how. Open the door for them.

March 22, 2021

Recruiting top cyber talent has been a challenge since the dawn of the cyber security industry. As the requirements for organizations to secure themselves against a myriad of security concerns continue to grow, so does the need to fill new and existing cyber roles. This worldwide problem is exacerbated by a dearth of “perceived” worldwide cyber security talent. However, those within the industry and those recruiting for roles in it can turn this unique challenge into creative and successful solutions for bridging the cyber talent gap. Luckily, those who are hiring for cyber security roles have the individual power to help turn the tide and bring uniquely qualified candidates to organizations.

Understanding what is causing candidates not to present themselves to an organization starts from the very beginning of recruitment. Four main problems creating an artificial blockade to potential candidates include:

  • Steppingstone hands-on experience is lacking for many trying to get into the industry
  • Job descriptions over-exaggerate the requirements for the role
  • Interviews can be too much of an art than a science
  • Tech teams and HR have not forged on bridging the talent gap together

Steppingstone Hands-on Experience is Lacking for Many Trying to Get into the Industry

Many individuals trying to get a head start in the cyber security industry hit a major headwind the minute they start applying for a role. They look back at their resume and say to themselves, “I do not have the required hands-on experience for this role.”

Unfortunately, while that candidate may have the right ingredients to be successful at the role they are applying to, they will pause on applying to the role due to a perceived lack of experience for the position. This dilemma stops so many qualified candidates from ever stepping foot into this amazing industry. There are a few different ways one could tackle this barrier to enlarge the pipeline of qualified candidates into stepping-stone roles to flourish into something special in the industry:

  • Develop a rotation for candidates to sit with technical teams that are not focused on cyber security, such as network operations, Windows and Linux operations, and IT help desk, at the beginning of their tenure to gain hands-on experience. This allows candidates to build key foundational knowledge of functional units they may be responsible for protecting and responding to throughout their career.
  • Follow Google’s 80/20 policy, which allows an individual to spend 20% of their time on creative side projects. Not only does that allow the candidate to flex their creative muscles, but it also gives them a wonderful opportunity to partner with other functional areas and gain experience they would never have had the chance to even think about before. It will also afford them the chance to network with those outside of cyber security and build contacts throughout the company that could help them be successful in the organization throughout their tenure.
  • Allow employees to work on stretch goals. For example, let someone work on an automation solution so they can grow a small amount of programming skills. Employees will appreciate senior management’s backing on their endeavors to be a better version of themselves too.

Job Descriptions Over-Exaggerate the Requirements for the Role

When organizations know they have an open requisition to fill, some make the mistake of using a canned job description from the past or taking one from the internet and copying and pasting much of the detail. However, those trying to enter the industry see job descriptions and get scared off from even applying in the first place. An example of an entry level job description I found through a quick search:

“A minimum of three years of experience in the field of Cyber Security and Information Risk Management

Bachelor's degree in an appropriate field from an accredited college/university

Cybersecurity related certification (e.g., CISSP, CISM, CISA, GCIH, GPEN) a plus

Working knowledge of NIST 800-171 and the Cybersecurity Maturity Model Certification

Familiarity with other compliance frameworks such as FedRAMP, FISMA, SOC, ISO, HIPAA, HITRUST, etc.

Working knowledge of database technologies such as SQL

3 years of working and hands on networking knowledge”

In fact, many with experience in the industry may not have all the “requirements” for this entry-level role. Does that mean an entry-level applicant would be unsuccessful at this role? Maybe instead of analyzing that question, we should ask whether the job description for the role is appropriate. Next time you are charged with reviewing a job description for a role, think about:

  • Could a large list of certificates scare off qualified candidates?
  • Look closely at the “years of experience” required for each line item
  • Differentiate between a “required skill” and a “nice to have”
  • What soft skills can make an entry level candidate shine?

Unfortunately, stringent job descriptions like the example above may be good for Application Tracking Systems, but they may not be the best way to bring in your best future cyber talent. They may inadvertently stop top candidates from ever applying to your organization because they automatically assume they are not qualified enough. Sadly, if they do not apply, you will not be able to interview them and really get to know a hidden, well-qualified candidate. Some of the key hard skill components needed to be successful at a role have the potential to be taught while on the job.

Interviews Can Be Too Much of an Art Than a Science

Ask 100 people how they interview a candidate, and you will get 100 different answers. Everyone has their own style of interviewing, but when it comes to entry-level positions or those trying to forge their path in the cyber security industry, figuring out the right mixture of questions to assess a candidate can be tricky. After interviewing hundreds of candidates for roles, including entry-level roles, I have found that honing in on the candidate’s soft skills can be a huge win in finding someone who will quickly excel in the industry. Some high-level soft skills to assess an entry-level candidate on can include:

[Image: high-level soft skills to assess an entry-level candidate on]

I always enjoy interviewing a candidate to find out how they were able to get through a sticky situation either at school or in the office. Hearing the way they tell the story can say a lot about a candidate, as it showcases their communication skills without it being a direct soft-skill-based question. Additionally, understanding the thought process of how the candidate was able to win over the situation will likely translate well into how they will get past complex situations at the office. A key tenet to remember:

“Cyber security is filled with the complex, but many times the crux of the answer is found by asking the best directed questions to best directed people or systems and not taking what is on the surface as the final answer.”

In addition, someone who has taken steps to practice their craft outside of normal working hours can turn into a superstar on your cyber team. They continually dig for the best answers when they are not transparent. Also, the tools in their toolbox are constantly being sharpened by being exposed to a diverse set of problems and an even more diverse set of solutions.

Tech Teams and HR Have Not Forged on Bridging the Talent Gap Together

What is enjoyable about trying to close the talent gap is that no one is alone on this journey. Cyber security teams and HR teams have a unique opportunity to work together and be creative on future roles. Many affinity groups are working tirelessly to help fill the gap. Both candidates and cyber professionals can partner with them to help build the future pipeline and also to find candidates who are making every effort to make a positive splash in the industry. In addition, utilize the free resources SANS has created to help in your cyber security and HR partnered journey:

Cyberaces.org


Developed by SANS, Cyber Aces is a free, online course that teaches the core concepts needed to assess and protect information security systems.

sans.org/FREE

SANS instructors produce thousands of free content-rich resources for the information security community annually. These resources are aimed to provide the latest in research and technology available to help support awareness and growth across a wide range of IT and OT security considerations.

SANS Summits

Summits bring together cyber security practitioners and leading experts to share and discuss case studies, lessons learned, new tools, and innovative strategies to improve cyber security and overcome challenges in a particular focus area or industry. Many SANS Summits are now FREE!

Tech Tuesdays

Dive into the material and get hands-on experience with tools and techniques that you can apply immediately.

SANS Reading Room

The SANS Reading Room features over 3,120 original computer security white papers in 111 different categories as of March 2021, and is added to regularly.

While the cyber security industry has experienced incredible growth both in requirements and expertise over the years, talent development is still playing catch-up. Luckily, those in the cyber security field historically thrive in situations where the answer to a problem is not always clear. Answering the problem by developing talent beyond the standard approaches will pay dividends to both your organization and the growth of the whole industry.

Many want to come to our field, but just do not know how to. Open the door for them.

Rest of the HR + Cybersecurity Series

1. Listen to the corresponding webcast here.

2. Read the rest of the Blog series here:

  • Knowing Your Applicants: How to Stay Current to Best Assess Your Cyber Applicants
  • Not in Cyber Security? No Problem! Creative Ways to Gain Experience With No Experience
  • Slow the Revolving Door of Talent: Creative Ways to Keep Your Cybersecurity Talent in Your Organization
  • Transition to Cyber Security From a Non-Cyber Role: Creative Ways to Impress to Land Your Dream Cyber Role
About the Author

Kevin Garvey is the US IT Security Manager for an international bank responsible for overseeing incident response, vulnerability management, cyber threat intelligence, as well as the security operations center (SOC). Previously, he worked at New York Power Authority, JP Morgan and WarnerMedia (formerly Time Warner). Kevin has always had a passion to hunt down the adversary and has loved tackling the risk and threat challenges his responsibilities have thrown at him. Kevin teaches SANS MGT512: Security Leadership Essentials for Managers. Read Kevin's full profile here.
