Advances in cybersecurity force organizations into a race to protect their data and digital infrastructure as new threats and technologies continuously emerge. However, one critical yet often overlooked component is people, and more specifically the job descriptions that define the workforce.
The way most cybersecurity job descriptions are crafted today (ahem, Ctrl+C, Ctrl+V, anyone?) fails to reflect the dynamic nature of the industry or of the organizations themselves, and may inadvertently be widening the cyber talent gap.
If you’re a security leader (or even HR!) I know what you might be thinking: “Girl, you’re preaching to the choir!” But in conversations with other leaders, many admit they are aware of the problem yet do not act on it because, let’s be honest, it’s not a one-and-done deal. It’s an ongoing process that requires consistent analysis and updates. But is that really any different from running vulnerability scans on your systems?
Fear not, fellow security and HR leaders. Some of the suggestions below are quick fixes; others may require extra planning or support. All of them, though, add up to continuously improving talent acquisition and retention as industry and organizational needs evolve.
Here are 6.5 considerations when updating cybersecurity job descriptions that impact both organizations and practitioners:
Many job descriptions list certifications or a college degree as prerequisites. While credentials like the CISSP or a BS in Information Systems can be valuable indicators of expertise, they shouldn’t be the baseline criteria for hiring. What a credential is really meant to signal is whether an applicant is interested in learning new skills, can think critically, and can apply those skills effectively. Some organizations have removed these criteria altogether or accepted alternative, more inclusive evidence of expertise.
Speaking of certifications: this may seem obvious, but it is worth calling out because it is still common practice. Many entry-level postings ask for 0-3 years of experience and yet list the CISSP, a certification whose own minimum experience requirement is five years. More reasonable entry-level certifications vary by job function, but you can’t go wrong with CompTIA’s IT Fundamentals+, A+, Network+, or Security+ credentials.
Along the same lines, experience is undoubtedly valuable in cybersecurity, but an exclusive emphasis on prior experience can be detrimental. Talented newcomers to the field may be deterred from applying for fear that a non-technical background or limited experience will be viewed unfavorably. Again, organizations should invest in promising candidates who have the desire to learn and excel. Here are five transferable skills to look for in candidates who have limited experience or non-traditional backgrounds.
Many cyber JDs are laden with buzzwords and technical jargon that make them look impressive but are often disconnected from the tasks the role actually involves. Unrealistic or undefined expectations about proficiency in programming languages, operating systems, and tools can discourage candidates who have excellent core skills but are put off by an exhaustive list of prerequisites.
Cybersecurity is not just about technical proficiency; it also requires effective communication, problem-solving, and team collaboration at every level. Many job descriptions focus solely on technical skills and neglect soft skills. The result can be a team that excels at a functional level but struggles to collaborate and adapt to new challenges. These traits are also essential for anyone wanting to advance into managerial and strategic positions.
On the flip side, unrealistic or undefined role expectations also confuse current employees. Clarify the knowledge, skills, abilities, and tasks (KSATs) for each role so that you can identify and minimize gaps and overlaps between roles. Appropriate qualifications paired with realistic expectations create an ecosystem in which employees perform tasks relevant to their roles, workflows are optimized, and hierarchies and career development pathways are clear.
While not formally required, mapping your cybersecurity workforce and job roles to an industry framework provides guidance and consistency that improve how you identify, recruit, develop, and retain cybersecurity and cyber-adjacent talent.
Emphasis on guidance. The NIST NICE Framework stresses that the KSATs and work roles it defines are building blocks, to be adapted to the standards, regulations, needs, and mission of each organization.
To bridge the cybersecurity talent gap and attract the right professionals, organizations must reimagine their approach to crafting job descriptions:
While fixing cybersecurity job descriptions isn’t a silver bullet, it is a solid foundation to build upon. Security and HR leaders should revise their job descriptions to be more inclusive, adaptable, and reflective of the evolving nature of cybersecurity and the changing needs of the organization. By setting clear expectations and creating more inclusive opportunities for practitioners, organizations can attract, build, and retain a broader range of talent and help bridge the cyber skills gap.
For leaders ready to revamp job descriptions and enhance their cybersecurity talent strategy, we’ve created a step-by-step strategy guide to help you get started. Check N2K’s Cyber Talent Insights for more information on job description support.