The cybersecurity talent shortage has troubled organizations for years. Whether you work for a large enterprise, a financial institution, a services firm, or anything in between, it’s likely that you have cybersecurity roles listed on your website today that have yet to be filled. With the reported increase in cybercrime and sophistication of attacks, the demand for cybersecurity talent is at an industry high.

ISACA’s State of Cybersecurity 2020 reports that 62% of IT and security leaders surveyed say their cybersecurity teams are understaffed. Plus, those who took longer to fill cybersecurity positions reported more cyber attacks.

The (ISC)2 Cybersecurity Workforce Study 2020 reports nearly identical numbers: 64% of the cybersecurity professionals surveyed reported staff shortages. The study also revealed that the global cybersecurity workforce gap – the difference between the number of skilled professionals that organizations need to protect their critical assets and the actual capacity available to take on this work – was 3.12 million in 2020.

In other words, we’ve got our work cut out for us – and it’s clear that, as an industry, we need to reimagine our hiring efforts to keep pace with the demand. In this blog, we’ll discuss how the events of the past year have reshaped hiring, creative recruitment ideas, hiring challenges, and why employee retention is key. Bonus: NetSPI’s COO shares advice to help narrow the talent gap while essential cybersecurity positions remain unfilled.

The COVID-19 pandemic has reshaped hiring

The COVID-19 pandemic has caused rapid change in the way we work – and the way we hire. Largely, it has given organizations more flexibility to find the best talent. Depending on the position, recruitment efforts are no longer bound by geography, and we have the ability to source the best talent regardless of where they live.

Tsedal Neeley, a professor at Harvard Business School and author of the book Remote Work Revolution: Succeeding From Anywhere, communicates this point perfectly in a recent NPR article: “We have changed. Work has changed. The way we think about time and space has changed. Workers now crave the flexibility given to them in the pandemic — which had previously been unattainable.”

Aligned with this sentiment, it is a job seeker’s market. We’re in the midst of what many are calling “The Great Resignation.” More than ever, employers need to put their best foot forward, offer flexible work options, and understand that work must accommodate life – not the other way around.

7 creative approaches to recruiting

Ask any organization about its primary recruiting channels and the standard answers you will likely receive include popular job sites (LinkedIn, Indeed, etc.), job fairs, and staffing firms. However, there are many ways to step outside of those bounds and get creative about where you source your cybersecurity talent. In the name of information sharing, here are seven ways NetSPI has discovered some of its best talent:

  1. GitHub: Are there open source tools that your technical team uses on a regular basis? Look to see who has contributed to those tools for potential candidates.
  2. Twitter: The security community is very active on Twitter. Explore hashtags specific to your organization (#penetrationtesting) or follow along with topical dialogues and threads. Often, you’ll come across a public thread of candidates actively looking for cybersecurity work.
  3. NetSPI University (NetSPI U): NetSPI U is a full-time, paid training program that focuses on pentesting. It’s geared toward entry-level security professionals who want to get started in the space. The result? Qualified technical talent who understand our technologies, processes, and vision. More on this later.
  4. Meetups: Continued engagement with security organizations such as OWASP, DEFCON, and others has been instrumental in growing our network of candidates.
  5. Referral Program: In 2021 alone, we have hired 20 employees as a result of our employee referral program. We trust our employees to recommend the best talent in their network.
  6. Re-Hires: Given the flexibility of remote work, we were able to reengage with many past NetSPI employees who had moved where there was not a NetSPI office location.
  7. Investing in Internal Recruiters: While staffing firms are certainly helpful, we believe that investing in internal recruitment resources produces the best results. Because we’re boots-on-the-ground at NetSPI each day, we understand the organization’s standards and know exactly what to look for, from technical skills to culture fit.

Cybersecurity hiring challenges

The fact that the cybersecurity industry has a 0% unemployment rate could be seen as the industry’s greatest challenge, but it’s also an opportunity: an opportunity for employers to recognize that the hiring process is a two-way street. Just as employees need to communicate why they would be the best fit for a given position, employers must effectively communicate their strengths and perks, and get competitive about what they have to offer. Ultimately, it’s increasing the urgency for organizations to create a positive candidate experience for applicants.

Another major challenge specific to cybersecurity is the high level of standards that are set for technical security professionals. There is little room for error in this industry as one mistake could result in a detrimental outcome. We take pride in the high-quality work every NetSPI team member produces and it’s important – and an ongoing challenge – to find technical talent that is in alignment.

The security industry has countless disciplines. Cloud security, application security, network security, the list goes on – not to mention the subcategories within each discipline… AWS, mobile apps, IoT, etc. There are many different areas of security that people can specialize in, but we’ve noticed a lack of candidates with a strong focus in a niche area. While there are benefits to having a well-rounded candidate, it is particularly difficult to hire for a specific cybersecurity need today.

Finally, the barrier to entry is very high in the security industry. Often, the requirements on job descriptions are too stringent to open the door to new candidates who have a passion for cybersecurity but perhaps do not have a traditional security background or education. That’s why we developed and continue to invest in NetSPI U, our training program for entry-level penetration testers. It features hands-on labs and opportunities to shadow some of the most brilliant minds in security. It gives entry-level security professionals the foundation to jump-start their career.

Learn more about NetSPI U and apply for our next NetSPI U class online here.

Employee retention should be the priority

Above all, investing in the growth of your existing team and retaining top talent is key to closing the talent gap. If you invest in your current workforce, people will be more apt to want to join your team.

Employee retention remains a priority for NetSPI, which is why we achieved an industry-high retention rate of 92% in 2020. Pulling from our 2021 Top Workplaces survey results, here are the top five reasons people stay with us.

  • Collaboration: Collaboration is one of NetSPI’s brand pillars. One quote from the Top Workplaces survey summarizes this well: “The people I work with are dedicated to making sure everyone succeeds to the best of their ability – and enjoys working along the way!” 
  • Fun: We take pride in the relationships our employees have with one another. The ability to create an environment where employees enjoy their work is essential to the success of our organization.
  • Talent: The caliber of people our employees get to learn from and work with is a huge draw for NetSPI. Top talent attracts top talent.
  • Growth: We don’t give our employees a ceiling for growth. We cross-train and hire from within when possible. We believe in promoting people who can do the job, and do not base growth on years of experience. An indicative quote from the Top Workplaces survey: “Career growth is always visible and in reach.”
  • Innovation: Something we do well is creating technologies that solve common problems not only for our clients, but also for our services team. The more we can automate redundant, time-consuming tasks, the more time our consultants can focus on finding the vulnerabilities that tools cannot.

Beyond hiring: 3 alternative actions that can help narrow the cybersecurity talent gap

It is important to note that today’s cybersecurity talent ‘crisis’ does not have an overnight solution. However, there are some things organizations can do in the interim to address the growing demand for talent today. We spoke with NetSPI Chief Operating Officer (COO) Charles Horton to learn what steps organizations can take to narrow the gap. Here’s what he had to say:

Automation is a critical tool for narrowing the cybersecurity talent gap. Without automating the more tedious, administrative tasks, security practitioners will not have time to focus on the strategic work at hand – or professional development activities. Keeping talent focused on the more creative, strategic work they enjoy and allowing tools to do the administrative work will keep teams engaged. Also, automation helps keep the team interested in their work and gives them opportunities to build their skills as they support key security initiatives. 

Cybersecurity leaders continue to be challenged by filling roles that require candidates with mid- to senior-level experience – and entry level job openings continue to be in high demand. Companies will need to do more with fewer people. To accomplish this, the adoption of program-level or ‘as a service’ partnerships with third parties that can provide dedicated support and capacity to keep key security initiatives running as an extension of the internal security team. This allows security teams to be agile and flexible with their talent as needs arise.

Companies that can think outside of the box can take a creative approach to narrowing the cybersecurity talent gap. This would require building training programs that could be delivered internally, through external partners, or a blend, in combination with targeting candidates that may not have an exact match from a skills perspective but have a core set of skills that could be leveraged to accelerate training. These hiring and training tactics could yield a skilled workforce in cybersecurity where opportunities were not initially visible. 

If there’s one thing we love most about the cybersecurity industry, it’s the willingness to share big ideas and new concepts with one another. If you have recommendations for closing the talent gap or are curious about a career at NetSPI, reach out to