The advancements in cybersecurity forces organizations into a race to protect their data and digital infrastructure as new threats and technologies continuously emerge. However, one critical yet often overlooked component revolves around people. More specifically, the actual job descriptions that define the workforce.
How most cybersecurity job descriptions are crafted today–ahem, ctl+c to ctrl+v, anyone?–fail to reflect the dynamic nature of the industry or the organizations themselves, and may be inadvertently exacerbating the cyber talent gap.
Where Cyber JDs Fall Short
If you’re a security leader (or even HR!) I know what you might be thinking, “Girl, you’re preaching to the choir!” But when speaking with several other leaders, many are aware and yet do not act on this change because let’s be honest, it’s not a one-and-done deal. It’s an ongoing process that involves consistent analysis and updates. However, is it really different from doing vulnerability scans on your systems?
Fear not fellow security and HR leaders. Some of the suggestions listed below are quick fixes. In contrast, others may require extra planning or support, but all add up to helping continuously improve talent acquisition and retention efforts as industry and organizational needs evolve.
Here are 6.5 considerations when updating cybersecurity job descriptions that impact both organizations and practitioners:
1. Overemphasis on Degrees or Certifications
Many job descriptions list various certifications or a collegiate degree as prerequisites. While certifications like the CISSP or a BS in Information Systems can be valuable indicators of expertise, they shouldn't be the baseline criteria for hiring. The underlying abilities assumed with a credential are if an applicant demonstrates interest in learning new skills, can think critically, and apply skills effectively. Some organizations have removed these criteria altogether or found alternative or more inclusive forms of expertise.
1.5. Requiring Advanced-Level Certs for Entry-Level Jobs
Speaking of certifications. This may seem obvious, but it is still worth calling out as this is still common practice. Most entry-level jobs list 0-3 years of experience, but the minimum experience requirement for pursuing the CISSP certification is five years. More reasonable entry-level certifications can vary by the job function, but you can’t go wrong with CompTIA’s IT Fundamentals+, A+, Network+, or Security+ credentials.
2. Narrow Focus on Experience
Along the same lines, experience is undoubtedly valuable in cybersecurity, but an exclusive emphasis on prior experience can be detrimental. Talented newcomers to the field may be deterred from applying for fear of their non-technical background or limited experience being perceived as unfavorable. Again, organizations should invest in promising candidates who possess the desire to learn and excel. Here are five transferable skills to look out for in candidates who may have limited experience or non-traditional backgrounds.
3. Buzzword Overload and Unrealistic Expectations
Many cyber JDs are laden with buzzwords and technical jargon that can make them appear impressive but are often disconnected from the actual tasks associated with the role. Unrealistic or undefined expectations around the proficiency level in the programming languages, operating systems, and tools can discourage potential candidates who might possess excellent core skills but are put off by the exhaustive list of prerequisites.
4. Ignoring Soft Skills
Cybersecurity is not just about technical proficiency; it also requires effective communication, problem-solving, and team collaboration at all levels. Many job descriptions focus solely on technical skills and neglect the importance of soft skills. This omission can result in a cybersecurity team that excels at a functional level but struggles to collaborate and adapt to new challenges. These traits are essential for individuals wanting to advance into more managerial and strategic positions.
5. Built in Silos versus Ecosystems
On the flip side, unrealistic or undefined job role expectations can also confuse current employees. It’s important to clarify the knowledge, skills, abilities, and tasks (KSATs) per role in order to identify and minimize gaps or overlaps between roles. Having appropriate qualifications with realistic expectations can create an effective ecosystem where employees perform tasks relevant to their roles, optimize workflows, and create clear hierarchies and career development pathways.
6. Sidestepping Industry Frameworks
While it's not formally required, mapping your cybersecurity workforce and job roles to industry frameworks can provide guidance and consistency to improve practices around identifying, recruiting, developing, and retaining cybersecurity and cyber-adjacent talent.
Emphasis on guidance. The NIST-NICE Framework punctuates that the KSATs and work roles identified should serve as building blocks and adapt to the standards, regulations, needs, and mission of each organization.
How To Fix Your Cyber Job Descriptions
To bridge the cybersecurity talent gap and attract the right professionals, organizations must reimagine their approach to crafting job descriptions:
- Regularly Assess and Update: To keep up-to-date job descriptions, it's vital to revisit them when there are organizational changes. Consider changes such as the introduction of new technology or the need for new or modified job roles due to workforce growth.
- Set Clear Expectations: Organizations should identify and communicate clear expectations regarding technical proficiency, emphasizing the importance of core skills and competencies while being realistic about the need for continuous learning and adaptation. (Here's a short on-demand webinar where we discuss how to set better cyber role expectations to attract and retain talent.)
- Include Holistic Requirements: Incorporate both technical and soft skill requirements, reflecting the reality that effective cybersecurity involves collaboration, communication, and a strong understanding of the organization's overall objectives.
- Build Functional Ecosystems: Job descriptions should be tailored to the specific role, outlining the core competency expectations while shaping streamlined pathways for growth vertically and horizontally throughout the cyber organization.
- Illustrate Context and Vision: Provide context about the organization's cybersecurity strategy and the role's contribution to it. This can help candidates envision their impact and align their career aspirations to a great mission.
Conclusion
While fixing cybersecurity job descriptions isn’t a silver bullet, it is certainly a solid foundation to build upon. Security and HR leaders should consider revising their job descriptions to be more inclusive, adaptable, and reflective of the evolving nature of cybersecurity and the evolving needs of the organization. By setting clear expectations and creating more inclusive opportunities for practitioners, organizations can attract, build, and retain a broader range of talent and bridge the cyber skills gap.
For leaders ready to revamp job descriptions and enhance their cybersecurity talent strategy, we’ve created a step-by-step strategy guide to help you get started. Check N2K’s Cyber Talent Insights for more information on job description support.
