Hiring for the position of security analyst – that workhorse of security operations – could become even more difficult.
Demand for the job is expected to grow, with the U.S. Bureau of Labor Statistics predicting that organizations will add tens of thousands of jobs over the decade, with security analyst employment expected to grow 33% between 2020 and 2030, much faster than the average for all occupations.
This makes the security analyst role one of the 20 fastest growing jobs in the country.
This news comes at a time when CISOs and other corporate security managers are already reporting difficulties finding people to fill the role.
This makes it harder for CISOs to secure their organizations. The RSS Report 2022 from security provider SpyCloud found that CISOs cited a lack of qualified personnel as the top issue when asked what inhibits their ability to establish effective cybersecurity defenses. And the CISO Voice Report 2022 from security provider Proofpoint found that half of CISOs surveyed believe the recent surge in employee transitions is making protecting data more difficult.
Given these discouraging numbers, CISOs need to be careful not to stack the odds further against themselves with job postings that scare away candidates. Think that’s not you? To be sure, check these red flags that security veterans say make hiring harder:
1. No description of actual responsibilities
One red flag identified by sources relates to the use of the title “security analyst” itself. Admittedly, this is one of the most common titles/positions in the cybersecurity profession. But sources say its prevalence, coupled with the fact that the cybersecurity field and cybersecurity departments are still evolving and maturing, has given the role a generic quality.
“A security analyst can do different things from company to company,” says Vincent Nestler, associate professor of information and decision science at California State University, San Bernardino and director of the CSUSB Cybersecurity Center.
As a result, there are variations in responsibilities. So just using the title alone leaves job applicants wondering what the job actually entails.
“Basically, the analyst is supposed to analyze the company’s infrastructure, its technology stack and, based on that analysis, make recommendations. But in a big company you can find analysts whose only job is to analyze and in small companies they can do that but also implement some or all of the [security] solutions,” says Nick Kolakowski, editor at Dice Insights, part of the Dice tech career website.
As such, he and others advise security managers to be specific — in their job descriptions, actual job postings, and in information provided during interviews — about what their security analyst position actually does day to day, so candidates know exactly what is expected of them in the role.
2. Unrealistic experience requirements
The security analyst position is an entry-level position and often the first position workers take when entering the cybersecurity profession, but job descriptions often call for years of experience, or certifications that require years of experience to acquire.
“Right there, it is a challenge for a candidate. They’re going to say ‘I’m not qualified’ and they’re not going to apply for the job,” says Tara Wisniewski, executive vice president for advocacy, global markets and member engagement at (ISC)², a training and certification body.
For example, Wisniewski says she often sees job postings for this position listing (ISC)²’s CISSP as a required or preferred certification, even though the CISSP itself requires a minimum of five years of cumulative paid work experience.
The organization’s own Guide for Cybersecurity Hiring Managers calls out this issue, adding that “unrealistic entry-level job descriptions continue to be derided as a major cause of organizations’ cybersecurity staffing challenges.”
It goes on to suggest that “greater collaboration between hiring managers and HR is the solution.”
3. Overemphasizing technology, especially if it’s old
Information security analysts must, of course, understand the technology needed to do the job, but sources say jobs that require experience or knowledge with specific technologies or vendors could be off-putting to candidates who would otherwise be excellent recruits.
According to Nestler, rather than asking whether a candidate has experience with a specific vendor, it’s more productive to look for candidates who understand how to use a class of technology, noting that a professional proficient in one vendor’s tool can easily learn to use another vendor’s tool.
“The question is whether they have the right basic knowledge,” he adds, and not necessarily a history with a specific brand.
Others warn that job descriptions listing experience on legacy technologies can also be a red flag for candidates, meaning the security organization is falling behind.
“If you look at most of the job population, they want to work with the latest and greatest,” says Ben Johnson, CTO and co-founder of software company Obsidian Security.
Some top candidates may still apply if the CISO announces a transformation effort to get rid of this old technology, Johnson says, but most applicants are likely to be wary.
4. Kitchen sink requirements
Another major red flag: an incredibly long list of preferred or required skills, experiences, and educational achievements. Security managers have cited this issue time and time again, often joking that companies like to include even the kitchen sink among the items they want to see in security professionals.
“That’s one of the underlying issues here: unrealistic expectations and qualifications. Hiring managers tend to come up with an insurmountable list of job requirements that they deem necessary. But candidates will look at this and say, ‘That’s not me,’” says Jason Rebholz, CISO of Corvus Insurance.
Lucia Milică, global resident CISO at Proofpoint, agrees, saying too many security managers list their dream candidate rather than outline what they actually need from an individual to succeed in the role. “This will deter many qualified candidates from applying,” she adds.
Milică says this is particularly problematic for companies looking to create gender equity in their ranks, pointing to research that has shown that women typically apply for jobs only when they have all or most of the skills and qualifications listed, while men will apply if they have about half.
“So start with the essentials, these five chips, rather than throwing everything under the sun,” she adds.
Jon Check, executive director of Cyber Protection Solutions at Raytheon Intelligence & Space, says he avoids words like “shall” and “must” to prevent good candidates from self-selecting.
“Does anybody really have all these things? Instead, you need to convey that everyone is welcome,” including those who might not have what have traditionally been considered the “right” certifications or the “desired” pedigree, he says. “And then put in place a training plan for the skills they don’t have.”
5. Unrealistic Job Requirements
Along the same lines, some information security analyst jobs seem to require a long list of skills because the position itself covers so much ground, says Milică.
She says she’s seen security analyst jobs that also included governance, risk and compliance responsibilities. GRC, however, requires a different skill set than an analyst position and usually carries enough work to occupy someone full time, so it should be a completely different role.
As such, candidates are often reluctant to see a long list of responsibilities in a job description, adds Milică.
Others agree, saying that placing too many responsibilities that cut across different disciplines in the analyst role indicates that security leaders have assigned the role an unsustainable workload. They say it also suggests that managers may be doing so because the department itself is understaffed, under-resourced, not valued, poorly managed, or all of those things.
Another red flag that could indicate such problems: any language that sounds like workers should always be available. Granted, the job may require all hands on deck during an incident and may require extra on-call hours and extra shifts, but job descriptions should not give the impression that security is constantly on call – and the department shouldn’t be structured that way either.
“Typically, security people want to be there because they want to make a difference, but they don’t want to work 24/7,” Johnson says.
6. No details on what the company can do for the candidate
Another potential red flag: no details on the opportunities that come with the security analyst position, including information on how to progress and move beyond the position.
“The Security Analyst role is in constant firefighting mode and you can burn out. It’s a chore, so you want to know how you can grow and progress as a professional,” says Rebholz.
Rebholz and others say it’s especially important for managers to provide training and professional development to their security teams to recruit and retain talent. As such, CISOs and their leadership team should share and promote how they help their own staff learn and succeed.
“It might not be a red flag if it’s not in the job description itself, but if it’s not brought up at all during conversations, that’s a problem, because you [as a candidate] want to see the company talk about these things proactively,” says Rebholz.
Copyright © 2022 IDG Communications, Inc.