Rethinking security hiring: How COVID-19 is changing talent acquisition

Neither the pandemic nor the resulting economic downturn have slowed the cybersecurity workload at Raytheon Intelligence & Space.

As a result, recruiting and hiring has continued, with firm leaders adjusting their interviewing and onboarding processes to balance the ongoing need to bring on talent with social distancing and the other new realities of the day.

It’s an approach that has paid off, with Raytheon successfully staffing up despite the challenging times.

“We’re in a business that doesn’t get to pause; there wasn’t a thought from our team to shut this all down. In fact, our thoughts were: ‘How do we work around these obstacles and challenges?’ Then we came up with different ways to hire, to onboard, and to get people trained,” says John DeSimone, vice president for cybersecurity and special missions at Raytheon Intelligence & Space.

Raytheon’s situation speaks to the current cybersecurity job market.

Although some companies are laying off, competition for security talent remains fierce as many security executives aim to keep their current employees and add new ones to fill existing jobs as well as positions created to cope with the ramped-up security work that has come with the pandemic.

Hiring security workers has never been an easy task, and today’s extraordinary circumstances have further complicated the job, forcing companies like Raytheon to recruit, hire and onboard talent in new ways.

It’s a reality that has created challenges but also opportunities — some of which could permanently reshape the talent acquisition process.

“This has given us an opportunity to rethink how we hire,” DeSimone says. “And I think we got more efficient in being able to bring in more people and making a decision faster and figuring out how to do orientation.”

Competition for talent remains high

CISOs and other cybersecurity leaders have had a tough time hiring security talent for years, as study after study has shown.

Consider the figures released late in 2019 from (ISC)², a nonprofit association of certified cybersecurity professionals. Its 2019 Cybersecurity Workforce Study calculated that the current cybersecurity workforce of 2.8 million professionals was well short of the 4.07 million needed to close the existing skills gap. It further noted that the global cybersecurity workforce would need to increase by 145% to meet enterprise talent needs. In the U.S. market, the (ISC)² study put the cybersecurity workforce at 804,700, with a shortage of skilled professionals at 498,480, necessitating a 62% increase in talent to meet the sector’s needs.

Reports from this year have found much of the same — despite the dramatic economic changes and widescale unemployment in other professional areas.

The State of Cybersecurity 2020, a report released by ISACA in late May, found that 57% of respondents had unfilled cybersecurity positions on their team and 62% had an understaffed cybersecurity team. The report also found that 70% of respondents felt that fewer than half of their cybersecurity applicants were well-qualified.

That doesn’t surprise Tony Coulson, a professor of information and decision sciences at the Jack H. Brown College of Business and Public Administration at California State University, San Bernardino and director of the university’s Cybersecurity Center.

“This has been a battle that has been fought for the past 25 years. The successful output of talent doesn’t match demand out there,” he says.

The pandemic hasn’t dulled overall demand for talent. Coulson cited statistics from CyberSeek, a nonprofit organization working to address the shortage of security talent. The site before the pandemic reported 390,000 open jobs in cybersecurity nationally; it posted 504,000 open jobs in early June.

ISACA surveyed 3,700 IT audit, risk, governance and cybersecurity professionals from 123 countries in mid-April to assess the impact of -19 on their organizations and their own jobs.

It found that 58% believe threat actors are taking advantage of the pandemic while 87% said the rapid transition to remote work increased data protection and privacy risk. Meanwhile, just 59% say their cybersecurity teams have the necessary tools and resources at home to perform their jobs effectively and only 51% are highly confident that their security teams are ready to detect and respond to the rising cybersecurity attacks happening during this pandemic.

Labor and employment statistics, too, have found that cybersecurity jobs have mostly been spared, reflecting ISACA’s findings that showed 84% of organizations believing that cybersecurity is an essential function.

Conditions necessitate new tactics

Coulson saw security leaders use creative tactics to attract candidates even before the pandemic. He knew one CISO who hired a meal truck from In-N-Out Burger to park near a competitor’s office in an attempt to lure applicants away from that company; the CISO from the competitor had deployed similar strategies.

Business as usual won’t work now, though, even as demand for talent is ticking up.

Security leaders can no longer lure candidates with impressive tours of their companies and friendly meet-and-greets with staff or with strategically parked In-N-Out Burger trucks. They face backlogs on background checks and security clearances, and they often must deal with complicated and sometimes contradictory information for employees who need to relocate.

“You can’t always have someone relocate if you need someone to work for you, because they may not be able to. You can’t just pick up and go to Hawaii or New York City now,” Coulson says, adding that some candidates are reluctant to move today for a number of reasons even if they’re offered jobs in states without any government-issued restrictions.

As such, security leaders must find new tactics if they want to successfully compete for candidates today.

That’s the case with Protiviti.

“We’re not doing any in-person hiring and we’re doing remote onboarding, and it’s been difficult to create that same experience when you’re not in person, so you have to be creative, you have to be resourceful,” says Curt Dalton, managing director and global leader for the security and privacy practice at Protiviti, a management consulting firm.

Case in point: finding new ways to develop a rapport with candidates.

Dalton said he has found that video calls don’t allow for those informal moments during the interview process that allow both hiring managers and candidates to evaluate whether a job is a good fit. So, he looks for opportunities to do so, sometimes finding such chances on calls when candidates add personal backgrounds or show their own home surroundings. That glimpse of personality can then offer a reason for a different kind of conversation, which in turn helps determine whether there’s a cultural match.

Raytheon Intelligence & Space, whose external hiring goal for 2020 is 5,200, likewise adapted to the current conditions.

DeSimone says his company has been aggressively hiring since March to fill positions created by regular attrition, forecasted growth and pandemic-related demands.

Company security leaders started biweekly online hiring events instead of on-site career days and in-person job fairs. They switched some real-world campus recruitment opportunities to virtual versions. They’re using social media for more outreach, and they’re pushing managers to tap into their networks to identify potential candidates.

“Now we make it everyone’s responsibility for bringing in candidates,” says Jon Check, senior director of cyber protection solutions at Raytheon Intelligence & Space, adding that his company has similarly shifted its onboarding process to an online format and is having new hires work remotely if possible.

Other companies have also developed their own pandemic-related hiring tactics.

As an example, Coulson points to one company that provides free legal help to candidates to help them get out of contracts and noncompete agreements, going so far as to offer legal statements that the candidates can submit to their existing employers when they go to quit.

Ongoing shifts

Organizations that offered remote work options prior to the pandemic are seeing the most success in hiring and onboarding now, as they typically have managers and staff comfortable using online platforms to collaborate, says Michael Coates, co-founder & CEO at cybersecurity company Altitude Networks, who previously served as the CISO of Twitter and also head of security at Mozilla.

Such organizations also already know how to organize teams to be successful in the virtual world, making it easier to onboard new workers and integrate them into the existing staff, Coates says.

He points to his own experience in hiring people without having met them in person, explaining that he looks for their ability and willingness to work in a virtual scenario. He and his hiring managers look for candidates who have the technical capabilities, such as reliable connections, and an engaging online presence. They also confirm that candidates can work at least six hours of their shift during normal business hours U.S. Pacific time.

There are many organizations, however, that aren’t advanced enough in their virtual business practices to easily shift to today’s recruiting requirements.

“Companies that were very heavy on in-person are just now trying to figure out how to interview someone virtually and how to make offers to a person they’ve never met,” Coates says, adding that many are struggling to catch up to their competitors as a result.

The struggle, though, is worthwhile — not just for the short term but likely in the long run, too, as many say some changes may indeed be permanent.

For example, Coates says he has found that online hiring has brought a more intense focus on qualifications and other objective criteria and less attention to whether an in-person meeting felt chummy.

Meanwhile, Dalton says he found the use of video calls has sped up the hiring process; he expects his company to use video for more interviews in the future, adding back in-person meetings only for the later stages of the hiring process once it’s safe to do so.

Similarly, Robb Reck, who as CISO at Ping Identity hired for three of seven open positions during the second quarter, says virtual screenings helped him fill those slots in record time. And the need to onboard virtually forced him to create a formal onboarding process, one that is more comprehensive and engaging than the real-world version it replaced.

On the other hand, however, Reck sees some pandemic-related hiring and onboarding requirements a poor substitute for their in-person alternatives. The online happy hour to build comradery among new team members, for example, doesn’t match a real meal together out at a favorite restaurant. He says he’ll be reverting back to those in-person events as soon as he can.