Why There's More To Cybersecurity Recruitment Than Just Job Titles


A job in cybersecurity is the hot ticket for anyone who wants to work in tech right now. Data compiled by recruitment website Indeed recently showed a 15% increase in the number of jobs advertised for suitably skilled candidates in the 12 months between 2017 and 2018.

The rise in popularity of such jobs shouldn’t come as any great surprise given the current climate. The frequency and severity of data breaches is increasing, with attacks on well-known businesses making the news on a regular basis. And with the implementation of ever-tighter privacy laws such as GDPR, businesses have never been more focused on protecting their networks and the precious information that flows across them.

But what do these jobs actually entail? Rather than any detail about the skills currently needed, all we see are vague, generalized job titles – “IT Security Specialist, IT Security Engineer, Security Consultant”. It would be hard to be less specific. Yet, it’s the specialized expertise, knowledge and experience that lies behind these titles that matters most to an organization’s security. Unfortunately, the HR teams, heads of business and board members that make the decisions around who to hire often won’t understand the nuances of what being on the front line against cyber threats really involves.

Distinctly different

Threat actors will use a range of techniques to exploit vulnerabilities, both technological and human, in their ongoing mission to steal valuable information, hold businesses to ransom, or simply cause harm and wreak havoc.

In 2018, for example, almost two thirds of organizations suffered a zero-day attack launched at their endpoints, while the number of phishing attacks was up by almost 300%. DNS continues to be a target, with attackers exploiting this – surprisingly unprotected – protocol to exfiltrate sensitive information or to overwhelm an organization’s IT network with DDoS attacks. Web applications are vulnerable to SQL injections and various scripting and database attacks. And users themselves – often regarded as the weakest point of any IT network – are responsible for considerable harm, sometimes deliberately, but usually by accident. Then there’s malware, social engineering, supply chain attacks… the list goes on.

The point is this: just as there’s no single attack vector, there’s no single type of security expert. An organization must appreciate the nuances to effectively protect its attack surface. It’s important to understand, for example, that an expert in application security might have less thorough knowledge of digital forensics and reverse engineering – a crucial distinction given that these are entirely different parts of an overall security posture.

Labelling everyone involved a “cybersecurity professional” is therefore a generalization that, at best, will limit their development and, at worst, put the organizations they work for at risk.

Understanding and advice

CISOs understand this issue of generalization. Having been security analysts themselves, and having achieved the appropriate accreditation, they have an appreciation of just how broad a scope an organization’s cybersecurity has. Unlike the CEO or the head of finance, they know just how it feels to be on the sharp end of a data breach, stemming the outward flow of their company’s or their customers’ private information. They’ve seen the effects of a DDoS attack first-hand. They, or at least a member of their team, have had to cope with the paralysis that ransomware can inflict.

And that’s why CISOs should be involved in placing recruitment ads: their understanding of the nuances of cybersecurity is precisely why they belong in the hiring process. If nothing else, they should be treated as trusted advisors.

By suggesting they follow the advice and threat intelligence freely laid out in MITRE’s ATT&CK framework, for example, CISOs can help ensure businesses recognize the threats they’re facing. And, by recommending that their business embraces guidelines such as NIST’s National Initiative for Cybersecurity Education (NICE) Framework, which categorizes and describes cybersecurity work, they can further ensure that any potential candidates are sufficiently qualified to tackle those specific parts of the cyber-attack chain.

Given the current climate, it’s understandable that cybersecurity professionals are in high demand across all sectors. But there’s far more to the job than just “providing cybersecurity”. When it comes to protecting a business against outside threats, it’s essential that those responsible for hiring cyber talent look beyond the job title, and at the skillset that – when an attack eventually comes – will make the difference between violation and mitigation.