CEO tells (ISC)² Security Congress how orgs should rethink hiring strategies

(ISC)², the US-based security certification organization, is piloting an entry-level certification that it hopes will help to diversify, and enlarge, the infosec workforce.

The new certification exam is being trumpeted at the ongoing (ISC)² Security Congress 2021 as a key pillar in addressing the stubbornly wide infosec skills gap.

(ISC)² hopes that, among other things, fewer organizations will make the higher-level CISSP certification a condition of entry-level positions. This was one of several prescriptions for rethinking hiring practices set out yesterday (October 18), on day one of the conference, by (ISC)² CEO Clar Rosso.



Mind the gap

For all the talk of different pathways and reskilling, said Rosso, “we’ve hardly made a dent in that gap – it’s still not enough”.

(ISC)²’s forthcoming Cybersecurity Workforce Study 2021 estimates that the global skills gap stands at 2.7 million unfilled infosec jobs, she said – down from 3.1 million in 2020 and four million in 2019.

The consequences of not closing the gap faster are grave, Rosso warned, with infosec pros telling (ISC)² that personnel shortfalls contribute to system misconfigurations, slow patch cycles, rushed deployments, infrequent risk assessments, and a lack of oversight of processes and procedures.

Internal talent spotting

The new certification, whose composition will be informed by a survey of infosec pros (closing tomorrow), will give infosec newbies a grounding in technical skills that Rosso believes can be further developed on the job.

“Hire for non-technical skills that cyber pros tell us are essential: analytical, problem solving [skills], the ability to work alone and in a team,” she advised.




This approach also makes internal talent spotting a viable alternative recruitment strategy. “Wouldn’t it be great to hire a coworker who you trust and already understands your systems?” mused Rosso.

Rosso also urged organizations to embrace the benefits of remote working, and to invest in people before technology.

“Create informal mentoring programs for new team members, challenge junior staff with complex problems,” she recommended, along with other prescriptions set out in the 2021 (ISC)² Cybersecurity Career Pursuers Study.

‘Diverse talent pool’

(ISC)² has also launched a focus group study investigating the experiences and challenges faced by women and people of color in the infosec sector. It follows the organization’s launches earlier this year of a Global Diversity, Equity, and Inclusion (DEI) Task Force and a DEI Resource Center.

Preempting criticism from some quarters, Rosso sought to reassure attendees that the DEI drive is “not about quotas”, “eliminating opportunities for white males”, or “stacking teams with unqualified individuals”.

She added: “If we continue to look for the same characteristics and skillsets it will remain the slow [talent] stream it has been for decades”, rather than the “flood of talent” required.

