At a recent conference sponsored by the National Institute of Standards and Technology (NIST), there was a lot of discussion regarding the gap between talent supply and demand in the cybersecurity industry. The audience featured a mix of academics, government and industry, and while there was no dispute over the presence of this talent gap, there were no clear ways to address it.
The conference’s keynote began with a joke about the ways colleges and universities disqualify large majorities of otherwise qualified applicants to demonstrate how “elite” or “prestigious” they are. Because many job postings focus on imprecise skill indicators, like college degrees, some certifications and vague resume bullets, the speaker suggested that we do away with those and focus on skills-based assessments.
Speaker after speaker beat the same drum, each describing the Utopia that would allow for millions of disenfranchised job seekers and long suffering hiring managers to meet. In one session, a startup showed off a timed, scored, challenge-based assessment tool called Hacker Rating that allowed coders to participate in challenges to demonstrate their skills.
Including skills assessments in the hiring process is nothing new. Academia has required whitepapers and presentations as part of the interview process for a very long time. Other industries use puzzles and practice pitches to allow applicants to show off their skills. None of that addresses the establishment of restrictive “minimum requirements,” however.
When we look at the supply and demand of skilled, qualified workers, the challenge is not to fill the talent gap with people, but to fill it with the right people. In academia, government and large industries, hiring the wrong person can cost a team’s productivity and management’s time to fix. As I sat through the conference, I wondered if there was a process that might work to merge the emerging skill assessment method with the traditional formal qualification evaluation.
For discussion, I suggest the following:
- Eliminate legacy requirements and institute a level set on real, minimum requirements. Does the job require a four-year degree? Why? If there’s a certification requirement, can the training be done on the job, perhaps during the probationary period?
- Create and distribute an initial skill assessment to all applicants. Use the skill assessment to weed out applicants before investing time to review their resumes.
- After narrowing the applicant pool, ask your candidates to complete second skill assessment or practical demonstration. At the end, you can call the applicants and discuss how they did in the skill portion, saving the evaluation of “soft skills” for the on-site interview.
Creating skill assessments will take time and resources, so I’m not presenting this as a simple fix, but rather as a place to begin a conversation regarding the ways in which an organization can attract a broader range of applicants, while hiring the most skilled and qualified candidates for a position.
For those candidates who are highly skilled, but need certification, or for development of your current workforce, Merit Network offers more than forty cybersecurity certifications, customized private workshops and turnkey training programs. Visit https://www.merit.edu/cybertraining to learn more.