In some sectors, skills shortages are so acute that finding and keeping hold of talent has become a major headache for HR, with 73 percent of UK businesses now experiencing the problem, says Jamal Elmellas.

Cybersecurity, in particular, is seeing demand outstrip supply on a cumulative annual basis. The skills gap increased by 73 percent in the UK last year, equivalent to 56,811 unfilled vacancies, according to the (ISC)2 Cybersecurity Workforce Study.

However, it would appear that HR’s role in the recruitment process may in fact be exacerbating rather than solving the problem.

The same (ISC)2 study found that in those organisations where there was a strong relationship between cybersecurity management and HR, shortages were noticeably lower, but where there was a disconnect between those teams, shortages were much worse.

In fact, those businesses were 2.5x more likely to suffer from skills shortages. Therefore, the difficulties businesses are facing when it comes to recruitment do not just come down to a shortage of talent in the marketplace.

Poor perceptions

Only half of hiring managers (52%) thought they had a strong working relationship with HR and 40 percent did not think HR added value to the recruiting process. And it’s not just hiring managers that think HR is hindering rather than helping. The Cybersecurity Skills in the UK Labour Market 2022 report by the former Department for Digital, Culture, Media and Sport (DCMS) found many recruiters would ignore the job specification they had been given and contact the hiring manager direct in order to write their own, bypassing HR altogether.

These are worrying perceptions given that all three parties are essential to successful recruitment. As the (ISC)2 report attests, while cybersecurity managers are likely to know best what kind of candidates to look for, recruiters know the market, and HR managers have the expertise to find and attract those candidates, not to mention retain them – although that, too, has been brought into question.

Retention was found to be a real problem among those organisations experiencing sustained skills shortages and there was a common denominator in each case. All had similar approaches to learning and development (L&D). They were not prioritising cybersecurity within the company culture, or sufficiently training staff, or offering opportunities for growth and promotion, according to the (ISC)2 report, leading to higher staff turnover. In fact, Gartner recently predicted that nearly half of cybersecurity leaders will change jobs by 2025, suggesting churn is on the increase.

Poor retention rates were also borne out by ISACA’s State of Cybersecurity 2022: Global Update on Workforce Efforts, Resources and Cyberoperations report, which found that 60 percent had experienced problems keeping staff. When asked why they chose to leave their employer, almost half (47%) said they did so due to limited opportunities for promotion and L&D. This is no doubt due in part to some companies wanting to curb spend and avoid their employees becoming a ‘flight risk’, but this is short-sighted.

Speculate to accumulate

Those companies that do invest in training and offer rotating job assignments, mentorship or opportunities for employees in related fields to retrain in cybersecurity are least likely to suffer from shortages, according to the (ISC)2 report. Only 49 percent of businesses with 1,000 staff or more who implemented these initiatives experienced shortages compared to 77% of those who had not, which means HR has the power to really boost retention rates through L&D.

The problem that remains is how to close the miscommunication gap between the hiring manager, HR and the recruiter. Clearly, they are not aligned and there is a disconnect between the hiring manager and HR, with the former unable to communicate their needs to the latter and unable to understand the value HR brings to the table. The recruiter, as the last person in the chain, inevitably realises the criteria will not fly with candidates, and so resorts to contacting the hiring manager direct.

What’s really happening here is that neither the hirer nor HR is in tune with the marketplace, and this is because cybersecurity as a relatively nascent sector has evolved unchecked to the point where roles can now be ambiguous. It’s not unusual, for instance, to see different companies advertise for the same job role while listing different skillsets. Nor is it unheard of for HR to place so-called ‘unicorn’ job postings in a bid to recruit someone to fill several roles. The end result is that everybody is confused and the post remains unfilled. Indeed, ISACA found that one in five companies took over six months to fill their vacant positions.

Reading from the same song sheet

Getting to the point where everyone is operating together means they all need to be using the same criteria. Thankfully, progress is being made in this area with the UK Cyber Security Council developing a Cyber Career Framework that will map all the skills, experience, responsibilities (including salary expectations), and qualifications needed to perform a particular role. This covers 16 specialisms and is expected to be completed by 2025.

The framework is a mammoth undertaking that will see a structure applied to the industry for the first time. It should make it far easier for hiring managers to assess their workforce, identify where the gaps are and to plan which roles they need to recruit. It should also provide HR with the information needed on skills and experience to help them furnish accurate job descriptions and select suitable candidates. But it should also give them the information they need to build out career progression plans for individuals to boost retention. Finally, it will help candidates identify roles relevant to them, ensuring a better fit, and to work out which skills they need to progress up the ladder.

Of course, cybersecurity is just one area where HR is struggling to recruit but it’s an area where competition is so high that it has served to expose problems in the recruitment process which under other circumstances might be ignored. The fracture points all indicate areas in which the process can be improved, from penning more accurate job descriptions to investing more in L&D, to using career frameworks to make the process more efficient and successful. And all it takes is sharing the necessary information between all facets of the chain to create a cohesive process.


Jamal Elmellas is Chief Operating Officer at Focus-on-Security.






Jamal Elmellas is Chief Operating Officer at Focus on Security, the cyber security recruitment agency, where he is responsible for delivering an effective and efficient selection and recruitment service. He has specific expertise in and is adept at designing and delivering secure, scalable and functional ICT services.

Prior to joining Focus on Security, Jamal built a successful Security consultancy and undertook the role of CTO. He was responsible for delivering secure ICT services for both government and private sectors. He has also fulfilled the role of Lead Security Architect and Assurance practitioner within sensitive government departments and blue organisations.

Jamal has almost 20 years’ experience in the field and is an ex CLAS consultant, Cisco and Checkpoint certified practitioner.