Blog

Can a Barista Become Your Next SOC Analyst?

Mar 07, 2023

MAR-CCSP-Ultimate_Recruiters_Guide_to_Securing_Cloud_Security_Talent-Web-Banners-1200x628 Spoiler alert: the obvious answer is not always the correct one!

Migrating services, apps and data to the cloud is both promising and challenging. The advantages of scalability, flexibility, reduced operational costs and supporting a hybrid workforce can be eliminated by the challenges of cloud security and talent gap. Those two challenges are closely interrelated as it is demonstrated by numerous surveys.

For example, the (ISC)² Cloud Security Report 2022 indicates that:

  • 93% of organizations are moderately to extremely concerned about the massive skills shortage of qualified cybersecurity professionals
  • 57% admit this lack of staff expertise makes cloud compliance challenging
  • 56% of respondents believe that cloud security capabilities are the most essential talent for their organizations

The hiring process is flawed

However, the problem is not solely an issue of lacking the knowledge to manage and securely configure multiple cloud platforms. It is also an issue of bad hiring practices. Organizations frequently do not comprehend what they are seeking, resulting in hiring errors. Cybersecurity job descriptions are often criticized for having unrealistic demands when setting out to hire new employees.

According to recent research by Information Systems Security Association (ISSA) and industry analyst firm Enterprise Strategy Group (ESG), 29% of the professionals surveyed stated that their HR departments are likely to dismiss qualified candidates because they lack the essential cybersecurity capabilities. And 25% reported that job postings at their firms tend to be unrealistic, requiring excessive experience, certifications and technical skills.

“Job descriptions have got to get better. They must focus on the correct things; they cannot request 10 years of Kubernetes experience when the platform has only been around for six years. There are numerous examples of these job descriptions that contain such absurdities,” says Alyssa Miller , a business information security officer and public speaker on cybersecurity.

The problem may become even more perplexing because the HR departments are usually hiring for qualifications and not also for aptitude. As cloud technology is evolving, security professionals are investing time and money to upskill themselves. Many of them are self-taught, demonstrating the requisite aptitude for success while lacking specialized certificates. Even though a candidate has years of experience in the field, their application could be rejected if HR does not feel that they possess the necessary qualifications. But could helping employees on their journey to gain the necessary qualifications open up the talent pool?

Is a barista your go-to security professional?

All the facts point out that organizations should consider changing their tactics to effectively support their organizations. Demanding five years of experience for an entry-level position will not work, nor will a box-checking exercise requiring certain qualifications up front in an industry where new threats necessitate constantly evolving skill sets.

Alyssa Miller explains in her TED talk of how a barista could possess the required abilities to succeed in a cybersecurity career. “Like a barista, I’m seeking someone who is adept at synthesizing many inputs into jobs, then prioritizing and carrying out those activities. That is what I request of a SOC analyst,” she says.

This will necessitate a shift in perspective regarding hiring. Companies cannot assume that experienced cloud security professionals will appear out of thin air and take entry-level pay. Businesses must acknowledge they must begin recruiting individuals at the beginning of their careers. They may have less experience, but they are willing to learn and will become a worthwhile investment for the company.

By broadening the search for cybersecurity personnel in this manner, organizations have a greater chance of diversifying their workforce. Just 25% of the global cybersecurity workforce is female . Companies that emphasize creating a fairer, more diverse and empowering workplace could reverse this trend. Diversity can help improve cybersecurity for everyone by bringing different perspectives and considerations into the room.

Besides looking for attitude and diversity, it is also time to reconsider your recruitment strategy and how to make it more attractive and appealing. “Modifying the job postings and presentation to make the team appear inventive and modern may attract more qualified individuals,” says Matt Stamper , research director at Gartner.

Part of making a vacancy attractive is to determine the basic criteria for the role, and only list those. Requiring certifications at the intermediate to advanced level in cloud security for junior positions would result in unfilled positions and disgruntled understaffed teams.

Finally, it is always a good idea to look for candidates within your organization. Search for individuals outside the IT department whose skill sets could be beneficial to your team or “re-purpose” individuals from other IT specializations. When external talent is difficult to uncover, it may be preferable to develop talent from within. This can be accomplished through the provision of professional development opportunities or the funding of new certifications and courses.

HR teams can play a huge role here in challenging and supporting the organizations to consider a wider candidate pool.

Professional development is always important

Due to the rapid evolution of technology, ongoing talent development is essential. Individuals are afforded the opportunity to learn and advance their careers by adopting a strong training and upskilling program, while organizations can gain a competitive advantage in the industry by fostering internal talent or attracting new talent with a rewarding training program.

If businesses wish to retain security experts, they must offer opportunities for advancement and skill development. Offering these upskilling and reskilling chances will also develop experience, eliminating the need for recruiters to hunt for it initially.

In addition to enhancing their vendor-specific technical abilities, organizations should invest in broadening their expertise in cloud security procedures and frameworks. This is the added value of vendor-neutral certifications in cloud security, such as (ISC)² Certified Cloud Security Professional (CCSP) . The purpose of these certifications is to ensure that cloud security team members remain up to date on cloud technology. Professionals will study techniques, procedures and programs that focus on the technology rather than on specific vendor platforms, enabling them to be fully rounded, effective cloud security professionals and an asset to your organization.

If you wish to learn more on how to avoid the most common pitfalls on hiring cloud security professionals and how (ISC)² can help you develop their technical skills, download our whitepaper “The Ultimate Recruiters Guide to Securing Cloud Security Talent .”