Hiring for the role of security analyst—that workhorse of security operations—could get even harder.
Demand for the position is expected to grow: the U.S. Bureau of Labor Statistics predicts organizations will add tens of thousands of positions through the decade, with employment for security analysts expected to grow by 33% from 2020 to 2030—much faster than the average for all occupations.
That makes the security analyst role among the top 20 fastest-growing jobs in the nation.
Such news comes at a time when CISOs and other enterprise security managers already report challenges in finding people to fill the post.
That’s making it harder for CISOs to secure their organizations. The 2022 CISOs Report from security vendor SpyCloud found that CISOs cited the lack of skilled personnel as the top issue when asked what inhibits their ability to establish effective cybersecurity defenses. And the 2022 Voice of the CISO Report from security vendor Proofpoint found that half of surveyed CISOs believe that the recent spike in employee transitions makes protecting data more challenging.
Given such dire numbers, CISOs should take care not to stack the odds against themselves with job postings that scare off applicants. Think that’s not you? To be sure, check out these red flags that veteran security leaders say make hiring harder:
1. No description of the actual responsibilities
One red flag identified by sources centers on the use of the title “security analyst” itself. True, it’s one of the most common titles/positions in the cybersecurity profession. But sources say that its prevalence, coupled with the fact that the cybersecurity field and cybersecurity departments are still evolving and maturing, has given the role a generic quality.
“A security analyst could be doing different things from one company to another,” says Vincent Nestler, an associate professor of Information & Decision Sciences at California State University, San Bernardino and director of the CSUSB Cybersecurity Center.
As a result, there are variations in responsibilities. So just using the title alone leaves job candidates wondering what the job actually entails.
“At its most basic, the analyst is supposed to analyze the company’s infrastructure, its tech stack, and based on that analysis make recommendations. But at a larger enterprise company you might find analysts whose only job is to analyze and at smaller companies they might do that but also implement part or all of the [security] solutions,” says Nick Kolakowski, senior editor at Dice Insights, part of the tech career website Dice.
As such, he and others advise security managers to be specific—in their job descriptions, actual job postings and in the information provided during interviews—about what their security analyst position actually does day-to-day so candidates know exactly what’s expected of them in the role.
2. Unrealistic experience requirements
The security analyst position is an early-career role and often the first position that workers take when entering the cybersecurity profession, yet job descriptions often ask for years of experience or certifications that require years of experience to earn.
“Right there that’s a challenge for a candidate. They’re going to say, ‘I’m not qualified’ and they’re not going to apply for the job,” says Tara Wisniewski, executive vice president for Advocacy, Global Markets and Member Engagement at (ISC)², a training and certification organization.
For example, Wisniewski says she often sees job postings for this position list (ISC)²’s CISSP as a required or preferred certification, which itself requires a minimum of five years of cumulative paid work experience.
The organization’s own Cybersecurity Hiring Managers Guide calls out this problem, adding that “unrealistic entry-level job description continues to be derided as a major cause of organizations’ cybersecurity staffing challenges.”
It goes on to suggest that “more collaboration between hiring managers and HR is the solution.”
3. Overemphasizing the tech—especially if it’s old
Information security analysts must, of course, understand the technology needed to do the job, but sources say job listings that require experience or knowledge with specific technologies or vendors could be off-putting to candidates who otherwise would be great hires.
Nestler says that rather than asking whether a candidate has experience with a specific vendor, it’s more productive to seek applicants who understand how to use a class of technology, noting that a professional skilled in one vendor’s tool can easily pick up how to use another vendor’s tool.
“The question is whether they have the right foundational knowledge,” he adds, and not necessarily a history with a specific brand.
Others caution that job descriptions listing experience on legacy technologies can also be a red flag to candidates, signifying that the security organization is behind the times.
“If you’re looking at the bulk of the job population, they want to work with the latest and greatest stuff,” says Ben Johnson, CTO and co-founder of software company Obsidian Security.
Some top-notch candidates may still apply if the CISO is advertising a transformational effort to shed that old technology, Johnson says, but most applicants will likely be wary.
4. Kitchen-sink requirements
Another major red flag: an impossibly long list of preferred or required skills, experiences, and educational achievements. Security leaders cited this as a problem over and over, often joking that companies like to include even the kitchen sink as one of the items they want to see in security professionals.
“That’s one of the underlying issues here: unrealistic expectations and qualifications. Hiring managers tend to put in an unsurmountable list of requirements for the job that they think is necessary. But candidates will look at that and say, ‘That’s not me,’” says Jason Rebholz, CISO of Corvus Insurance.
Lucia Milică, global resident CISO at Proofpoint, agrees, saying that too many security leaders list their dream applicant rather than describe what they actually need from an individual to be successful in the role. “That’s going to dissuade many good qualified candidates from applying,” she adds.
Milică says that’s particularly problematic for companies looking to create gender equity in their ranks, pointing to research that has shown women generally apply to jobs only when they have all or most of the listed qualifications while men will do so if they have about half.
“So start with the must-haves, those five bullet points, vs. tossing in everything under the sun,” she adds.
Jon Check, executive director of Cyber Protection Solutions at Raytheon Intelligence & Space, says he stays away from words like “must” and “shall” to keep good candidates from self-selecting out.
“Does someone really have to have all those things? Instead, you have to convey that everyone is welcome,” including those who might not have what has been traditionally considered the “right” certifications or the “desired” pedigree, he says. “And then set up a training plan for the skills they don’t have.”
5. Unrealistic job demands
On a similar note, some information security analyst jobs do seem to need an expansive list of skills because the position itself covers so much ground, Milică says.
She says she has seen security analyst jobs that also included responsibilities for governance, risk and compliance. GRC, however, requires a different set of skills than an analyst position and usually carries enough work to keep someone busy full time, so it should be a completely different role.
As such, candidates often balk at seeing an extensive list of responsibilities in a job description, Milică adds.
Others agree, saying that putting too many responsibilities that cut across different disciplines under the analyst position indicates that security managers have assigned the role an untenably high workload. They say it also indicates that managers may be doing so because the department itself is understaffed, under-resourced, not valued, poorly run, or all of those things.
Another red flag that could indicate such issues: any language that sounds like workers must be always available. Granted, the job may need all hands on deck during an incident and require on-call hours and extra shifts, but job descriptions shouldn’t make it seem like security is constantly on call—and the department shouldn’t be structured that way either.
“Typically security people want to be there because they want to make a difference, but they don’t want to work 24/7,” Johnson says.
6. No details on what the company can do for the candidate
Another potential red flag: No details about the opportunities that come with the security analyst job, including information about how to move up and out of the position.
“The security analyst role is in a constant firefighting mode and you can burn out. It is a grind, so you want to know how you can grow and advance as a professional,” Rebholz says.
Rebholz and others say it’s particularly important for managers to offer training and professional development to their security teams to both recruit and retain talent. As such, CISOs and their leadership team should be sharing and promoting how they help their own staff learn and succeed.
“It might not be a red flag if it’s not in the job description itself, but if it’s not being brought up at all during conversations, that is an issue because you [as a candidate] do want to see the company proactively talking about those things,” Rebholz says.