Skills Assessment – Critical for Cybersecurity Workforce

[Infographic: statistics on employers finding qualified cybersecurity candidates]

November 12, 2020 | 3 min. read

Identifying bona fide cybersecurity skills has become a top priority for employers looking to fill cybersecurity positions. In a U.S. market with more than 500,000 open cybersecurity positions, the issue is not the statistic itself but the compounded problems employers face in trying to fill these positions with validated talent. The problem becomes damaging when a person hired into a position is later discovered to be unqualified, just as the organization faces real-time cyber threats.

ISACA surveys have shown that over 60% of employers take three months, and 30% of employers take six months or more, to fill an open cybersecurity position. 70% of employers responded that less than half of the applicants were qualified, with a lack of soft skills being the primary skills gap. Hiring a person based on a great resume and/or interview can end up costing an employer a lot more time, from releasing that person to starting the placement cycle anew. The potential inability to mitigate the risks the employer may be exposed to during the next 3 to 6 months is too great to get the hiring selection wrong. The level of cybersecurity experience, certifications, and expertise an employer is looking for will determine which soft skills and/or hard skills assessments are appropriate.

The Collins English Dictionary defines the term “soft skills” as “desirable qualities for certain forms of employment that do not depend on acquired knowledge: they include common sense, the ability to deal with people, and a positive flexible attitude”. Since cybersecurity risk mitigation requires good communication and collaboration skills to reduce an organization’s risk exposure, an employer is well served by assessing individuals’ soft skills. For entry-level, internship, or apprenticeship positions, it’s always best practice to assess the individual’s aptitude for the cybersecurity position to be filled. Aptitude tests are designed to assess whether or not an individual can understand the basic concepts and principles of cybersecurity.

Hard skills are the technical skills relating to a specific cybersecurity task or situation. Hard skills assessments can come in several forms: extensive deep-dive interviews to ascertain whether the candidate has the level of cybersecurity knowledge required, and/or cyber ranges that simulate real-time cybersecurity attacks and assess the participant’s response.


[Figure: Tree diagram display of the NICE Workforce Framework]


Core to soft and hard skills cybersecurity assessments is standardization. The National Institute of Standards and Technology has developed the National Initiative for Cybersecurity Education (NICE) Framework to drive standardization of knowledge, skills, and abilities across the cybersecurity workforce. It is a detailed taxonomy of the key skills required to fulfill specific work roles and competencies. The NICE Framework is widely adopted across industries, academia, and government to help address the national cybersecurity talent shortage.

CyberKnights provides soft and hard skills assessments, enabling employers to assess external talent interested in open cybersecurity positions, as well as evaluate internal talent. The NICE Framework is the foundation and standard against which cyber practitioners, candidates, and employees are all measured. Employers can identify the gaps in knowledge, skills, and abilities within their company, and map a course of training and/or educational plans for employees, apprentices, and new hires. By implementing the power of CyberKnights’ unique design, employers can breathe a sigh of relief knowing the talent they’ve found is qualified, and might even already exist within their company.
