An analysis of recent job opening descriptions in the security domain, conducted on behalf of The Hague Security Delta (HSD) Office, has found that a significant amount include confusing and sometimes unrealistic requirements. This may discourage candidates to apply for these jobs. One way employers could improve this situation and help lessen the Human Capital problem would be by consistently using an agreed framework for career paths. The framework should include a cross-reference to the Dutch educational system and to professional certificates. Furthermore, an editorial check by online recruitment sites may prevent impossible or even illegal requirements being included in vacancy descriptions.
Most Wanted Security Professionals
Job titles vary far and wide. The analysis, based on vacancies collected through publicly accessible recruitment websites, found 91 unique job titles amongst 127 job openings. Candidates searching for jobs may find the plethora of titles confusing and misleading. They also might overlook suitable vacancies because some employers use creative job titles. In several cases the job title did not match the description of the role at all and there are a few examples where the job advertisement aimed to recruit candidates for several different jobs in one go. The potential effect is that employers and candidates miss out on each other.
The top 5 most in demand security professionals are (based on content of the job description, not job titles):
- Consultant Information Security
- Security Guard
- Information security officer
- Cybersecurity specialist/engineer
- Environment, Health and Safety (EHS) officer
Within cybersecurity, career paths are unclear, as there is hardly any distinction in tasks and required competences amongst roles in different competence areas and at different seniority levels. Employers search for cybersecurity generalists that master many different competences at the same time. The complexity of these descriptions may discourage candidates from other relevant professions to apply for a role in cybersecurity. Roles in safety & security are more strucured. But although there are similarities between these jobs and cybersecurityjobs, the pathways between them are not indicated.
Required Education
Regarding the required education, there is a big difference between cybersecurity jobs and other safety & security jobs. Jobs in cybersecurity require, in 78% of the cases, a higher education degree (HBO and WO in Dutch). In contrast, 76% of the safety & security jobs require a vocational level education in security or environmental management (in Dutch: MBO or VMBO) or do not state any requirements at all. Amongst the cybersecurity jobs, employers tend to state that the candidate should have either a degree from a university of applied sciences (HBO) or university level education (WO) background. This is remarkable, as higher vocational education institutes and universities provide different types of education. This suggests that employers do not acknowledge this difference. Further confusion arises when employers use the terms Bachelor or Master. Employers do not specifically ask for any of these, instead they just state: ‘Bachelor or Master’ while there is at least one year of additional education between them.
Within cybersecurity, 56% of the employers ask for professional certificates (the research found 46 unique desired certificates). This is where employers demonstrate insufficient knowledge of the professional development and career paths of cybersecurity professionals. In fact, this group asks for ‘one or more of the following lists of certificates:….’. This is then followed by a list, showing certificates that support different career paths.
Moreover, some employers ask for certificates that do not exist. These could be typing errors but in two analysed cases the candidate needed to be ‘ISO 27001 certified’. This is not possible as ISO 27001 is a certification for organisations, not for individuals. Furthermore, many professional certificates require proof of several years of working experience (usually five years). A significant amount of employers (19%) required less than five years of experience while at the same time asking for at least one of those certificates.
Required competences
Security professionals generally require similar character traits in both cybersecurity and the other safety & security jobs. Good communication skills, being able to work in a team as well as independently, and the ability to cope with stress are examples of traits that they all need. In cybersecurity the ability to take initiative is highly valued and not often mentioned within the other safety & security jobs. In this domain there is a demand for a neat and professional appearance, which is rarely mentioned in cybersecurity jobs. Safety & security job vacancies generally do not state many specific technical skills. The most frequently asked are knowledge of MS-office and affinity with computers. A few employers require knowledge of First Aid, ISO 14000, VCA certification requirements and management systems for EHS (KAM in Dutch) or ISO 9001.
On the other hand, the total list of competences mentioned in cybersecurity job vacancies counts no less than 85 different areas of technical knowledge. A large amount of the technical competences is related to working with products from different vendors.
Recommendations
Employers and candidates could benefit from a consistent framework or model for career paths in security. The plethora of job titles and roles is confusing and not beneficial for both parties. Within the cybersecurity domain, some frameworks have been published by NIST, CyberSeek, and the Dutch Platform for Information Security (PvIB). However, there appear to be more cybersecurity-related roles than those frameworks accommodate. There is more clarity in the roles, tasks, and required education for safety & security jobs and a part of these are agreed upon through collective labour agreements (CAO in Dutch).
In some cases, finding the right candidates may benefit from mapping cross-overs between cybersecurity and safety. For example, roles such as information security officer and EHS officer require similar competences and working with comparable management systems. Working towards an agreed model for career paths in security and connecting these to competences, education and professional certificates is advisable. Additionally, agreeing on the use of a security-jargon dictionary may relieve the incorrect use and confusing diversity of terms. Recruiters might also be able to help posting better job descriptions. A check on writing style, unclear requirements and unrealistic demands prevents the demotivation to apply within certain target groups.
The findings in this analysis for cybersecurity functions show that this area is still in its infancy from a human resources perspective. To improve the attraction and flow of talent, better constructed function profiles that are more logically related to each other and to existing education and certifications are needed. New security challenges will require current functions to be changed or new ones to be created. Developing talent to move from diminishing traditional roles into future careers requires effort from educators, employers, public institutions and talents themselves.