Archive for the Blog Category

Top Five Insights from Talent42 2019

By Domini Clark, CEO, Blackmere Consulting

Recently I had the privilege of rubbing shoulders with some of the best and brightest technical recruiters at the Talent42 conference in Seattle. Known for its edgy and practical feel, the 100% tech-focused conference attracts big-name companies like Google, Amazon and Expedia, as well as smaller organizations, all fighting for the same technical talent. These were the key takeaways for me.

Re-defining “talent”

As the job market and economy evolve, the most cutting-edge companies are taking a good hard look at what “talent” means in their environment. How do we truly achieve diversity and, in fact, what should diversity look like in our company? Are we putting up barriers for candidates without realizing it, such as making bachelor’s degrees a hard-and-fast requirement?

Technology is ephemeral, relationships are not

More and more, technical talent is making the choice to connect only with people and situations that “feel” right. This means that it is more important than ever to take the time to make a real connection with candidates, network peers and others.

De-Clutter the hiring process

Companies big and small have created hiring processes with rules, regulations, and excuses that have built up over time and often are defended tooth and nail. That distracts us from the fact that talent acquisition is a very human endeavor, and real people — with other jobs and other job offers — can get stuck in the processes. With unemployment close to an all-time low, cumbersome processes simply don’t pay. To stay ahead of the game and win top talent, we need to take the clutter out of our hiring processes — make it easy for the candidates you want to want you, too.

Stories matter

Everyone knows that most technical talent, from software engineers to cybersecurity architects, have their pick of opportunities. Gone are the days of posting an HR-generated job description, sitting back and waiting for the talent to come to you. Instead, we need to tell the stories that leverage our greatness, whatever that may be. Maybe your data center is run with 100% sustainable energy, or your founder is a female combat veteran. Tell your story. The right person will be drawn to you and the culture that makes your company unique.

You can’t get away with anything

It was always a goal of the Internet to make massive amounts of information available to everyone. Be careful what you wish for! If you think your code review questions aren’t on the Internet, think again. That candidate you put through five interviews but then forgot to follow up with? She shared that on her blog and social media posts. There are “underground” sites in plain view listing companies that require whiteboard exercises. Staying mindful of the vast reach of communication may help drive better processes and will certainly keep you on your toes!

Taken all together, I think it means that robots will not be taking over our jobs as recruiters any time soon. In fact, the more technical and more difficult the hiring becomes, the more human and efficient our processes must be. From tailoring our job descriptions to fit real people, to diving deep into the personal impact a job change has on our candidates, to making sure we’re telling the right story about our own unique culture, it’s clear that all of the technology in the world won’t replace humanity in technical hiring.

Skills in demand: Application Security Engineers

The need for Application Security Engineers has grown dramatically as legacy applications are moved to the web.  Application Security Engineers can be focused on enterprise or mobile applications, but their overall goal is similar:  consider all system vulnerabilities of applications from design/development through implementation and maintenance.  This is a subject matter expert with strong knowledge of IT architecture, hardware, web security, identity and access management, application firewalls, intrusion detection as well as threats and vulnerabilities.

What it takes

Hands-on experience with secure code review, static analysis security testing, dynamic application security testing and strong knowledge of web development technologies. A deep understanding of threat/attack modeling is also critical, as is the ability to interact with cross-functional teams.

Compensation
Base compensation can range from $100-175K, often with additional incentives.  Independent contract rates can be higher.

– Domini Clark, principal, Blackmere Consulting; founder and director of strategy, InfoSecConnect.com.

Cybersecurity Recruiting: Weigh Your Options To Find The Right Strategy

For chief information security officers (CISOs), finding cybersecurity talent is difficult and expensive. It can seem like the greater the need, the less available the talent is. That’s why I believe the most powerful weapon in a seasoned CISO’s arsenal is, hands down, a security-focused recruiter.

So Much At Stake

Even with all of the recruiting technology, internal resources, employee referral programs and other bells and whistles out there, you may truly need security-specific recruitment experts. A quick look at the state of the industry reveals a worldwide shortage of cyber talent, with some saying we have hit a crisis point. Highlights from ISACA’s 2018 “State of Cybersecurity Study,” which surveyed over 2,300 individuals across various industries, clearly explain today’s landscape:

• 80% of study respondents said it was “likely” or “very likely” their organization would experience a cyberattack this year.

• 50% noted their organization experienced an increase in the number of cyberattacks last year.

• 59% stated their organization had unfilled cybersecurity positions.

• 54% admitted that filling open cybersecurity positions took three-plus months, longer than other areas of IT and much longer than just about any other functional area.

Security Recruiting Is Unique

To begin with, one thing I’ve found through my work in executive recruiting for this industry is that strong security professionals often aren’t active in the market, but they are being hounded. According to an (ISC)² survey, nearly half of cybersecurity professionals are solicited on a weekly basis, yet only 14% are actively seeking a new gig. You can’t spam them through LinkedIn and expect a response. They will not click on a link embedded in your email, nor will they “apply online” without a conversation first — and good luck getting them on the phone.

The best candidates don’t post their resumes everywhere. The best ones are hiding on purpose; only their closest colleagues know how amazing their last project was. They don’t trust people who don’t have street cred in the community, and ironically, technical recruiting tools aren’t effective at finding these technical experts. The only way to succeed is through networking, relationships and personal trust. It’s a full-time job.

Chances are, your internal HR/recruitment team is already overwhelmed and is made up of generalists rather than specialists. In fact, they’ll probably agree that outsourcing is the way to go to find top cybersecurity talent. There are many ways to structure a relationship with a recruiting firm, but there are three main models your organization may choose from.

Retained Search: This model often is considered the most effective, and for good reason: A retained recruiter is 100% focused on your search. Traditionally associated with C-level and executive searches, it has become more common in cybersecurity due to the critical need. A good retained search provider will act as a consultant, helping you scope out the position, explore business goals, and set search strategy. On a tactical level they should set expectations, provide position and title insights, identify potential roadblocks, and provide compensation information. Be prepared to take an active role in this sort of relationship, including providing regular and frank feedback. Most retained search firms charge a percentage of the annual compensation (base plus bonus) for the candidate selected (often 20-30%).

Contingency Search: In this model you are only charged if you hire the candidate the contingency firm delivers. This is a great option if you want to give a new recruiting firm a trial run, or if your internal team simply needs additional resources. However, be aware that a contingency recruiter needs to work multiple other simultaneous searches to ensure revenue, and you won’t get a search expert’s full attention. As with retained search, fees are based on a percentage of the annual compensation for the selected candidate and can range from 15-30%.

Container/Engaged Search: This is a hybrid between retained and contingency where a payment is negotiated at the inception of the search, and the remainder of the fee is up for grabs at the time of offer. This is a great approach to ensure both sides (recruiter and hiring organization) have vested interests in the success of the search. The downside here is the same as with the contingency model: Container recruiters divide their time and attention among multiple searches.

By the way, while it may be tempting to hire multiple recruiters for a single search, it’s likely to backfire. Everyone working on a search probably will talk with the same 30 qualified candidates, which can be frustrating for each recruiter. In addition, top-tier candidates become annoyed quickly if they are approached by multiple recruiters regarding the same position.

Superior cybersecurity talent is essential to protecting and defending your corporation and your reputation. The right relationship with your external recruiting partner is essential to engaging superior talent.

This article was contributed to Forbes by Blackmere Founder and CEO Domini Clark, and was originally published on Forbes here

Skills in demand: Application Security Architect

The need for Application Security experts has grown dramatically as enterprise systems become more and more complex.  While Application Security Engineers can be focused on a variety of enterprise or mobile applications, the Application Security Architect must understand how applications fit into a multi-tiered architecture.  They must consider all system vulnerabilities and their relationship to each application from design/development through implementation and maintenance.

What it takes

This is a subject matter expert with strong knowledge of IT architecture, hardware, web security, identity and access management, application firewalls, intrusion detection as well as threats and vulnerabilities. AppSec Architects often have deep technical knowledge and hands-on experience with secure code review, static analysis security testing, dynamic application security testing and strong knowledge of web development technologies. An overall understanding of complex systems and expertise in threat/attack modeling is critical, as is the ability to interact with cross-functional teams.

Compensation
Base compensation can range from $150-200K, often with additional incentives.  Independent contract rates can be higher.

– Domini Clark, principal, Blackmere Consulting; founder and director of strategy, InfoSecConnect.com.

This was originally published in the June 2016 Issue of SCMagazine

Hacking the Applicant Tracking System: Resume Tips to Get Your Resume Found

Follow these 5 Applicant Tracking System resume tips to make sure your InfoSec resume doesn’t automatically get kicked out of the screening process

Dear ‘FirstName’ Unknown ‘LastName’ Unknown,

I am a recruiter – today I spent hours sourcing from one of the many career websites/resume databases where you carefully created a profile and uploaded your resume. I read the profiles and created the perfect candidate pool of job seekers that I wanted to target. I downloaded the resumes from the resume database and for HR compliance I uploaded them to my Applicant Tracking System (ATS). To my dismay, this step usually results in 50% of the resumes being unreadable, and you, my favorite candidate, are now “Unknown Unknown”. I researched what was happening and found one common thread among these sourced candidates. The top of their resumes stated:

– Note: This is a converted Word document. An image of the resume is displayed rather than text.

Keep in mind ATS systems are now used by most companies to meet HR compliance and handle the hundreds of applicants they receive on most job postings. Recruiters generally upload their sourced resumes to these systems to meet HR compliance requirements. ATS systems parse resumes and compare the data against criteria in the job posting through keywords, screening questions, etc. Most resumes are only seen by humans if they are actually sourced or if they pass the initial screenings completed solely by the computer.

Unfortunately, if you are one of the InfoSec folks who have converted your resume to the Word image format, it will be lost once the recruiter uploads it to the ATS or it will not succeed in passing most ATS initial screenings. Usually this means you will receive a rejection letter automatically from the system once they make their final selection. So here’s what happens – most resume parsers in ATS systems do not have optical character recognition (OCR) capabilities, therefore your resume image is simply unreadable by the computer systems.

InfoSec Connect wants to help you modify your resume to ensure you are being considered based on your skill set and not your resume format. Algorithms designed to screen resumes are systematic and minor things can kick your resume out of consideration. The rules are simple:

  • DO NOT convert your resume to an image
  • DO NOT put your name and contact information in the document header
  • DO keep your resume format simple – try to avoid advanced formatting such as tables, unique fonts, images, etc.
  • DO clearly label the resume sections with standardized headings (best to use headings from postings such as Qualifications, Experience, etc.)
  • DO use the keywords that you identified in the job posting – keep in mind that most ATS systems use outdated SEO methods for the initial screening.

Now go update that resume and get past those initial screenings!

Skills in demand: Cyber Threat Intelligence Analyst

Cyber security is changing and some organizations are beefing up their threat intelligence groups in order to get ahead of the attack.  The Cyber Threat Intelligence Analyst works closely with network defenders, incident responders, application security experts and threat hunting teams to collect, classify and exploit potential threats.  Responsibilities include:

  • Collection, validation and analysis of threat information from multiple, and often industry-specific, organizations
  • Generation of threat intelligence for the purpose of detection and response to advanced persistent threats (APTs)
  • Research and creation of a variety of concise and actionable threat analysis and warnings which will be consumed by everyone from senior company executives to security analysts

This is an intelligence expert with the ability to influence immediate change within an organization in the midst of high-pressure situations.

Interview tips: How to ACE Your Interview in 5 Steps

You’ve followed our tips for creating a standout information security resume, and you got a callback for an interview. Well done. Now make the most of your investment in time so you are prepared to ace the interview and make yourself impossible to pass over.

10 Tips for Creating a Stand Out Information Security Resume

Let’s be honest – there are 100 million articles out there about how to write the best resume, right? Right. Well, after 20 years as a technical recruiter and nearly a decade of recruitment in information security, I know what makes a good resume in this industry. Some of these tips are industry specific, some are (or should be) common knowledge. Following these basic principles will ensure you have the right foundation to create a marketing piece (information security resume) that will catapult you into the next phase of your career.

Relocation costs now a sticking point for job-hunting security managers

In an effort to cut costs, many companies hire local candidates to fill CSO positions. But are they also sacrificing quality for their security program?

By Bob Violino
CSO | May 5, 2015 9:47 AM PT

http://www.csoonline.com/article/2918772/infosec-careers/relocation-costs-now-a-sticking-point-for-job-hunting-security-managers.html

With security executives and staff in such demand at many organizations today, is it possible that something like paying for relocation costs could get in the way of hiring a new employee to join the security program? Yes, according to a number of people in the industry.

“Companies are finally realizing that they need someone to lead their information security efforts. Unfortunately, [they’re] settling for available local talent instead of hiring the experienced talent they really need” because they don’t want to pay for relocation, says an information security executive who asked to remain anonymous because he’s actively looking for another job.

In some cases, it’s made clear that relocation compensation is not an option. “If you start looking at director or above in the job boards, few positions will state that relocation is provided and many will explicitly say that relocation is not provided,” the executive says. “Since I am looking for a new position, I have talked with several recruiters and heard the same story from them. Companies don’t want to invest in relocation and are looking at local candidates only.”

Recently, the executive talked with a large restaurant chain that is looking for a new CISO, and was told that the company liked him for the position, but did not want to deal with relocation costs. “They did finally find someone local who had one-third the experience and had never been a CISO before,” he says. “I will give them nine to 12 months—or a breach—for them to be looking again.”

It’s not unusual for employers to ask recruiters to focus on the local candidate pool so they do not have to relocate someone, says Kathy Lavinder, executive director of Security & Investigative Placement Consultants, a retained recruiting firm that finds and places security management and financial investigative personnel.

“That’s quite common in the larger metropolitan areas where the local candidate pool is likely to be sufficient,” Lavinder says. “That directive eliminates some strong non-local talent, but that appears to be a price some employers are willing to accept.”

Some of Lavinder’s clients have been trying to contain relocation costs when possible. “Some have reduced the number of house-hunting trips to the new location for the potential employee and his or her spouse,” she says. “I’ve seen them reduce the number of paid house-hunting trips to one, instead of two. I’ve also seen a few employers put a 30-day limit on the coverage of interim housing costs to spur the new employee to find permanent housing.”

Some larger companies are expressing a desire to avoid cross-country moves, Lavinder says. “In one recent instance, a multinational company headquartered in the New York metro area asked us to focus on candidates east of the Mississippi,” she says. “The company may have been concerned that someone from the western U.S. may not adapt to the New York area, but I suspect cost entered into their decision.”

Larger companies have always had more generous and comprehensive relocation packages than smaller and mid-size companies, Lavinder adds, “but even some of our larger clients are trimming relocation packages a little. In one case, the company cut out some minor things they had covered in the past, such as the cost of a new driver’s license and car registration. These are minimal costs and candidates would never know they had been covered in the past, so it’s easy for employers to make a change like that with little consequence.”

Another security executive recruiter, Wils Bell, president of SecurityHeadhunter.com, has encountered refusals by companies to cover relocation costs “on many occasions.”

One example was a larger company that was located in a big city. “Their position had been open almost a year when I was contacted about working on their search,” Bell says. “The position offered a good salary, career advancement for the right person, challenge, etc. What it did not offer was any type of relocation.”

Corporate leadership had decided that since the business was located in a larger city, it should be able to draw from the local market. “They still were holding onto this policy even after a year of searching and interviewing several candidates through numerous sources,” Bell says.

And among companies that do cover relocation costs, in many cases the offer is not as generous as in the past, Bell says.

“For the vast majority of positions, relocation has changed from years ago,” Bell says. “Getting a ‘Cadillac’ relocation package is many times being replaced by a specific dollar amount [such as] $3,000, $5,000 or $7,500, and you move yourself. Of course, you’ll need receipts to back up all expenses.”

These types of situations, with either no relocation packages or limited packages, have been on the rise, Bell says. “I don’t see it as often at the C-level as I do the mid- to senior-level positions, but it is definitely increasing,” he says.

Years ago, relocation packages and their perks were fairly standard, Bell says. “Over the years they have decreased in value,” he says. “In my opinion, money is the main driving factor. Firms could spend a great deal of money moving someone. The actual move, closing costs, house hunting trips, temporary housing, etc. all added up. It is easier for many firms to just offer a flat dollar amount.”

Some organizations are more likely to provide relocation packages only for the higher-level security jobs.

“Often, organizations see the value of finding the precise organizational and skill-set fit at or above the director level, making relocation necessary,” says Domini Clark, principal at Blackmere Consulting, which recruits information security professionals.

“Below that level, however, it is often very difficult to find organizations willing to cover the costs of relocation,” Clark says. “Unfortunately, the majority of the hiring necessary in any organization goes on at this level, which causes issues with positions being open much longer than necessary or not being filled at all.”

Some recruiters, however, say they’ve not encountered any major issues regarding relocation costs.

“We have filled some of the most prestigious CISO roles as well as companies hiring first-time CISOs, and for the most part they understand the demand for these executives is very high and are providing relocation packages,” says Joyce Brocaglia, founder of Alta Associates, an executive search firm specializing in information security and IT risk.

“We have filled over 20 information security positions in the first quarter, and the majority of companies were willing to relocate candidates,” Brocaglia says. “The only times we see companies not wanting to fund relocation expenses are for junior level to entry level manager roles that they believe they can find local talent. Even in those cases, the majority of companies are willing to provide some type of sign-on to defer expenses.”

As the demand for talent has increased the past few years, “I’ve had more companies offering relocation packages than I did in the 2008 to 2011 timeframe,” adds Jeff Snyder, president of SecurityRecruiter.com.

“It is safest for a job candidate today to be prepared for reimbursement for a pack and move where the company will pay for a rental truck and maybe packing and a month or two of storage on the destination end of the relocation,” Snyder says. “If a company offers a relocation package that includes assistance with selling a home or even outright buying a candidate’s home, this is what I would consider to be a package with gravy.”

Nevertheless, containing relocation costs now appears to be a reality that recruiters, candidates and hiring managers must acknowledge and in most cases accept, Lavinder says. “This trend began during the recession and is ongoing,” she says.

Unrealistic expectations by candidates

The unwillingness of many companies to pay for relocation costs when hiring security executives and staff is having an impact in several ways, according to recruitment experts.

“This can make the jobs of recruiters and internal talent acquisition personnel more difficult,” Lavinder says.

“Candidates can have some fairly unrealistic expectations around relocation,” Lavinder says. “They’ve heard stories from peers about deluxe relocation packages and do not realize those are the exception, not the norm. Managing the expectations of candidates, as well as the relocation discussion and process, is how a good recruiter can add value and help the employer find the talent needed.”

One major effect of the decrease in relocation package offerings is that companies limit their choices and might not be able to hire the best candidate for the position, Bell says.

“This is especially true at senior leadership levels,” Bell says. “When you consider what even a small breach can cost a firm in lost profits, reputation damage, loss of clients, remediation efforts, etc., then hiring the best candidate, regardless of relocation, just makes good business sense.”

The trend means recruiters in some cases have to work harder to get companies to be more flexible if they want to bring in people with the needed security experience.

“Nobody ever wants to back off of their list of wants, needs and desires, but depending on the size of the local market a [company is] in, I have to convince employers that they have to find flexibility somewhere or lower their standards,” Snyder says.

“The types of roles I work on are not roles where companies can afford to lower their standards,” Snyder says.

Another consequence of the hesitance to pay relocation costs is that more and more work is being done remotely, Clark says.

“In many cases, the technology is there to make this effective,” Clark says. “However, leadership is often uncomfortable with this shifting tide. It ‘feels’ less like they have the control they need to know what’s happening with their department if they can’t do a walk through or hold an in-person meeting. If companies are unwilling to assist the right talent with meaningful relocation offerings or remote work possibilities, their positions will remain open or they will compromise on candidate quality.”

Analysts: Cybersecurity staffing shortages negatively affect national security – Domini Clark to Stars & Stripes

Blackmere founder Domini Clark’s insights on cybersecurity staffing shortages were used for a recent article in Stars & Stripes. The article appeared here.


The nation’s colleges and universities are scrambling to add courses to prepare students to fill the huge number of cybersecurity jobs that have arisen due to exponential growth in hacking worldwide.

The extent of the problem isn’t clear; analysts say the number of job vacancies ranges from 100,000 to 350,000, with as many as 45,000 positions in California.

Ashton Mozano, a cybersecurity professor at the University of San Diego, says there are thousands of $80,000 entry-level jobs available to applicants who have nothing more than an undergraduate degree in computer science or computer engineering.

Analysts are trying to nail down the actual number of openings.

“The cybersecurity industry does not have the best track record when it comes to quantification,” said Stephen Cobb, a senior researcher in the San Diego office of ESET, a digital security company.

But the shortfall is real.

And a lot of the blame has been placed on academia for failing to train large numbers of students with targeted skills. Industry and government officials also are being criticized for failing to define their needs more clearly — a key component for helping colleges solve the labor shortage.

Academia is trying to fix the problem, especially in San Diego County, where hackers routinely assault the region’s huge military, defense and science communities, as well as the assets of consumers.

National University, the University of San Diego, San Diego State University, UC San Diego Extension and Palomar College now teach courses that weren’t available 5 to 10 years ago.

USD also closely works with Circadence Corp., a company in Kearny Mesa that specializes in the “gamification” of cybersecurity training. Students are exposed to high-resolution videos and graphics that give them a sense of what a real “hack attack” is like. They also use the immersive software to learn how to spot and prevent digital assaults.

The company is led by Mozano, who is also part of USD’s growing cyber program.

He’s trying to change the way students are taught in hopes of drawing larger numbers of people into the field quickly.

“Unfortunately, presenting technical training in an aesthetically pleasant way does not seem to be a high priority among course material developers,” Mozano said.

“Certain academic fields in mathematics and engineering are infamous for presenting material in drab, monotonic, esoteric, non-interactive manners.”

Analysts said that compounds the problem because cybersecurity already suffers from an image problem.

The field pays well, but many computer-science students would rather create new products and technologies for Apple and Google than design and operate systems that spot, resist and mitigate a widening variety of attacks.

“Computer science is sexy. Cyber isn’t,” said P.K. Agarwal, regional dean of Northeastern University’s Silicon Valley campuses, which teach cybersecurity.

“Cybersecurity can be a high-stress job where you can get fired if things go wrong, and no one pats you on the back if there were no problems overnight,” he added.

Analysts said the industry needs to jazz things up and highlight job opportunities.

“The chances are excellent for graduates of homeland security and cyber security degree programs to enter the job market directly out of college,” said Lance Larson, assistant director of the Graduate Program in Homeland Security at SDSU.

“The reality for recent graduates is that they need a degree, experience, and certification; this is really the perfect trifecta for graduates to have a powerful job seeker portfolio.

“At San Diego State University’s Graduate Program we are requiring students to intern, starting with our 2018 graduate class, to allow students to gain practical experience required for the job market.”

San Diego-based National University also is emphasizing practicality.

“One thing we do to improve students’ skills and make them more marketable is provide opportunities to work with local small businesses and nonprofits to conduct free security assessments as part of their final Capstone project,” said Chris Simpson, director of National’s Center for Cybersecurity.

“Students who gain experience from this applied learning and who have the opportunity to network within the tech community have shared with us how well-prepared they are for the job market.”

The staffing shortage is serious enough that, “The president should … train 100,000 new cybersecurity practitioners by 2020,” the Commission on Enhancing National Cybersecurity said on Dec. 1.

The shortage also means “you’ll see more things like the Tesco attack, which targeted bank accounts (in England), and a greater risk to health-care records and everyday devices like your phone,” said John Callahan, director of cybersecurity programs at the University of San Diego.

“In the digital age, this is potentially the greatest period of risk that consumers have ever faced.”

There’s special concern about ransomware, a type of malicious software that hackers can use to remotely take control of computers, including those in automobiles. In most cases, victims have paid money — from hundreds to tens of thousands of dollars — to regain control. For example, hackers carried out such an attack against Hollywood Presbyterian Medical Center in February, forcing the hospital to pay $17,000 in ransom.

The U.S. Justice Department estimates there are about 4,000 attempted ransomware attacks each day against individuals, companies and the government, and that many of them are successful.

“Based on FBI statistics, bank robbery in the U.S. is a $40 million a year problem, whereas cyber criminals using ransomware are making over $200 million per quarter,” said Cobb at ESET.

“And while a handful of bank robbers are shot dead every year, there are no reports of cyber criminals ever being killed in the commission of a crime,” he added.

The federal government and the military began to significantly ramp up their efforts to fight cyber attacks about a decade ago. Security firms and a wide range of companies did the same.

The results have been mixed.

Analysts said most cyber attacks, including some pretty sophisticated ones, are blocked or minimized. But hackers have quickly adapted to every method used to stop them, leading to damaging and embarrassing breaches amid an ongoing game of cat and mouse.

Earlier this year, hackers stole digital spying tools thought to belong to the super-secret National Security Agency. Hackers also stole data from the Democratic National Committee and Hillary Clinton’s campaign in an apparent attempt to influence the presidential election.

In late November, a hacker disabled the fare system for the San Francisco Municipal Transportation Agency, forcing it to give commuters free rides until proper operations were restored.

Experts said these kinds of intrusions underscore the need to develop a huge class of cyber professionals — and to market the field as a noble and dynamic domain where well-regarded, highly valued specialists defend precious assets and protect the public’s safety.

“Some people think of cyber as the I.T. guy, which is wrong,” said Callahan at the University of San Diego.

While the staffing estimates vary, analysts agree on the huge need for qualified workers in the cyber industry.

Northeastern University’s Agarwal estimates there are 100,000 of these unfilled jobs nationwide. Peninsula Press, a journalism program at Stanford University, puts the figure at 209,000. Cyber Seek, an industry-government coalition, said the number could be about 350,000 when including positions that require at least some cyber abilities.

The job descriptions range from security analysts to network engineers to software developers to risk managers. Some lower-level positions pay as much as $70,000 per year, and management positions can hit $235,000 or higher.

Experts are eager to see the applicant pool widen, and they’re looking for specific types of candidates.

“The best cybersecurity professionals think like criminals,” said Domini Clark, an Idaho-based recruiter at the recruiting company Decision Toolbox. “The joke in the industry is that superstars have an ‘evil bit’ in the code of their personalities. They know better than to have a high-profile online presence. ‘Paranoid’ is too strong a word, but they tend to be hyper-cautious and some take pride in operating in ‘stealth mode.’”

Those people tend to be coveted, so low-ball employment offers just don’t work.

“(Some) companies are doing lip service, not willing to fund the important roles that are necessary for the growing security issues,” said Kirsten Bay, chief executive of the firm Cyber adAPT in Half Moon Bay. “There is a desperate need for technologists who can speak at both the engineering and board levels, candidates who can understand technology and yet speak to the business case for security.”

Clark at Decision Toolbox agrees, noting: “About half of cybersecurity professionals are contacted by a recruiter at least once a week. If you post a standard H.R. job description of duties and requirements, it will wash out among all the other background noise … (Candidates) want to do intriguing work that is varied and unique. Let them use their devious creativity to your company’s advantage.”