Today’s center of gravity in cybersecurity is shifting, pulling the skills and experience of cyber defenders in new directions. In most companies, this situation has led to a convergence of responsibilities between physical security, information security and cybersecurity teams, and an increased commitment to “staffing-up” of dedicated “cyber defenders.”
Unfortunately, this is easier said than done. Supply of cybersecurity specialists has lagged demand for the past eight years. In fact, an analysis of data from the Bureau of Labor Statistics indicates that nearly a quarter of a million cybersecurity jobs went unfilled in 2015, and that figure will continue heading upward for the foreseeable future. How does an employer attract qualified talent in such a competitive marketplace?
For starters, try building your brand as “an employer of choice” for cybersecurity. A good starting point is being able to demonstrate an investment in the most current tools and technologies, including endpoint detection and response, patch management and threat intelligence software. Dedicated cybersecurity professionals will want to see that your company appreciates the need for cyber strategies beyond signature analysis, and is making use of tools that give better visibility into the behavior of threat actors. And senior leaders will need to see a financial and operational commitment to spending on human capital.
Here are some other creative approaches:

1) Don’t be limited by geography. Instead, hire your cybersecurity team where they live and allow them to work remotely. This allows you to broaden your pool and truly consider the best of the best; it also encourages loyalty to you for your willingness to provide that flexibility and trust.

2) As part of your offer, “give” cybersecurity hires independent time to work on “whatever they want” for a percentage of their schedule (5 to 10 percent). This will attract creative types who might use the time to solve arcane security issues you didn’t even know you had.

3) Actively promote a gender diverse workforce. Women currently comprise a small minority (11 percent) within the field of cybersecurity. For them, if given a choice of employers, the companies that demonstrate a supportive culture will have a leg up on the competition. Working moms in cybersecurity are seeking environments where they can go beyond pen-testing and intrusion detection. In my experience, they want to be mentored and learn leadership and management skills.
You might also want to consider rethinking the educational prerequisites for some positions. Perhaps candidates need not have a bachelor’s degree if they possess a CISSP certification, considered by many to be “the gold standard” of InfoSec certifications. Because CISSP certification speaks to extensive experience and training, you can spend more time probing for other requirements, like communication skills, how well they work as part of a team, and how they manage their time and tasks.
Although not as prestigious, there are also alternatives to the CISSP. These include CEH (Certified Ethical Hacker), CISA (Certified Information Systems Auditor) and OSCP (Offensive Security Certified Professional).
When hiring for senior roles, like CISO, it’s tempting to err on the side of the overly technical. My advice is “don’t.” You may think that hiring a technical guru of your own is the best way to outsmart offending hackers, but at the highest level, you need to hire a great listener who can prioritize when a breach is discovered. (I’ve been amazed at what History or Music majors have done in these roles!) In a crisis situation, you will want someone in command who – instead of reading a list of vulnerabilities to executives – will focus on the company’s most treasured assets like master passwords with admin privileges, sensitive customer data and corporate secrets. Above all, a CISO must be able to provide leadership and communicate insight with a cool head, yet a sense of urgency.
You also want to steer clear of stereotypical “security geeks” when hiring the core of your team, and instead look for personality types who are puzzle solvers with a bit of rebellious flair. These analysts, who look and act differently than more mainstream candidates, tend to be highly motivated and can set a compelling direction for the entire department.
How do you find this type of talent in today’s hypercompetitive job market? First and foremost, you need access to the right talent pool. Hiring a recruitment firm that specializes in cybersecurity will give you access to established networks in cybersecurity and the InfoSec community, and allow you to tap candidates that may not be actively job seeking. In addition, a firm with cybersecurity expertise will best be able to act as your brand ambassador and brand builder to these candidates, portraying opportunities at your company in a context they will appreciate. The expense related to the recruitment of top cybersecurity talent should not be thought of in terms of fixed budgets, but rather in terms of how much your company is willing to risk, in losses, if a breach occurs.
The truth of the matter is that the majority of U.S. businesses and organizations are ill prepared. Most breaches go undetected for an average of 200 days; that’s 200 days during which “the barbarians have been in your castle.”
When that happens, you are left to rely on the raw talent and discipline of your team and their ability to remediate in light of a software system failure. At that critical juncture, you certainly don’t want your biggest security vulnerability to be your talent.
That’s why employers clearly need to invest in hiring, training and challenging cybersecurity teams – because the most dangerous cyber threats are the hardest to find, and so is the top security talent. Companies that ignore the gravity of funding this commitment to talent acquisition do so at their own peril.