The cyberthreat landscape has expanded in recent years, accelerated by enterprises promoting remote work and more reliance on cloud computing. These are a business necessity, and yet, facing down cybersecurity threats often doesn’t come with an expansion of resources to address them.
In a future post, I’ll discuss more about the Security Poverty Line, and how organizations deal with its harsh trade-offs and compromises in an uncompromising landscape. One aspect of that concept is the utter lack of cybersecurity talent globally, and how difficult it is to hire for such roles.
Not having the right people in place can have significant consequences–a recent Fortinet study found that 80% of respondents experienced one or more breaches they could attribute to a lack of cybersecurity skills or awareness. Only those with the deepest level of resources can always afford to hire the best and most seasoned security talent–that doesn’t apply to most organizations.
With the acute shortage of skilled cybersecurity talent, the only sustainable hiring model is to grow your own talent. I’ve hired technical consultants from backgrounds as diverse as molecular biology, the Best Buy Geek Squad, and everything between.
InfoSec is famous for job descriptions requiring years of experience and a pile of certifications. My recommendation is to toss that in the bin, hire for raw talent irrespective of background, and focus on your training model. I’ll go into depth on both of those areas here.
The first thing to consider, which may be a surprise given the field, is that you don’t always need to target people with prior technical acumen. It’s more critical to hire for curiosity and soft skills irrespective of technical background (or lack thereof).
You want people who want to know everything about what they’re working on. In the interview process, I’ve used standard behavioral interviewing techniques, but aimed at sussing out the candidate’s level of curiosity and emotional intelligence (EQ). I’ll ask the interviewee to explain something complicated to me, not necessarily about technology, including things as disparate as the drivetrain of a bicycle hub or professional audio recording cables.
This level of curiosity is so critical in cybersecurity–you want people who are never going to be satisfied until they know how absolutely everything works in their field.
Additionally, you want someone ambitious, but in the first few years of their career, their ability to learn from their colleagues will be critical, which is where EQ comes into play. You want people who can empathize, listen, and handle difficult interpersonal situations without getting flustered or upset. This is why we very often find that people with a background in IT helpdesk roles make a successful transition into cybersecurity.
They also need to show the capability to be a quick learner in a field that requires it even for the most seasoned professionals. [UPDATE: I wanted to also point out that this hiring model has produced some of the most diverse teams I’ve ever worked with, in part because it encourages people to not self-select out of a process based on who they are.]
The second key is the training model. Pairing new talent with a senior tech is a classic, but I’ve had better success augmenting this model with a three-person approach – one senior mentor to guide the overall learning process for the new employee, and one “peer” mentor at the same level to field more basic questions.
Having a peer guide the day-to-day work for a brand-new security analyst fosters an open dynamic, free of the intimidation that comes with working for an industry veteran. As a security leader, I had to acknowledge the reality that someone coming in from outside the field was necessarily going to be intimidated by someone who had been doing InfoSec for 15 years. That new person needed someone else to be able to ask any question they had without fear of how it would be received.
The two mentors are also able to collaborate and discuss the new analyst’s progress and potential areas of focus. Together they can figure out how the new hire is scaling up, where they need work, where they might need to be assigned projects, etc. It’s a way to have someone contributing to the organization while feeling like they’re getting more skilled, and then gradually climbing that ladder to take on more and more tasks.
Like any other field, folks you hire in cybersecurity will likely always want to spread their wings, broaden their horizons, and move on to another company or role elsewhere. That’s inevitable. But there are key things you can and should do to retain the staff you’ve grown into their current roles.
Some of the things you can do are fairly obvious and apply to most careers. Your people will be happier if you give them defined career paths, raises in compensation, and positions in which they can succeed in their job. If you’re able to, providing spot bonuses or off-cycle raises certainly goes a long way.
Regarding day-to-day management of your team, I can’t stress enough how important it is to be adamant about work-life balance, and insist your team take time away from the job. InfoSec burnout is very real, and that’s something you have to start protecting against right as someone enters the industry; it has to start Day 1.
InfoSec can be notoriously difficult to take a break from, but if your team is trained and structured properly, there’s no reason for people to work around the clock without any breaks. That goes hand-in-hand with maintaining the right culture. Every leader needs to figure out what their team needs from a cultural standpoint, and what they need to do to foster it.
It may seem daunting to grow security talent on your own. But if you take some chances on people who have the right soft skills and EQ, train them the right way, and do what you can to help them love what they do, then the return on your investment from a security standpoint will be immense.