By Joseph Dalessandro
October is National Cyber Awareness Month, and we’ll be spotlighting cybersecurity content on the blog all month long.
People management is one of the hardest and most rewarding experiences of one’s working life. With the advent of the “gig” economy, I am curious how we are faring in hiring in the cybersecurity space.
Cybersecurity hiring has been universally difficult for some time. It’s not that there is a lack of quality candidates. The issue is that we are missing each other. This is due in large part to the “traditional” hiring approach that many mangers adopt when they have open roles. They head to HR, or pick up the phone and call HR, and ask HR to find them candidates.
This happened to an acquaintance of mine not too long ago. He was looking for a junior information security analyst: a basic role that requires entry-level experience. He received more than 600 resumes, and realized that solid candidates were getting lost in a sea of unqualified applicants who know security is hot and want in.
If you are a manager in security, it’s time to change your hiring paradigm. To find a better applicant pool, cast your net more efficiently and do the following immediately:
- Use your network. Get into your network and spend some time talking to your peers. Learn how to recruit and get out and start recruiting. If you have people in your network that would be perfect, call them. If they do not want to move, find out if they have contacts looking for work. Ask your peers where they are finding hires. Share information on candidates, someone who is not a good team fit for you may be a good team fit for a peer of yours.
- Set the expectation up front in postings that you are different and you are serious. Include information in job postings that candidates will be tested on role skills during the first interview. Those without skills and basic security knowledge immediately fall out. This works well for junior roles. For more senior roles, make it known up front that for technicians they will need to demonstrate skills and for managers, they will need to discuss culture, training and retention.
- Make candidates provide a cover letter or cover email that explains how their experience aligns to the role, or provide them a platform to do this in a structured way. This will, once again, weed out those who do not align with the expectations of the role. If I need to describe in a table how my experience and skills relate directly to the role skills, I know that the manager is serious and is looking for the right candidate, and not just “looking” for candidates. Demand that candidates communicate, and get them together to be interviewed by other managers, from other non-IT departments, to interview them more objectively.
- Look for skills and education that shows the candidate is more than a CISSP. CISSP’s are everywhere, but show me a CISSP with a master’s degree who can write a business case or executive memo and I’ll scoop them up.
Once you build a team, you need to cultivate it. You want to develop your employees, and yes, eventually you want them to move on, to be successful in another department or another company. However, at the outset, for all your hires, you want to retain them, develop them and let them thrive. This will also pay when you need to hire. Some of those employees will develop into their next role with you, and if you know those employees and what they want and where they want their career to go, you can help. Do a better job of knowing your current employees and how you can develop them for that next role. Look at your team for diversity, and for diversity of thought, and make sure you employ some contrarians. Diversity in thought is especially important in cybersecurity. A diverse team will be a high performing team. For roles where you have great staff but they are taking leave or need a different structure to their job, consider altering your approach and preconceptions about the traditional working day or the traditional working role rather than replacing those employees.
There are candidates for roles, but they need to be discovered. If you’re looking for a position, differentiate yourself from the masses. Why do I want to hire you? Stop memorizing port numbers and show me you know what P&L is and that you understand budgeting, or, develop your presentation skills, or, develop data analysis or data visualization skills. Or, better yet, get a master’s in security leadership and I’ll know you can handle the role.
Joseph (Joe) Dalessandro is the program chair of the Information Security Leadership program at Brandeis University Graduate Professional Studies, and the Head of Security & Technology Audit and Audit Data Analytics, Australian Unity.
Brandeis GPS offers a Master’s of Science in Information Security Leadership. The part-time, fully online program prepares graduates for leadership roles in information security with a cutting-edge, industry relevant curriculum that builds leadership savvy and skill in leveraging technical know-how. For more information, contact firstname.lastname@example.org, call 781-736-8787 or visit www.brandeis.edu/gps.