If I had a nickel for every time I read about the “security skills shortage”…well, suffice to say that everyone seems to lament the lack of strong talent in this industry, and the low number of eager young graduates seeking to start a security career. So what better topic to explore by way of follow-up to the 2-part blog: Security Budget Tips from CISOs, for CISOs? (To recap: I'm interviewing CISOs for their guidance on select infosec issues.)
Hiring and managing a capable workforce is arguably just as integral – and, dare I say, challenging – as setting a budget plan. (Personal aside: management has been core to many of my past roles, I'm quite passionate about people!) Any good business leader knows that without the right people on your team, you'll never get to where you need to go.
First off, let's ask: Is the talent gap fact or fiction? Is it real, or is mass hysteria making us blind to the fact that the emperor isn't wearing any clothes? By way of response, here are some soundbites from the CISO interviews I conducted:
- “Finding the right people is near impossible.”
- “My company is based in NYC, where a lot of talent tends to pool, and we almost always get outbid by the highest paying firms, typically banks.”
- “There just aren't enough people coming into [this profession] anymore. Those that do don't have the right depth or experience.”
- “I have high expectations from my security people, and yet I'm getting applicants who want to be architects and can't tell me what a three-tier design looks like. Or someone who calls himself a senior appsec guy, but can't tell me any of the OWASP top 10.”
In a word: Yes. It's real.
The security community, on the whole, is full of skeptics, so it's pretty far-fetched to think that security professionals would all fall victim to a myth, even if it is widely propagated. The perceived “talent meccas” like NYC and Silicon Valley compete heavily to attract qualified individuals. Conversely, CISOs who weren't based in a large metropolis said that company location was a huge impediment to hiring, particularly at the lower levels where applicants are ostensibly younger. One interview subject, however, was an outlier: “[My company] is fortunate because people want to work here. We're in an unusual position: people know and love us.”
Which brings us to the first takeaway:
Culture! It Matters.
It's not surprising that brand awareness and company reputation can affect the number of job applicants. But even CISOs at smaller, less well known organizations benefit from upping their public profile. “When you're out recruiting, reputation will lead,” a CISO told me. “People will inevitably look you up, so have a consistent persona. Leadership honesty and transparency matters – these people can smell BS a mile away.” This is one of many reasons security leadership should prioritize live events, speaking, and recruiting.
Getting publicity for security efforts requires interacting with people outside of the security team. “We've worked at publicizing what it's like to work here,” said another. “That strategy has been effective. It's helped to communicate what we're doing in terms of security, and it's given me a chance to work with our editorial department, PR, and some of the engineering teams. You just can't be siloed as a security professional.” (Remember the CISO who called his job a “matrix discipline”?)
Nothing Lasts Forever
Not only will it help with retention, but having a strong culture also pays off (no pun intended) during contract negotiations. Although money talks, it's not always the #1 selling point – especially for young professionals looking to build a strong foundation for their career by developing their knowledge base. Personalized guidance and continuous learning are core to retention.
“I like to emphasize that, after three years here, you'll be a security ninja,” said a CISO. “I'll spend the money to give my team career guidance, to make sure the people who deserve it get to go to DEF CON each year.” Another echoed this mentality: “I like to work with entry level candidates on a 2-5 year growth path. I realize they may not be here forever, but I want to focus on giving them the right tools and a good experience.”
Several of the CISOs I spoke with had similar personal contracts with their team, “Please don't leave without letting me help.” Many of my past teammates allowed me to coach them, make introductions, provide personal endorsement, and even coach them through the negotiation process. Teams with enough trust to discuss growth, development, and transitions with their management have reputations in the industry- they are families people seek to join.
Always Be Recruiting
As I emphasized in my budgeting blogs, having the right headcount is key. And you shouldn't rely exclusively on recruiters to source candidates.
“To steal from Glengarry Glen Ross: Always be recruiting,” one CISO told me. “I met a history student and ended up hiring him because I thought he had the right skillset. If you're the kind of person who doesn't need a recipe to cook, then you might survive in security. I want someone with just the right level of insanity.”
The moral of that particular story was that talent can come from unexpected places, and a lot of the CISOs I spoke with said that looking in the usual places can also be worthwhile. Consistently sourcing qualified candidates will ensure that you aren't left hanging in the wake of an unexpected employee departure. Let's face it: attrition is inevitable.
Another CISO advised: “Take the three best security professionals you know, and ask them to work for you. If they won't, then ask for the three best people they know.” I asked another interview subject what recruiting tactics have worked for him. “What works is getting my staff to find friends,” he responded. “I send them to trainings where they can meet people and, hopefully, convert them. HR can only do so much in terms of hiring. I pay 5k USD to anyone who makes a referral we hire.”
Colleges, of course, are fertile hunting grounds. “I like to pull in two to three college interns each summer,” a CISO told me. “Those that show promise, we will groom and take on at the end of their school year. Admittedly, they're starting off with grunt work: risk analysis if someone wants to open a firewall, or figuring out what caused an alarm.”
The “always be recruiting” mantra doesn't just apply externally, either. Several CISOs recommended looking within your organization: “I try to ID testers, or QA people who are hungry to learn more. Then I train them up, if the role is right.” Some companies have a strong culture of growth and internal promotion, while others look down on, “poaching from other teams,” – your partner in HR or people and culture can guide you.
Obviously this is going to be a multi-parter? Stay tuned for the rest!
If you've got ideas you want to share, experience, tips or tricks- reach out!