Hacking the Hire: Three Ways to Recruit and Retain Cyber Talent

Finding the right fit for your security team remains a daunting and somewhat challenging task in today’s world. There’s a well-documented shortage of talent across the cybersecurity industry dating back several years. The COVID-19 pandemic and the challenges it brought have made matters worse.

Recent reports and surveys don’t paint a pretty picture. 


ESG and ISSA’s fifth annual research report, The Life and Times of Cybersecurity Professionals 2021, said “the cybersecurity skills crisis continues on a downward, multi-year trend of bad to worse and has impacted more than half of organizations.” Nearly everyone surveyed (95%) agreed that the gap hasn’t improved over the past several years; 44% say it’s only gotten worse. 

In the federal sector, a recent Partnership for Public Service report (PDF) found the number of full-time cyber employees only increased by 8% from September 2016 to September 2020. Many agencies still struggle with retaining a cyber workforce that actually looks like the American public; few are female, few are under 30.

While the availability of some resources, like the Cyber Aptitude and Talent Assessment (CATA), seems poised to help, it won’t be a silver bullet. Organizations still need to take steps to train and retain cybersecurity talent. With that in mind, what are the best practices for finding the right fit for your security team? If your company is bleeding talent, what strategies can you employ to help ensure cyber talent retention?

For many organizations, it depends on the type of position you’re looking to fill. These days, there’s an extremely wide range of roles from security analysts, to incident responders, threat hunters, malware reverse engineers, architects, and so on. Your first objective is to identify the specific positions you want to fill, detailing all the responsibilities that’ll be required of them. Larger organizations may have the luxury of hiring for each of these specific roles but a lot of times you may end up having to hire someone able to wear a bunch of those hats. In short, when it comes to hiring the right employee, knowing the role you’re looking to fill is critical.

Identify Talent from the Inside 

The first place an organization can look is internally. Having someone that’s already familiar with the corporate network, culture, and the people can be a major benefit. Then you can focus on building up their skills through a range of online training and encouraging them to acquire various cybersecurity certifications, which can pay long-term dividends. I’ve found some of the best security folks right within adjacent internal IT audit organizations. Instead of having them question you about your IT controls, have them join you! 


Incentivize Current Employees and Assess Prospective Employees’ Motivation 

If you need to venture outside your organization, it’s ideal to hire people who come highly recommended, either by people you know or by people who have already worked with them. What you see on paper doesn’t always translate to how well they’ll fit on your security team. Incentivizing employees to refer candidates they’d personally recommend is a great way to cast a wider net.

If you’re unable to acquire talent via the previous two methods and need to interview candidates with whom you’re unfamiliar, then I recommend a few things. 

Ensure that you’ve listed all the roles and responsibilities that the job entails so that you can limit the number of applicants who are unqualified for the position. You’ll still receive submissions from individuals who have zero experience in the field, which can be frustrating, but at least the candidates will know exactly what you’re looking for and what skills are required. I once received an applicant looking to fill a senior threat hunter role and his work experience entailed being a high school janitor. Thus, the immediately transferable skills were surely in question.

During the interview, it’s important to assess not only their experience but also their personality and motivation. You want to make sure they’ll work well with others because collaboration is key.

Finally, I like to give a hands-on test to the top three candidates who make it past the initial interviews to see how they solve a problem and formulate a response. This test is usually extremely telling in what you’re ultimately getting in the hire. Are they thorough? Do the skills they’ve listed out on their resumes line up with their responses? How did they present their findings? Who presented the best? 

Collaboration is Key

When it comes to ensuring cyber talent retention, establishing the right working environment is critical to keeping people engaged and motivated to stay.

Having policies to ensure there’s an effective work-life balance and offering solid benefits are important elements when it comes to employee retention. I also believe that if you have a highly collaborative and engaging team that focuses on achieving group goals and taking the time to reward and celebrate them, it goes a very long way in countering anyone’s interest in leaving. 

They also say people don’t necessarily quit jobs, they quit a boss. If you foster this type of positive and respectful environment – especially understanding that employees can be focused on developing their career paths just as you are – then fostering retention will be a lot easier, too.

While there are other ways organizations can build up a robust cyber workforce, these are a few of my ‘tried and tested’ techniques. Investing in your employees by motivating and advocating for them to do their best can be the backbone of a successful cybersecurity program.

It sounds simple. In many ways, it is. But it takes time and commitment. Do it right and you’ll have a happy, stable team. Otherwise, you’ll struggle to hire while you watch your best people go someplace else. 
