Not having access to technical talent is a common complaint in the cybersecurity world. Folks with security experience on their resumes are in such high demand that CISOs need to hunt beyond the fields we know. To borrow a phrase from the ever-logical Mr. Spock, CISOs need to embrace Infinite Diversity in Infinite Combinations. By this I mean embracing diversity not only of bodies but of talents and experiences.
First, focus on acquiring the key cybersecurity skills beyond hacking and managing security tools. Effective cyber defenders leverage their business and managerial skills, including:
- Identifying, quantifying, and explaining risk to the organization’s key activities
- Understanding the value of information and its unique qualities such as timeliness, accuracy, relevance, and privacy
- Recasting business processes to reduce risk while retaining their value
- Communication skills, including expressing patience, perspective-taking, and negotiation
- A clear understanding of the principles of contract law, negligence, and customer obligations
You will find that you can build upon these foundational skills with technical training to level up new cybersecurity professionals. In some cases, it can be more challenging to train traditional IT security “geeks” in these skills, so this might be an easier path for some positions.
You can fish for this talent in a much larger ocean beyond traditional IT resumes. Look at customer service, business development, sales, law, finance, insurance, competitive intelligence, and library science. The biggest boost you can get is by finding these people in house and nurturing their careers. The bonus is that, by being part of the organization already, they come to the table with a good grasp of the culture and value streams. Of course, not everyone in these areas is going to be a solid security pro, but within the organization you can find seeds to grow.
Now that you have a pool to draw from, how do you make the first cut of likely strong security candidates? Above all else, there must be interest and determination to enter the field. More than a few people are drawn into the world of cybersecurity for the money or prestige, only to be dismayed by the amount of work and frustration it entails.
If the person you’re looking to bring in is not already a cybersecurity professional, they’re in for a steep ramp-up of technical training. That’s a firehose of reading, classes, certifications, conferences, peer observation, online training, and hands-on work. Some people embrace the chance to learn new, exciting things while others balk at it. I’ve always leaned towards recruiting individuals with a “constant learning” attitude. Find out if they are willing to push themselves, not merely to maintain skills but to sweat and struggle to learn new things.
A second key skill for cybersecurity is risk analysis. Every adult human does risk analysis at some level or another. We do it whenever we decide to spend or save money, go to the doctor or wait out an illness, or simply cross a busy intersection. Obviously in cybersecurity, it’s more complicated and less clear. However, the people you’d want to hire should be deliberate, rational, and consistent in their method of risk analysis.
Given that you’re also recruiting talent with organization and business backgrounds, look at how they can link risk to the needs of the organization. Ask them what business processes take on unnecessary risks and how that might be reduced. Look at how they would prioritize risks, since we can never eliminate all our exposures but should always tackle the biggest ones.
These are just a few of many ideas to help develop your security team. Given the variety of specializations required by the different cybersecurity roles in an organization, remember that not everything lines up perfectly with a security certification or a hacking background. Even non-IT professionals can make valuable, diverse contributions to a cyber-defense program. Now go out and get them!