Haven't read part one of this blog? TL;DR:
- The security talent gap is real.
- Creating and promoting strong company culture attracts and retains top performers.
- Security professionals should always be actively recruiting – both internally and externally.
With that gross oversimplification under our belts, let's start into the next set of takeaways…
The job description – it matters.
Job descriptions don't just ensure that qualified candidates are finding your organization in the course of their job search. Knowing the key functions, responsibilities, and daily duties helps to lay the groundwork for a satisfying and rewarding career path by setting expectations at the outset. This may sound obvious, but too often organizations rely on generic job descriptions without being specific about what the role entails, the required skills, and the work to be undertaken.
Help your business partner on the HR team out – be very clear in the minimums you seek for each role, as we face a situation where there isn't enough expertise to cover our needs. Focus your minimums on what is required to get the newbie to a point where they are contributing in a meaningful way, and be realistic with how much energy and patience you (and the team!) have for getting the new hire up to speed.
I asked CISOs about their strategies for finding the right people. “Not everyone needs a security background, in the beginning,” one told me. “I try to write job descriptions that reflect this. If you want a first line analyst, you don't necessarily need someone straight out of school with an infosec degree. You need someone who is passionate about solving puzzles. Maybe they did game theory, or something else that's completely outside of security. Let that come through in the job listing, so you're casting a wider net at the get go.”
Another CISO echoed the concept that innate personality traits can sometimes be more important than learned skills: “I want people who like to experiment. Programming backgrounds are great, but you can't advise programmers on how to fix a problem if they don't understand how it got there in the first place.”
“The job description is key,” another agreed. “Some are just awful – they don't talk about how success will be measured for that particular role. First off, know what your company pays, because that will determine whether you're looking for talent in the right places. In my case, the company has a mandate that security is important and so we don't want to under-invest; that means we're aiming for the top people. I've had experiences in my career where I've had to put ego aside and acknowledge that the business isn't in the market for the cream of the crop.”
But here's my favorite summary of what to look for in candidate: “You want to find someone with the right kind of insanity.”
Remember when I wrote about soft skills? Yeah, they still count.
If you're a CISO, you'd better be good at playing the politics game – time and again, interviewees proved that interpersonal relationships are a core part of the gig. Hiring and retention is no exception. Whether you're best buds with HR or have developed a grudging respect over the years, you'll need to have a good working relationship if you want to attract and keep strong players.
“Salary is tough to go to bat for,” said a CISO, “but I will do it for someone who I want to keep very badly. Things like out-of-cycle raises aren't easy to get, either. You have to know how to negotiate for one.”
There was also a shared sentiment around how quickly talent can grow and improve, “It's not impossible to find fundamentally strong people that you can train up,” said another. “In those cases it's a question of starting low and then accelerating funding by maybe 10k each year. You can't always follow the 3-5% uptick that most organizations adhere to. So I'll work with HR and finance to explain that to them, and get them on board with the fact that otherwise we won't be able to hang on to these people.”
Another iterated the same frustration, “I have had people get on the phone, entirely disinterested in the position, but the quick conversation helped re-calibrate HR's expectation of what someone with that skillset brings home.”`
“Most of my guys have an appsec background and strong pentesting skills. HR will look at a candidate and say, ‘They have 15 years of knowledge, and as a security architect here is what their salary would be.' But no way will I get a 15-year veteran with the right skillset at that price point. I'm having issues finding good data that I can show to my organization that will demonstrate what someone in the role should actually get paid.”
Budgeting, which I've explored in more depth separately, remains an exhausting process. “I always fight the budget battle. You have to pick and choose what you'll fight for; in some cases budget constraints aren't worth making a stink about. If I can, to avoid adding headcount I'll outsource the work to another organization with the right capabilities, so I don't have to reproduce them internally.” Another CISO gets creative with HR: “Sometimes we can sweeten the pot with a work from home program, or by encouraging employees to go to security conferences. Not everyone will be a rock star, so find a way to reward those who are.”
Miscellaneous Sound Bites
In the course of conducting these interviews, I gathered a lot of cool tidbits. Not all of them qualified as top takeaways, but the insight is still valuable and so I've rounded up a few of my favorites, in the hopes that you may still benefit.
Of particular note was the fact that many interview subjects expressed frustration about the lack of women in security. Unfortunately, this is a very real problem that doesn't have a simple solution—it will require a concerted amount of focus and investment, the benefit of which may not be seen for many, many years to come. There is a lot of energy being invested in STEM initiatives, pulling a variety of young people toward the security community early on is an excellent way to prime them for an infosec career, but that's a very separate discussion that warrants its own deep dive.
- “Maybe the talent gap is partly caused by people not wanting to pay [security professionals] enough money. It's like how people say it's impossible to hire a skilled welder for 10 bucks an hour – if you're not paying market wages, then yes you won't find people with the skills you want.”
- “Wannabe security practitioners who are still in their undergrad should find a local security meetup, like ISSA or BSides, or look to get involved in CTFs. These are great ways to learn the basics of reverse engineering, hacking, etc.”
- “The security mindset is different from other technology disciplines. ‘The how do I break this?' mentality is something you want to look for.”
- “I don't have a high attrition rate. My approach is to treat employees like my kids – a little bit of love, a little bit of discipline, lots of accountability, and some fun as well.”
- “You can't fear stolen talent. Talent will move – accept that. Instead, focus on having an environment that is interactive and engaged. People will always know whether you care or not.”
- “I don't worry about my people leaving or being stolen – it is *my job* to make the team, the work, the environment, and the opportunities hard to walk away from.”
- “I strive to make leaving my team a very long, exhausting, and emotionally taxing experience. We are a family.”
As always, if you've got thoughts, or would like to join the conversation- comment below, or track me down!