Last updated at Mon, 14 Nov 2022 20:11:01 GMT

The mythical (un)icorn pipeline

When it comes to building a cybersecurity talent pipeline that feeds directly into your company, there’s one go-to source for individuals who are perfectly credentialed, know 100% of all the latest technology, and will be a perfect culture-fit: Imaginationland.

Of course we all know that isn’t a real place, and that the sort of talent described above doesn’t really exist. It’s more about thoughtfully building a talent pipeline that benefits your specific organization and moves the needle for the company. The key word in that last sentence? Thoughtfully. Because it takes strategic planning, collaboration, and a thoughtful nature to source from educational institutions, LinkedIn groups, talent-that’s-not-quite-fully-baked-but-soon-could-be, and many other venues that may not be top-of-mind.

Identifying those venues and solidifying a pipeline/network will go a long way in preventing continuous talent churn and finding individuals who bring that special something that makes them the cherry on top of your team.    

The (un)usual places

Do you have a list? A few go-to places for sourcing talent? How old is that list? Do you have a feeling it might be extremely similar to talent-sourcing lists at other companies? It only takes relocating one letter in the word “sourcing” to turn it into “scouring.” As in, scouring the internet to find great talent. Not a word with 100%-negative connotation, but it implies that – after that open analyst req has been sitting on all the job sites for months – maybe now there’s a certain frantic quality to your talent search.

So if you’re going to scour, you may as well make it a smart scour. Targeting specific avenues on and offline is great, but targeting a specific profile for the type of person you hope will join your team…that can turn out to be not so great. Stay open; the person(s) you find may just surprise you. Start online with places like:

  • TryHackMe rooms
  • Comments sections
  • Twitter (yes, Twitter)

And, truly, give some thought to heading offline and scouring/scouting for talent in places like:

  • In-person conferences and events
  • The local CTF event
  • Someone on your IT team that wants to get into cybersecurity
  • Talking to members of your existing team
  • Bespoke recruiting events in talent hotbeds around the world      

And one last place to look: past interviewees. How long has it been since you interviewed that candidate who was almost the right fit? What if that person would now be a great fit? It can be a cyclical journey, so it’s a good idea to keep a list of candidates who impressed you, but didn’t quite make the cut at the time. Better yet, connect with these candidates on social media and periodically check in to see how they are growing their skills.

The (un)familiar fit

You have an idea of what sort of person you would like to see in that open role. But, what if that person never walks through your (real or virtual) door to interview? Will you close the role and just forget about it? Of course you won’t because your SOC likely needs talent – and sooner rather than later. If you don’t allow for some wiggle room in the requirements though, you may be in for an extended process of trying to fill that position.

So, what does that wiggle room look like? Let’s put it this way: If a candidate that matched all criteria on the job description suddenly walked through your door, would you forgo the interview and hire them on the spot? Hopefully not, because there are certain intangibles you should take into account. Yes, that person matches everything on the description, but do they really want to work for your business specifically? Because a bad hire that matches all the requirements on the description, well that can ultimately be more toxic than something who has the potential to live up to those requirements.

Building Diversity, Equity, and Inclusion (DEI) hiring practices into your program, and being thoughtful with the words you use when crafting job descriptions and the requirements listed on them can create the wiggle room that non-ideal candidates might need to feel invited to apply and interview.    

The un becomes the usual

That section header doesn’t refer to any one thing discussed above. It’s a collection of considerations and practices that aren’t “un” because they’re so irregular, rather because none of them are the first thing a hiring manager might think to do when looking to fill a role. One of these considerations may be the second or third thing that comes to mind. But, by making these hiring practices more of the “usual way” to secure talent for open roles, you may experience significantly less churn and find the individuals that become the cherry on top of your SOC.    

You can learn more in our new eBook, 13 Tips for Overcoming the Cybersecurity Talent Shortage. It’s a deeper dive into the current cybersecurity skills gap and features steps you can take to address it within your own organization. You can also check out the previous entry in this blog series here.