Cybersecurity Hiring Manager Handbook

Ideals

Why We’re Losing the War on Cybercrime

We’ve all seen the statistics by now. According to the US Department of Commerce, there are over half a million unfilled cybersecurity jobs in the US. Around the world, the numbers are even greater, with an estimated 3.5 million jobs unfilled. There’s a huge cost to these unfilled positions. According to the FBI’s 2020 Internet Crime Report, cybercrime cost businesses and private citizens an estimated $4.2 billion in 2020 alone. And that’s just the reported crimes!

A lack of investment from senior decision makers is the main contributor to this problem. There are simply not enough people in information security. Companies are not investing in training the next generation of security professionals. When companies DO invest in security, they hire people with years of experience doing the same work. These companies are trying to solve their security needs by taking talent from everyone else! This just isn’t sustainable in the long run.

Most senior decision makers STILL do not understand the importance of cybersecurity. They don’t invest in it at their companies. Some simply do not understand the risk of cybercrime to their organization. Others think things like “breaches happen to other companies, not us”, “who would want to attack us?” or “we don’t have any data that anyone would want to steal”.

So what ends up happening? Well, these executives hire one or two people to do security for their entire company. Think about this for a moment. How many of your peers work on a small team of one, two, or three people for a company that has one, two, or three hundred people? We know some people in that situation, and we’re willing to bet that you do as well. In fact, we know of many companies, even some Fortune 500 companies that only have a handful of people doing security as their full time job.

If we’re serious about winning the war on cybercrime - not just as business leaders - but as individuals that genuinely care about protecting our friends, family, and community - the way we recruit and hire the current and next generation of cybersecurity professionals must change. We must stop:

The current way of hiring in security is a losing strategy. We need a new approach and a new mindset - to build great teams and build the next generation. And we need to do this NOW, not next week, not next year, and not in five years. The folks that we select and train TODAY will be the experienced defenders that we need tomorrow.

The Role and Roles of the Modern Cybersecurity Team

Cybersecurity has grown and evolved from being a purely technical trade to being one that works alongside the business to help achieve shared goals. The responsibilities of cybersecurity now span all business functions and verticals, because security risk exists across all business functions and verticals, not just within IT or Engineering.

Cybersecurity exists to protect the confidentiality, integrity, and availability of our business systems and data. However, that’s not all. A great cybersecurity team also helps its organization innovate and operate in a secure environment. We’re here to enable the business, and to show them how to achieve their goals securely.

Good security helps the bottom line, while reducing the cost and burden of unnecessary risk.

To be successful as security professionals, we must be great at two things: understanding security and understanding the business. And as a security leader, you must mold both your security program and your team to align with your company’s needs and objectives.

So how do we build a successful team in today’s world?

What is the recipe for a winning modern cybersecurity team?

Think about some of the greatest sports teams from around the world. They always have two elements: a great coach, and team members that work really well together. If you look closely, every great sports team really only has one or two star players on its roster; the rest are role players. But when great teams come together, they win.

Like great coaches, great business leaders take time to self reflect. They think about ways of improving themselves in order to help their team and those around them.

Now let’s reflect on your team.

In order to build a winning security team, you’ll need these two elements - a great leader - hopefully you - and team members of all different roles and abilities that can come together to accomplish the goal of protecting and managing risk for the business.

How to Think about Finding Candidates

How will you find candidates to fill open spots on your roster?

You need a hiring strategy, if you don’t have one already.

If your strategy is to hire people who are easy to manage and immediately ready to work then you’ll want to screen candidates for industry expertise, years of experience, and hard skills. This is a very traditional approach and it’s the dominant hiring strategy used by most organizations.

If you want to take the traditional approach, and you want to go deeper than what’s covered in this Handbook, get the book by Mark Horstman called “The Effective Hiring Manager”. It’s full of excellent insight, advice, and tools for how to do it.

But there are downsides to this strategy. What if:

There is an alternative strategy which is to hire for talent. This means to search for people who have the “valuable skills that you can’t teach”. With this approach, you screen for attributes like resiliency, adaptability, or curiosity. You also check for technical aptitude, culture fit, and a minimum amount of technical skills.

If you want to take the talent approach, the book to get if you want to go deeper than what’s covered in this Handbook is “The Talent War” by Mike Sarraille, George Randle, and Josh Cotton.

These two hiring strategies are not mutually exclusive. There are times when you may need to hire for skill, such as a temporary assignment with work that’s highly technical and highly specialized. And there are other times when you need to hire for talent, like when you want and expect someone to work with you for a long time.

No matter which hiring strategy you choose, you need to know if and when your hiring philosophy lines up with your organization’s hiring strategy.

Just as you need to choose a hiring strategy, so does your organization. If the strategy of your organization, as pursued by your human resources (HR) department, is to hire primarily for experience and hard skills, you shouldn’t expect to get much support from them if you choose to hire for talent. In fact, in that situation, you may need to actively work to minimize HR involvement in your hiring activities.

The opposite may be true as well: If you only hire for experience and skills, but the HR focus is on talent, you can expect to clash with them and you’ll need some way to cope with the conflict.

You Should Hire for Talent as much as Possible

Our belief is if we’re going to win in the future, we need to start hiring for talent today. We need to hire people who have an amazing ability to learn, have critical thinking skills, empathy, and emotional intelligence. We want to hire people who don’t check off all the boxes. We want to GIVE people with talent a chance.

Now you might be asking: What are the benefits of hiring for talent? When you hire for talent, what you’re actually doing is - you’re getting to know someone at their most basic level. You’re getting to know them at the CORE of who they actually are.

And yes, even though hiring for experience is easier in the short term, hiring for talent is BETTER in the long term. Hiring for talent is BETTER because a person with talent will be a better fit for the job, your team, and your company. When you hire for talent, you have to figure out what is great about that person - their drive, their ambition, their ability to think critically. You have to learn about each INDIVIDUAL, and how they could each be an amazing team member.

Sure, hiring for experience is far easier. You have a list of requirements on a job description, and you match it up to the person’s resume. Check, check, check. Nothing difficult about hiring for experience at all. But when you hire for talent, now you have to put in some work. Because NOW, you have to really dive into WHO the person is and figure out their ability to adapt to the job, your team, and your company.

Hiring for experience means less upfront training, less mentorship, and less guidance. Experience means efficiency and immediate return on investment. Hiring a candidate with experience doing a certain job guarantees that you’ve got someone who’s done the work doing the work, almost as soon as that person joins the team.

But the number of unfilled jobs in our industry won’t ever be solved by hiring people away from other companies. This is not a problem that we can solve just by outpoaching one another. We can’t just hire people that are already doing the job. We need to hire people that can learn HOW TO DO the job.

Dispelling Common Myths in Cybersecurity

Despite our encouragement to hire for talent, you may still be resisting the idea. If so, ask yourself “why”? Is it because you’ve bought into some common myths about who makes a great candidate? Let’s explore a few now and see if we can bust each one.

Myth #1: You must have years of experience first

Let’s talk about some common phrases heard around our industry, such as, “You must have years of experience before getting into cybersecurity.” and “Cybersecurity is not an entry-level job.”

There is plenty of junior-level security work to go around: asset management, data discovery, documentation, filling out security questionnaires, scrubbing out false positives. I could fill a half dozen jobs with the things I wish I had more help with. If there were more junior cybersecurity opportunities, we’d have legions of experienced senior cybersecurity professionals in just a few years. So if there’s work to be done, why do so few entry-level opportunities exist?

You’ll see evidence of this shortage in almost every “entry-level” job posting for cybersecurity, which commonly asks for years of experience and a litany of industry certifications. Do years of experience always equate to competency? Of course not!

Someone who has worked the same low-level job for 15 years may be considered for a senior role simply because of their “years of experience”.

Compare that person with someone who started in cybersecurity a year or two ago. This person may be an incredible learner, is handling multiple tasks and responsibilities, and is just knocking it out of the park. This person wouldn’t qualify for more challenging roles because of the arbitrary “years of experience” requirement. Tell me, who would you rather hire? The person who has done the same job for 15 years, or the person who has handled multiple responsibilities in two?

If you’re looking for competency, asking for “any number of years’ experience” isn’t going to guarantee you anything.

So instead of asking for years of experience in a candidate, look for the ability to learn and apply new concepts. Find candidates that have learned from their past mistakes. And above all, look for those with the humility to learn things that they don’t know. Because with guidelines, best practices, frameworks, and someone to show them the ropes, the next generation CAN learn and become the experts that we need in the future.

Myth #2: Cybersecurity is difficult to learn

Another common myth that I see in the security industry is: “Cybersecurity is difficult to learn.”

Now I will say, this wasn’t a myth a decade or two ago. Cybersecurity was difficult to learn, because the industry was still in its infancy. We lacked basics, like a shared vocabulary, real world examples, and practical experience. There weren’t as many resources as we have today.

The first few decades of any industry are peppered with visionaries, inventors, and philosophers, who work together to build industry principles. Documentation and peer review are scarce, learning tools are few and far between, and expertise is limited. This was true of our industry as well.

But today, there are whitepapers, control frameworks, protocols, algorithms, and a litany of other freely-available resources for anyone looking to learn cybersecurity. The security industry has evolved. It is now much easier to learn about security, because there are more resources to learn from.

Do you still learn new things about security? Of course, the answer is Yes! Technology is ever-changing and evolving, and security must also be ever-changing and evolving.

When you come across a new concept or technology, how do you learn about it? Do you turn to existing guidelines, principles, and best practices?

I also hope your answer is Yes! You don’t want to be making up security as you go along. Guidelines, principles, and best practices exist for good reason.

Here’s what I’m saying. Everything in cybersecurity can be learned. After all, you and I both learned it, didn’t we? Someone taught us, or wrote a book, or put together a framework that we used. We didn’t just wake up one day and know all the stuff that we know.

There is one real difference between previous generations and the people trying to land a role in cybersecurity today. The next generation is very technically savvy. They are what we call “digital natives”. They are so used to technology and basic security practices like passwords or 2FA that learning new security concepts is not a big stretch for them.

The next generation is very comfortable with technology and is extremely resourceful when it comes to finding answers. If you remember, before the internet, we had to visit a library if we ever wanted to learn anything new.

Which is why “Cybersecurity is difficult to learn” is a myth. Cybersecurity is NOT difficult to learn. After all, we who are currently IN cybersecurity are learning new things every day. And so it is with the next generation as well.

Myth #3: You need “IT Fundamentals”

Databases, networking, coding, hacking skills - these are the “IT Fundamentals” that are often thought of as necessary for a career in cybersecurity. But is this really true? Do you really need to know databases, networking, and coding in order to begin a career in cybersecurity? Of course not.

Remember the goals of Information Security: Confidentiality, Integrity, and Availability. Information Security is understanding, managing, and mitigating the risk of our critical data being disclosed, modified, or made unavailable. These are the fundamental principles of Information Security.

What’s needed in order to achieve the fundamentals of Information Security? In every major framework, from the NIST CSF and ISO 27001/27002 to the CIS Critical Security Controls, the fundamentals include asset management, configuration management, change management, and data discovery.

Put another way, the foundation of good information security can be boiled down to one simple phrase. “You can’t protect what you don’t know about!”

Do you need to know databases, networking, and coding to do asset management, configuration management, change management, or data discovery? The answer is, and always has been, No. This is why the myth of “needing IT fundamentals” fails the reality check. You simply need a curious mind and - in many cases - a spreadsheet.

Companies and organizations that focus on the fundamentals will always do better than companies that do not. The fundamentals might not seem glamorous, sure, but they are absolutely necessary.

I’ve been in security & technology for over 20 years, and I only have formal training and deep experience in a few domains. Whenever I have questions on something I don’t know, I rely on the experts around me and together we win.

Reflection: What other common myths can you think of?

There are many things in cybersecurity that are assumed to be true simply because they are repeated so often. We hear them so frequently that we assume they are true, but in reality they might actually be myths.

You’ve just learned about three common myths in security and why they are not true:

First, we discussed the myth that “You must have years of experience before doing security”. It is false because there is entry-level work in almost every security domain.

Then, we challenged the myth that “Cybersecurity is difficult to learn”. It is false because anything can be learned if you have the right resources and put in the right amount of effort.

Finally, we examined the myth that “You must know IT fundamentals first”. It is false because the “fundamentals” of information security are asset management, change management, configuration management, and data management. You don’t need in-depth knowledge of networking, coding, or databases to do any of these.

Let’s now challenge some other assumptions in cybersecurity. Take out a sheet of paper and a pen. Write down some “truths” that you’ve heard of over the years that you’d like to challenge.

Great. Now that you have your list of assumptions that you’d like to challenge, think about WHY the assumption exists. Like our first myth: “You must have years of experience before doing security”. Think about WHY this assumption exists. Give it a critical eye.

Now ask yourself, if the opposite of this assumption is true, what evidence would you expect to see?

For example, if the opposite of “You must have years of experience before doing security” were true, what would you expect to see?

Well, I would expect to see entry-level work as part of every security team’s job responsibilities. Which is what I do see.

Continue to think about what you would expect to see if the opposite of each assumption you listed were true. If you’re able to write down any evidence supporting the opposite of the assumption, congratulations! You’ve just shown that the assumption is not a universal truth, which is exactly what makes it a myth.

Unfinished topics for this chapter–please contribute

  1. The unique hiring challenges facing cybersecurity managers
    1. Continuously evolving field
    2. Job demand far higher than the supply of candidates
    3. Plenty of eager but unqualified candidates
  2. How a great team sets you up to become an influencer within your organization
    • Should we define influencer? Influencer within IT? Influencer of the corporate culture? Influencer of the execs? Influencer within the InfoSec community? All of the above?