How to Hire and Retain Qualified Cybersecurity Professionals - Part 2

The commentary below is an excerpt from a longer white paper being produced by the Silent Sector team on how to hire and retain quality security resources and, by extension, IT resources. This excerpt addresses finding and hiring IT and security professionals.

The Issue:
Currently there are far more open IT jobs than there are qualified IT resources to fill them. This has created a seller's market and has put the job market in the hands of the IT professionals, not the employers. Regardless of the market, however, most IT organizations are running very lean teams, and security, since it is not part of IT operations or the "Keep The Lights On" (KTLO) team, often runs leaner than the rest of the IT organization. Meanwhile, security threats are increasing exponentially in quantity and complexity, and qualified IT and security staff are scarce. By the year 2021 it is estimated that there will be 3.5 million unfilled cybersecurity positions, and the annual cost of cybercrime is estimated to be nearly 6 trillion dollars.

How do you find good resources?
Technologists in different stages of their careers want different things, but we will focus on the common threads. Work-life balance may not mean anything to a single 20-something, but it means a hell of a lot to a 30- or 40-something married professional with two small kids.

There are three general stages of an IT career: Beginner, Mid-level, and Senior. For the purpose of this document these are chronological stages, not necessarily knowledge-based ones; however, there is a correlation between the two. I have taken examples from my own career choices at each phase to illustrate.

As a newly minted MCSE, my first real IT-only gig was on a contract working and traveling for a hotel chain: running cable, installing and patching servers, installing MS Office, and general onsite help desk, with some Y2K prep work thrown in for good measure. I took this job for the chance to get some experience on my resume and make some money, and for the opportunity, challenge, and travel.

I had an opportunity with a company that was not local, not regional, but national - the big time with big pay days! Travel with the corporate card to exciting places like New York, LA, San Francisco, Seattle, Las Vegas, Atlanta... Cleveland, Des Moines, and Pittsburgh. I loved the job when I started: I enjoyed the tech, my team, the pay and bonus based on my performance, plus bonuses for extending engagements. However, when I was forced to take more of a management role, I spent more time in meetings than with the technology. When it got to the point that I knew the airport gate agents by name at multiple airports, could tell you a hotel chain by looking at a fabric swatch, and had slept in multiple airports due to missed or cancelled flights, I knew it was time for something else.

I moved in-house, and my last several jobs prior to starting Silent Sector were quite often lateral moves with large companies. I got new titles, more money, work-from-home opportunities, and little to no travel. Plus, as I aged, benefits and 401(k)s began to matter more and more. I was less willing to entertain the idea of equity trades for work. The one thing I enjoyed was having the ability to be a technology influencer and decision maker. The ability to work from home and quality of life meant more than other aspects of the job as I moved forward in my career. However, the continual politics and poor decisions being made by some of the management always caused me to move on, in search of better corporate cultures.

What does an ideal IT employee want?
There are common threads running through the stories above. In fact, the only true difference in many of the qualities is the weight each one carries in the decision of whether to take a position with company A or company B. You may have noticed that compensation wasn't even a factor in the decision on my first position.

  1. Compensation is important, but not always the most important thing; keep in mind that most technical people were technical long before they were employed. Do not, however, discount the weight of this factor.
  2. Good working environment. Remember there are sites like Glassdoor and LinkedIn that will give your prospective employee a window into your company and its working environment. Numbers 2-4 tie together.
  3. Politics or the lack thereof? This ties into the environment in which the resource will work. An old friend who spent years as a corporate trainer told me, based on his years of analysis, that technical people like IT people or engineers as a whole have little to no tolerance for palace intrigue or company politics.
  4. Respect - Not just respect from peers, but also support in their decisions by management and senior management.
  5. Exposure to new technologies - Am I on the bleeding edge, or is this company a late adopter, and what does that mean to my resume if I am 3 years behind everyone else?
  6. Training - Is the company investing in training and building my skillset, as well as supporting my certification requirements?
  7. Travel - This is subjective to the individual, but travel becomes more of a negative as a career advances (although that depends on the amount of travel); everyone loves the occasional trip or out-of-state conference.
  8. The ability to impact the technical direction of the company
  9. Stability in the job becomes more important towards mid and senior career
  10. Opportunity for advancement and job growth become less important after mid-career
  11. Work-life balance becomes more important as the professional's career advances. Work-from-home opportunities should be extended to your senior employees. Work-from-home rights are earned through experience on the job, not handed to newbies; this gives the newbies something to work toward.

Soap Box moment:
If you will indulge me, this is something that we feel passionate about at Silent Sector, and it ties into #2-4 above:
Security and technical resources must be treated respectfully by all departments. I can't tell you how many meetings I have been in when an application or security SME is shouted down or treated poorly by employees (especially management or PMs) outside their reporting structure. All too often their manager silently lets their resource take the abuse. Your technical resources are the experts on your technology. They know what is right from a technical perspective far better than a non-technical resource who outranks them only by virtue of a Director, Manager, or VP title. Plus, your security professionals have very valid reasons for asking the questions they do and for insisting on specific requirements for new software.

The Search:
There are canned lines you can find in any internet search. In just 0.55 seconds using Google, I found 372,000 simplistic hiring statements such as:

  • "Build retention policies"
  • "Improve your hiring process"
  • "Find the right match"
  • "Show your employees the future"
  • "Make sure they fit your culture"
  • "Make sure they're passionate about your company"

...but what exactly does any of that mean? 

Arguably, those simple statements are subjective to the individual employee and industry. I will call out 3 points I happen to agree with from (comments added are mine):

  1. They want more - They are not satisfied doing the minimum and are not looking to just skate by; they want to be successful.
  2. They're weird - Let the freak flag fly and let's be creative! This creativity, believe it or not, is especially critical in security and software development.
  3. They like to prove others wrong - That generally means they are creative, confident, have an ego, and will figure out a way to make their ideas successful. The downside is that unless you keep this person challenged, and they know their input is respected and listened to, they will quickly move on to another company or will simply revert to miserably doing the minimum until they can find another gig. One caveat: this can also be negative and disruptive if they do not have the talent to back up the attitude, or if it is not managed properly.

Another common line in the "how to" web pages is aptitude testing. Ask yourself, "Is the solution to finding a good employee to perform aptitude testing?" Not everyone responds well to standard tests. A better measure may be to see if they hold a certification that requires verification of their work history. In security this would include certifications like the CISSP, CRISC, or CISA. ISC2 and ISACA have already figured out whether they are qualified for you. This is quick proof that the candidate can do the job.

Another common thread is to check out the prospective employee's social media. I personally find that a little creepy; how would you feel if they checked out yours? That being said, one caveat on social media: if you do review it as part of the interview/hiring process, keep in mind that a prospective employee who engages in social media extensively and posts extensive personal information is a ripe target for social engineering attacks and could potentially be a weak link in your security team. When you check out the social media of a potential employee, look beyond the posts where they are doing a keg stand at the lake and look at what they are posting. Are their name, address, phone number, parents' and kids' names, pet's name, birthdates, etc. posted on Facebook, Twitter, or Instagram? If so, that would indicate this is someone who doesn't know how to protect their own PII (Personally Identifiable Information) or their HC (Highly Confidential) data. Are they going to protect yours?

Generalities, but certainly not one size fits all!

  1. Define the career stage of the resource you are looking for; this will allow you to target your search.
  2. Networking - Get out of the office and go to an ISACA, ISSA, or ISC2 meeting or one of the many IT groups, and observe and engage the attendees. You might make some great connections.
  3. Narrowly defined job postings will at least get qualified applicants' attention. If your job req asks for someone who knows Perl, Splunk, Metasploit, Sophos, Palo Alto, and Windows Server and is a PCI or SOX expert, you may get applicants, but not necessarily the best, since the person with all of these skills probably doesn't exist, or their knowledge is too shallow in those areas to be an expert. In short, be specific about what you are looking for in an employee.
  4. In your ad, call out that you will PROVIDE TRAINING - This is in all caps for a reason. If you cannot afford training, at the very least allow your team to get their CPE (Continuing Professional Education) and pay them for their time out of the office for the CPE. If you want resources with security certifications, you need to be aware that there are annual CPE requirements to maintain them. Support your employees and protect your company by allowing time to obtain their CPE. Please keep in mind that security is not static; there are real-life bad guys called cyber-criminals who are trying to steal your stuff, your client's stuff, or your compute power. It is an absolute imperative that your security staff stay current on trends, technologies, risks, and new security techniques.
  5. People are less willing to relocate out of state or even commute long distances for a new position, so consider remote work when you can't find a resource in your city. Smaller cities like Milwaukee, Pittsburgh, Cleveland, Tucson, Mobile, and Cheyenne may not have the depth and quality of resources needed, and someone from LA, San Francisco, Phoenix, or Chicago may not want to move there. Conversely, with the shortage of qualified security staff nationwide, larger cities don't have all the talent they need either and may find it in smaller markets.
  6. Look at what your competitors are offering and do better. For example, an extra 3-5 sick or vacation days goes a long way and doesn't cost anything.
  7. Advertise the best qualities of your company: sick/vacation days, flex schedule, 401(k) with matching, quality restaurants, bars, and housing close to the office, etc.
  8. In this economy you need to sell your company to the prospective employee, especially if you can't be at the top of compensation.
  9. Describe the successful person, not just the job applicant.
  10. Employee referrals - Ask your team first when a new req opens. If they don't know anyone outside the office, there might be another issue to address with your corporate culture.

It has been shown many times that putting IT and security professionals through the same standard hiring process as other positions is ineffective and leads to more problems down the road. While there is no perfect formula for finding the ideal IT professionals to fill needed roles in your organization, taking the time to redefine your hiring approach will pay off exponentially in terms of retention, savings, effectiveness, and an overall better culture within your department.

About the Author

Written by Michael Rotondo

Senior IT resource with experience in all aspects of IT, from entry-level help desk to Architect, who lived and thrived through the DOT COM era and crash. CISSP - Certified Information Systems Security Professional, CRISC - Certified in Risk and Information Systems Control, CEH - Certified Ethical Hacker, CPT - Certified Penetration Tester, PCIP - PCI Professional.