Hiring the Right Information Security Leaders for Your Organization

October 18, 2021

With October recognized as Cybersecurity Awareness Month, it is a great time to train employees on how to stay safe, but it is also an opportunity to reflect on how to address the problems those employees face before they have to deal with them. Every equation has two sides: while it can be easy to blame users when they fall victim to scams and attacks, we also need to examine how we build and staff security teams.

Whether or not Albert Einstein said it as he's oft-quoted, "The definition of insanity is doing the same thing over and over and expecting different results" aptly applies to the mindset of hiring information security professionals. This conversation comes up frequently among CISOs and security leaders, and the lines tend to be very rigid regarding certifications, education, background, and job descriptions in general.

My experiences may differ from others, but my 25 years in information security have given me a good sample size to see what works and doesn't work. These principles apply whether leading large security groups or starting small and building them from the ground up—both of which I've had the honor of doing throughout my career. They are also industry-agnostic, applying to nearly every vertical. Hopefully, my thoughts on these areas will help encourage others to pause and reconsider the status quo as we fight the battle against cybercrime.

The Need for Education

I'm a massive proponent of formal education. It teaches discipline and helps hone writing skills to more successfully articulate and defend a position. I think education is a lifelong endeavor and value it so much that I went back to school to get my M.B.A. well into my career. However, when determining if someone will be a good cybersecurity professional, I don't believe a formal degree should limit the talent pool.

People take different paths in life, and some of those paths are deliberate, while others are due to circumstances beyond their control. One of the most brilliant individuals to ever work for me dropped out of college because a family illness forced him to change priorities. No amount of top-tier computer science education could match his passion and ability to solve complex security problems.

Not only that, but what is learned in college quickly becomes dated over time. For example, when I started college, Windows 3.1 was the latest version of Windows, but now I'm dating myself. You would be hard-pressed to find any employers looking for someone with Windows 3.1 experience. Instead of eliminating candidates without a degree, look for other clues about their passion for cyber or their intangible lessons from life experiences.

The Benefits of Certifications

Certifications can be a great entry point into a cybersecurity career for those who may lack a formal education, or they can help someone move into a different role. That said, not all certifications are equal and range from hands-on certifications like the ones from Offensive Security to entry-level tests like the Security+ certification.

I'm a big fan of certifications, and in full disclosure, I've achieved more than 15 different ones throughout my career. I encourage my staff to get new certifications when they desire, but when it comes to hiring, a certification tells you a candidate is good at taking tests. It doesn't convey their ability to do the job or overachieve in their career. If you want to delineate candidates from a technical perspective and need to assess specific skills, consider a 'capture the flag' simulation rather than relying on the certifications they have achieved.

The Importance of Diversity

While this is a popular topic, I'm going to go in a bit of a different direction with this one. Diversity can mean different genders and ethnic backgrounds. I think those are vital, but just as significant are the other differences that make each of us unique.

One of my best hires was someone from an audit, accounting, and risk background. She didn't have any security experience, but she understood risk management and brought other skills that helped improve the team. She was also able to look at things from a different perspective, which kept us from falling into the rut of the status quo. When hiring, I highly recommend looking at candidates who have a unique background to see what unique experiences they bring and how they can push your team to be better.

The other trap companies fall into is only hiring from within the same industry. It amazes me how often healthcare, technology, and financial services companies in particular will favor the candidate from a similar company. If every team member had only ever worked in banking, thinking outside of the box would be more challenging. Look for qualified individuals who come from a variety of backgrounds, experiences, and industries. Assess where the team has weaknesses and hire individuals who possess those attributes and skills as core strengths.

Why We Need to Create Clear Expectations

Expectations equate to how you write the job description. If a company needs to hire an entry-level security analyst, it's not realistic to expect ten years of experience or a plethora of certifications. Do you really need to have a PhD or MBA to do the job? Do they have to have the CISSP certification to be successful in the role?

Write job descriptions that will give you the broadest reach and the ability to find high-potential candidates. I believe the cybersecurity labor shortage is more of an expectation gap than a true lack of qualified candidates. If you set expectations significantly above what is needed to get the job done successfully, it will take forever to find the perfect candidate. If you do happen to find that unicorn, chances are you won't be able to afford them, or they won't stay that long because there will be a long line of suitors already approaching them on LinkedIn, offering even more money than you did. While it's more work to comb through candidates, a realistic job description will give you a better chance of finding someone who can grow within the organization and stay long-term, ultimately providing more benefit to the company.

Finding the Right Cybersecurity Employees

Ultimately, finding the best information security professionals for your organization is about a mix of these things—creating clear expectations for the role, looking for the right mix of education and experience, and being willing to look outside the box for the right candidate. In my career, I’ve hired a number of qualified employees who didn’t necessarily have a traditional security background, but who had transferable skills and a love of learning, both qualities that I look for when building my team, and which I encourage others to seek out as well.

Interested in working at Abnormal? Check out our open roles and apply today.
