Hiring the Right Information Security Leaders for Your Organization

October 18, 2021

With October recognized as Cybersecurity Awareness Month, it is a great time to train employees on how to stay safe, but it is also an opportunity to reflect on how we solve security problems for those employees before they ever have to face them. Every equation has two sides, and while it is easy to blame users when they fall victim to scams and attacks, we also need to examine how we build and staff the security teams meant to protect them.

Whether or not Albert Einstein actually said it, the line often attributed to him, "The definition of insanity is doing the same thing over and over and expecting different results," aptly describes the prevailing mindset around hiring information security professionals. This conversation comes up frequently among CISOs and security leaders, and the lines tend to be drawn very rigidly around certifications, education, background, and job descriptions in general.

My experiences may differ from others', but 25 years in information security have given me a reasonable sample size for seeing what works and what doesn't. These principles apply whether you are leading a large security group or starting small and building one from the ground up, both of which I've had the honor of doing throughout my career. They are also industry-agnostic, applying to nearly every vertical. I hope my thoughts on these areas encourage others to pause and reconsider the status quo as we fight the battle against cybercrime.

The Need for Education

I'm a massive proponent of formal education. It teaches discipline and helps hone writing skills to more successfully articulate and defend a position. I think education is a lifelong endeavor and value it so much that I went back to school to get my M.B.A. well into my career. However, when determining if someone will be a good cybersecurity professional, I don't believe a formal degree should limit the talent pool.

People take different paths in life, and some of those paths are deliberate, while others are due to circumstances beyond their control. One of the most brilliant individuals to ever work for me dropped out of college because a family illness forced him to change priorities. No amount of top-tier computer science education could match his passion and ability to solve complex security problems.

What is learned in college also dates quickly. When I started college, Windows 3.1 was the latest version of Windows, which admittedly dates me. You would be hard-pressed to find an employer looking for Windows 3.1 experience today. Instead of eliminating candidates without a degree, look for other evidence of their passion for security and the intangible lessons they have drawn from life experience.

The Benefits of Certifications

Certifications can be a great entry point into a cybersecurity career for those who lack a formal education, or they can help someone move into a different role. That said, not all certifications are equal: they range from hands-on practical exams like those from Offensive Security to entry-level multiple-choice tests like CompTIA Security+.

I'm a big fan of certifications, and in full disclosure, I've earned more than 15 of them throughout my career. I encourage my staff to pursue new certifications when they want to, but when it comes to hiring, a certification mainly tells you that a candidate is good at taking tests. It doesn't convey their ability to do the job or to excel in their career. If you need to differentiate candidates technically and assess specific skills, have them demonstrate those skills directly, for example through a capture-the-flag (CTF) exercise or a hands-on lab that mirrors the actual work of the role, rather than relying on the certifications they have achieved.

The Importance of Diversity

While this is a popular topic, I'm going to go in a bit of a different direction with this one. Diversity can mean different genders and ethnic backgrounds. I think those are vital, but just as significant are the other differences that make each of us unique.

One of my best hires was someone from an audit, accounting, and risk background. She didn't have any security experience, but she understood risk management and brought other skills that strengthened the team. She was also able to look at problems from a different perspective, which kept us from falling into the rut of the status quo. When hiring, I highly recommend considering candidates with non-traditional backgrounds to see what experiences they bring and how they can push your team to be better.

The other trap companies fall into is hiring only from within their own industry. It amazes me how often healthcare, technology, and financial services companies in particular favor the candidate from a similar company. If every team member has only ever worked in banking, thinking outside the box becomes much harder. Look for qualified individuals who come from a variety of backgrounds, experiences, and industries. Assess where the team is weak and hire people who have those attributes and skills as core strengths.

Why We Need to Create Clear Expectations

Expectations are set by how you write the job description. If a company needs to hire an entry-level security analyst, it's not realistic to expect ten years of experience or a long list of certifications. Does the role really require a PhD or an MBA? Does the candidate really need a CISSP, a credential that itself requires years of professional experience to hold, to be successful in the role?

Write job descriptions that give you the broadest reach and the best chance of finding high-potential candidates. I believe the cybersecurity labor shortage is more an expectation gap than a true lack of qualified candidates. If you set expectations significantly above what is needed to do the job well, it will take far longer to fill the role. If you do happen to find that unicorn, chances are you won't be able to afford them, or they won't stay long, because a line of suitors will already be approaching them on LinkedIn offering more money than you did. While it takes more work to comb through candidates, a realistic job description gives you a better chance of finding someone who can grow within the organization and stay long-term, ultimately providing more benefit to the company.

Finding the Right Cybersecurity Employees

Ultimately, finding the best information security professionals for your organization comes down to a mix of these things: creating clear expectations for the role, looking for the right blend of education and experience, and being willing to look outside the box for the right candidate. In my career, I've hired a number of qualified employees who didn't have a traditional security background but who had transferable skills and a love of learning. Those are the two qualities I look for when building my team, and I encourage others to seek them out as well.

Interested in working at Abnormal? Check out our open roles and apply today.
