Hiring the Right Information Security Leaders for Your Organization

With October recognized as Cybersecurity Awareness Month, it is a great time to train employees on how to stay safe, but it is also an opportunity to reflect on how to solve the problem for those employees, before they have to deal with them. As with every equation, there are always two sides and while it can be easy to blame users when they fall victim to scams and attacks, we also need to examine how we build and staff security teams.

Whether or not Albert Einstein said it as he's oft-quoted, "The definition of insanity is doing the same thing over and over and expecting different results" aptly applies to the mindset of hiring information security professionals. This conversation comes up frequently among CISOs and security leaders, and the lines tend to be very rigid regarding certifications, education, background, and job descriptions in general.

My experiences may differ from others, but my 25 years in information security have given me a good sample size to see what works and doesn't work. These principles apply whether leading large security groups or starting small and building them from the ground up—both of which I've had the honor of doing throughout my career. They are also industry-agnostic, applying to nearly every vertical. Hopefully, my thoughts on these areas will help encourage others to pause and reconsider the status quo as we fight the battle against cybercrime.

I'm a massive proponent of formal education. It teaches discipline and helps hone writing skills to more successfully articulate and defend a position. I think education is a lifelong endeavor and value it so much that I went back to school to get my M.B.A. well into my career. However, when determining if someone will be a good cybersecurity professional, I don't believe a formal degree should limit the talent pool.

People take different paths in life, and some of those paths are deliberate, while others are due to circumstances beyond their control. One of the most brilliant individuals to ever work for me dropped out of college because a family illness forced him to change priorities. No amount of top-tier computer science education could match his passion and ability to solve complex security problems.

Not only that, but what is learned in college quickly becomes dated over time. For example, when I started college, Windows 3.1 was the latest version of Windows, but now I'm dating myself. You would be hard-pressed to find any employers looking for someone with Windows 3.1 experience. Instead of eliminating candidates without a degree, look for other clues about their passion for cyber or their intangible lessons from life experiences.

Certifications can be a great entry point into a cybersecurity career for those who may lack a formal education, or they can help someone move into a different role. That said, not all certifications are equal and range from hands-on certifications like the ones from Offensive Security to entry-level tests like the Security+ certification.

I'm a big fan of certifications, and in full disclosure, I've achieved more than 15 different ones throughout my career. I encourage my staff to get new certifications when they desire, but when it comes to hiring, a certification tells you a candidate is good at taking tests. It doesn't convey their ability to do the job or overachieve in their career. If you want to delineate candidates from a technical perspective and need to assess specific skills, consider a 'capture the flag' simulation rather than relying on the certifications they have achieved.

While this is a popular topic, I'm going to go in a bit of a different direction with this one. Diversity can mean different genders and ethnic backgrounds. I think those are vital, but just as significant are the other differences that make each of us unique.

One of my best hires was someone from an audit, accounting, and risk background. She didn't have any security experience but she understood risk management and brought other skills that helped improve the team. She also was able to look at things from a different perspective, which helped us from falling into the rut of the status quo. When hiring, I highly recommend looking at candidates who have a unique background to see what unique experiences they bring and how they can push your team to be better.

The other trap companies fall into is only hiring from within the same industry. It amazes me how often healthcare, technology, and financial services companies in particular will favor the candidate from a similar company. If every team member only ever worked in banking, thinking outside of the box would be more challenging. Look for qualified individuals that come from a variety of backgrounds, experiences, and industries. Assess where the team has weaknesses and hire individuals that possess those attributes and skills as core strengths.

Expectations equate to how you write the job description. If a company needs to hire an entry-level security analyst, it's not realistic to expect ten years of experience or a plethora of certifications. Do you really need to have a PhD or MBA to do the job? Do they have to have the CISSP certification to be successful in the role?

Write job descriptions that will give you the broadest reach and the ability to find high potential candidates. I believe the cybersecurity labor shortage is more of an expectation gap than a true lack of qualified candidates. If you set expectations significantly above what is needed to get the job done successfully, it will take forever to find the perfect candidate. If you do happen to find that unicorn, chances are you won't be able to afford them, or they won't stay that long because there will be a long line of suitors already approaching them on LinkedIn, offering even more money than you did. While it's more work to comb through candidates, a realistic job description will give you a better chance of finding someone that can grow within the organization and stay long-term, ultimately providing more benefit to the company.

Ultimately, finding the best information security professionals for your organization is about a mix of these things—creating clear expectations for the role, looking for the right mix of education and experience, and being willing to look outside the box for the right candidate. In my career, I’ve hired a number of qualified employees who didn’t necessarily have a traditional security background, but who had transferable skills and a love of learning, both qualities that I look for when building my team, and which I encourage others to seek out as well.

Interested in working at Abnormal? Check out our open roles and apply today.