CHAPTER 3

Finding the Right Candidates

Both triple-threat movie stars and cybersecurity employees need the “it” factor. It can be a daunting process to find your next box office hit. Andrea developed a strategy for developing the initial talent pool involving multiple pathways:

Andrea: If I have an open role, I’ll reach out to search placement firms most certainly—there are amazing partners there and they have found me some great candidates. I work with some placement firms that know me and what I expect from a member of my staff, because what I look for is the whole package. So they might have the technical chops and amazing skills from that standpoint, but if they’re missing any of the key important soft skills then they’re probably not going to be a fit. I talk about expectations: they can be brilliant on the technical side, but I also need them to be able to speak to our attorneys and to walk the floor and to have that conversation and to understand our business. But even more importantly, I’ll reach out to my network and see if they know anyone they can refer to me, and I’ve found some amazing talent that way. The most important insight is the insight of that from my peer colleagues at other firms, or within the industry.1

She speaks to the technical skills and the behavioral requirements, and how different candidate streams produce results. On one hand, search placement firms (recruiters) need to “know” her and what she expects from her employees. On the other hand, her network offers “insight and input” that is beyond reproach. These systems can function side-by-side, but building the initial candidate pool is difficult and takes hard work. Adam Lee describes it this way:

Adam: Our recruiters do their best to find candidates via LinkedIn, various job boards, career fairs, a SANS pipeline, veterans groups and personal relationships. We have not found the magic pipeline yet. There are simply not enough GOOD cyber folks out there to fill all of our needs.

The “magic pipeline” may be the combination of pipelines. Michael Woodson underscores the way cybersecurity executives need to be integrally involved in the process of finding candidates:

Michael: You have to think outside the box. HR will post a job, and that’s kind of old school. I’ve had to be proactive. When I have an open position I have to go shop, I have to go out to the market. They’re not equipped to do what they should be doing, and that’s been my problem. A generic HR recruiter will not be able to find candidates. You need to have technical knowledge and be proactive. You can’t just post the job and they will come.2

Wheeler Coleman furthers this perspective, advocating for cybersecurity leadership to actively dig into the prospective talent pools:

Wheeler: Whenever I attend conferences, I look forward to the sessions, but I really like to interact with other attendees. I collect many cards, always scouting out talent. Recognizing that there are many people in the security world with talent, I go a step further to conduct behind-the-scenes investigations to find out the reputation of leaders that trigger my interest.3

There are a few keys to the development of an initial cybersecurity talent pool, and our experts above each use them in different ways. First, cybersecurity leadership—whether that’s the CIO, CISO, CSO, or other executive—must be outwardly facing, and involved in the tight knit cybersecurity community. Going to conferences inherently includes the educational aspect, but it importantly includes the networking aspect; leaders should know what is happening in their field, both content-wise and talent-wise. This allows the corporate leaders to ensure that their company culture, vision, and mission are known to potentially interested talent pools, while at the same time seeing what those interested talent pools actually are.

Do You Know What You Want?

Shockingly, some companies may not know who they’re looking for—despite having full and active job postings and “We’re Hiring!” campaigns. Sometimes, completely new skills are necessary, behaviors and talents specific to what your organization is doing—whether that’s migrating to the cloud, building an in-house SOC, or transitioning to new authentication measures. Importantly, due to the evolving nature of cybersecurity, every organization must take a deep dive into what their needs really are. Nick Davis explains how the field has changed and continues to change:

Nick: The work has changed in the past twenty years. It used to be extremely technical in nature. That was the person who was responsible for engineering, architecting, building out, and then day-to-day operational management of information security-related technologies and infrastructure. What that has changed to (and is accelerating now), is that because of the prevalence of cloud service, we’re looking more for people who are able to analyze information security controls, or are able to ask questions about compliance and regulation and governance, and understand how things are built and configured in the standards that they need, rather than actually have the hands-on expertise of running those applications and hardware themselves.4

Frustratingly, companies that need to hire may not have the right tools to figure out who they’re looking for. So they generally fall into the trap of The Big Mistake or banking on Can (without completing the process of Trust–Will). We focus on The Big Mistake in Chapter 4; without giving too much away just yet, this can occur when hiring parties either look for, or are given referrals to, candidates that are “a good fit” or a “great person.” On the other hand, focusing solely on Can, again either through the hiring party’s own searching mechanisms or a referral, only looks at the candidate’s technical skills. Both of these paths lead to random results. While any hires referred to you through someone you trust could succeed, they may be the opposite—and in the end, it’s random and does not take into account who you truly need.

Spotlight: “We Just Can’t Find Good Candidates”

The executive coaching session had just started and the client, the COO (Chief Operating Officer) of a big-city nonprofit, had launched quickly into a frustrated outburst. It seems they had a VP (Vice President) opening which remained unfilled after nearly a year of searching, headhunters, and interviews. During this time, the COO was struggling to do the VP job on top of his own job and was getting increasing levels of criticism for doing both poorly.

As we dug into the problem, it soon became obvious that there were two camps: one thought the salary should be raised, the other thought the best available candidate should be selected. And then there was the CEO who demanded to know, with a certain level of frustration, why a candidate able to deliver on the job requirements (ten out of ten) at the going market rate could not be found? They were stuck arguing and not getting anywhere.

Why should we pay more?

Why should we settle for less than we need?

Why can’t we find good candidates?

Recruiters in the IT and cybersecurity sphere should be well-equipped to help employers understand the market, as it can be overwhelming. Paul Casale,5 Senior Vice President of Recruiting at Mitchell Martin, illustrates the widespread confusion, speaking almost directly to the spotlight mentioned earlier:

Paul: When I’m talking to hiring managers, I’m transparent with them. I may say the things you’re asking for at this rate probably are not going to happen. Are you willing to be flexible on your wish list? They may have a laundry list of skills and experience that they want. When we read the description we may find their price point is lower than what we might be seeing in the market. We may be only able to find three or four of those skills at that rate. Part of our job is market education, especially in the cyber security space. I talked to a manager recently, for the first time, who had an opening that was cybersecurity related and it also had infrastructure and networking components to it. The role was open for eight months. I said you might have to ease up your requirements to find the right person or come up on the rate to get everything you need. And how vital of a need is this if it’s been open this long?6

Sound familiar? Particularly in today’s cybersecurity hiring market, as employment rates are high and skill levels are low, jobs stay open for too long and frustration continues to build. According to CyberSeek,7 a project supported by NICE that focuses on supply and demand in the U.S. cybersecurity job market, there were approximately half a million open cybersecurity job listings from June 2019 through May 2020.8

Job Description

The solution is to begin at the beginning: by clearly establishing what you actually need. If you don’t know what you need, you can’t look for it. And even worse, you won’t recognize what you need in the event you happen to stumble across it by chance. “But,” you reply, “we know what we need—we have a job description.” And that’s where the problems begin. Take a look at your job description. Who wrote it? How old is it? When was it last updated? What does it include?

Well-defined job roles and responsibilities (including both technical and behavioral aspects) set you up for hiring success. Bill Brennan explains the significance of first defining exactly what you need:

Bill: For any company, small or large, it’s about defining what you actually need. We found over time that you might need someone who can run vulnerability scans, or I may need someone who can do computer network defense, or I may need someone who understands how to do security engineering, or I may need someone who understands how to do workforce development. Really understanding what you mean when you say I need a cyber person, whether that’s going to the NICE model or defining it for yourself, massively increases your ability to not only work within your own recruitment, but also search for the folks that have the skills you need.9

The process will vary depending on the entity hiring, as Bill highlights. It follows that clear descriptions of job roles and responsibilities should aid in recruiting. The research shows that professionals in the field of cybersecurity respond better to clearly defined job requirements and descriptions. Lack of specificity is not only a “turn-off” to those with experience, it creates confusion for newbies.10

Job descriptions can be classified into one of three general categories:

1. The industry standard: This version can be developed internally or externally. Internally, it might come from an HR department or maybe from the department that has the vacancy. It might also come from an external expert, a consulting firm that sells research on industry trends, or a recruitment firm which offers job posting services in addition to talent acquisition. Regardless of where the industry standard version of a job description comes from, it generally has two deficits: first, the job competencies are so general they are meaningless, and second, the competencies are based on surveys, which only produce industry averages. The net result is a search for an average candidate which draws a candidate pool clustered around an average set of competencies driven by industry trends. Using an industry standard job description means you’ll spend this year looking for a last year’s average candidate. Both of which lead to problems.

2. The ideal candidate: This version can also be developed internally or externally, but it tries to solve the problems found in the industry standard description by going to the other extreme. The ideal candidate job description usually begins as an exercise—let’s start by describing the perfect candidate and see who we get. This approach creates several problems, some of which were faced by the client company we met at the start of the chapter. First, the ideal candidate description is a fantasy. And since the existence of such a candidate has no connection with reality, such a candidate is never found.

3. The last person who had it: This version is most often found when decision makers want to get hiring done quickly. Surprisingly, as a strategy, it is not too far off the mark. Unfortunately, it often falls short because, to get done quickly, it’s done thoughtlessly. What we often see is a list of certifications and skills which the last person had or which others in the department have, with no attention paid to critical behaviors that are also needed for a candidate to thrive and a work unit to succeed. This is another version of “let’s see who we get” by quickly putting up a job description on a few job boards. The problem comes in sifting through responses because there are no candidate differentiators when the job description only includes specific skills and certifications.

Whichever of these categories your job description falls into (and it may fall into more than one), once it is written, it may as well be set in stone. We beg you to write in pencil from now on.

Spotlight: Can, “Competency” and Certifications

Competency can be attained in many ways, especially related to cybersecurity. While it is largely dependent on the specific role and/or responsibility in question, competency may come from experience (work or personal), education (formal or self-taught), certifications, and training (either pre- or post-hire). Even though the intent at the outset is often to set the bar high, see who applies, and then compromise on one or a few competencies, the compromise often fails to emerge. This is because once a “good enough” candidate is identified, at least one person in the approval pipeline will ask why a candidate who fails to meet the job description is being considered at all. Rodney Petersen helpfully calls the problem of asking for everything plus the kitchen sink “over spec’ing”:

Rodney: Traditionally, the big three credentials to get a job are degrees, certifications, and experience, and everybody’s looking for people with some combination of those three. Position descriptions are overspec’ed, and the number of open jobs with certification requirements often exceed the number of people available who even hold them in the universe. So there’s not enough people to fill those jobs.11

This problem is compounded in today’s market, where the national average cybersecurity job supply–demand ratio is one to eight (versus the national average for all jobs, which is three to seven).12 There are valuable cybersecurity candidates—whether for technical, compliance, risk, legal, or executive roles—that come from all different backgrounds.

Failing to capture talent pools without certain “buzzword” backgrounds is the problem our anecdotal COO client had with the CEO earlier in the chapter. The lesson is clear: if a competency is in the job description, very few hiring processes will permit a candidate without that competency to proceed. This is problematic on multiple levels: first, job descriptions for ideal candidates often include competencies which are not relevant to the job being performed. Most often this issue takes the form of requiring leadership ability of some type for individual contributor roles. Even in the cybersecurity world, not everyone needs to be, or should exhibit, leader behaviors when they are assigned to an individual contributor role. Individual contributors need to make individual contributions to the team they work on, but they do not need to lead the team. This could also include “ideal” or “mandatory” degrees, certifications and training, or decades of experience. But are they always necessary?

Some may quarrel with even posing this question. First, related to leadership: in a focused way, we agree that leadership is important, particularly when looking at business resilience processes and frontline leader development. Leader development is critical to any organization, and resilience requires the establishment of processes which identify leadership potential. However, that does not mean leadership ability should become a job competency for individual contributors. Individual contributors should be selected based on the ability to make an individual contribution. Those few who are identified as having leadership potential, which we address in later chapters, can and should, be brought into a leadership development pipeline. Second, related to education and experience, opinions are mixed. Rodney Petersen offers insight regarding knowledge and competencies:

Rodney: Both degrees and certifications tend to test knowledge and memorization skills; the ability to take multiple choice, true/false tests, and that is not nearly as important as what you can do, how your skills can demonstrate your ability to apply the knowledge. We’re moving the NICE Framework towards competencies because we think that’s a better way for learners to demonstrate their accomplishments or what they can accomplish with the kind of competencies they both acquire and have the capacity to continue to acquire over time.13

Austin Berglas,14 the Global Head of Professional Services for BlueVoyant, explains his thought process in hiring college grads without typical backgrounds or certifications to entry-level positions:

Austin: I have a penetration tester who leads my penetration testing team, a former NSA cyber operations specialist—and that is where, underneath these guys and gals—these directors—is where I’m able to take that college graduate who has spent his high school time basically hacking boxes in his basement and getting up to speed, really growing a passion for understanding vulnerability. I’ll hire that person—number one is they want to learn, they want to grow, and they’re affordable.15

What does the college graduate who has spent his high school years passionately hacking boxes in his basement demonstrate? He may not have the standard understanding of the requisite tools or software. But behaviorally, he is a learner. We can break it down with an analogy in a completely different field: cargo pilots versus test pilots. Generally, flying cargo is very simple—you go from point A to point B and back from point B to point A. If you’re a test pilot, your job is to actively put yourself in situations where you need to quickly and accurately solve problems. Test pilots are learners, just as hackers can be learners. This behavior can be uncovered with correlating behavioral question sets during the Will phase.

In cybersecurity, we hear more and more stories about hiring managers finding the ideal candidate—but having trouble dealing with an organizational response to that candidate’s missing fill-in-the-blank formal education requirement. Michael Woodson still remembers the “one that got away”:

Michael: Sometimes you miss a good candidate because he or she didn’t finish the degree. I have found an individual like that. However, he didn’t have a degree, and the requirement was for a degree. So that put him out of the loop. We had to take a look at that, and it was hard for people to understand that this guy has everything we’ve been looking for—but he didn’t have the degree. His was one of the best interviews. But I couldn’t hire him. They wouldn’t allow me. He was going to be my report, my deputy, and I couldn’t hire the guy.16

Good candidates, sometimes the very best individual contributors or go-to employees, will be overlooked if the ideal job description requires behaviors and abilities which are great to have, but do not correlate to successful performance of the job described.

But there are significant ways in which formal education, certificates, and training can truly make a difference. Most obviously, the knowledge gained can be a game-changer, and many of the requisite degree and certificate requirements we see in cybersecurity job descriptions make sense based on the defined responsibilities. It may depend on how mature the company’s cybersecurity team is, it may depend on how senior the role is, and it may depend on what the particulars of the job are. Nick points out that companies without mature cybersecurity teams tend to be looking for people early in their careers:

Nick: They’re looking for someone who’s eager to take on work across multiple areas of search, a jack-of-all-trades in information security. And they’re looking to hire people at the entry level, rather than at the seasoned level because they know that a person they hire at the entry level can take them from zero to fifty percent which is a lot better than where they were. It’s only when you have a very mature information security program that companies are interested in hiring people that have experience in working in some other organizations. Since the company is immature, they’re basically looking for a warm body that can do basic work. They’re usually looking for individuals that can do five or six different things relative to information security, who can be the go-to person for information security. But they’re not looking for specialists, they’re not looking for people to join a team already in place.17

Formal education certainly points to behaviors that correlate to success as well, and Nick’s analysis of when and why to hire recent grads highlights why these newly formally anointed cybersecurity professionals can be a serious asset. John Kolb,18 the Vice President for Information Services and Technology and CIO of Rensselaer Polytechnic Institute, explains what degrees demonstrate to him:

John: I actually think the credentials, a lot of times, is what gets you in the door. And to me, what it typically says is that you’re disciplined enough to make it through the course/curriculum, and you’re able to stay up with the work, learn a new subject, pass the assessments and so on. And that’s useful, because you want somebody who’s disciplined—you don’t necessarily just want the smartest person in the room. You want somebody who’s going to be disciplined about how and what their approach is, and how they’re going about things. You might find the unicorn, the smartest person in the room that didn’t go to school and so on—and that’s okay. But I think the degree is important for me. It says that somebody applied themselves and came out the other side. One of the most important personal traits is persistence. A lot of these problems don’t get solved in minutes or days or weeks, even—they take some time to really think through and test and so on.19

The behaviors John describes—discipline and persistence—are essential to many cybersecurity job roles. As Adam Bricker,20 the founding Executive Director of the Carolina Cyber Center, explains, the Carolina Cyber Center aims to integrate “essential life skills” into a student’s cybersecurity professional development program:

Adam: Our goal is not to just get you the interview (e.g., with certifications and experience), or simply to get you the job (e.g., by adding in professional skills like interviewing and speaking). Our superordinate goal is to prepare you for a successful career to serve our nation, and we do so by integrating the development of one’s essential life skills such as discipline, creativity, collaboration and grit. We can all differentiate between “just a job” and a “profession.” Professionals should have a growth mindset.21

Adam is describing behaviors that correlate to success for many cybersecurity professionals. Attempting to describe this concept reminds us of the great, but relatively unknown mountaineer, Dr. Thomas Hornbein who, with Willi Unsoeld in 1963, made the first ascent of the West Ridge of Mount Everest, and by descending the Southeast ridge, made the first known traverse of Everest. When asked why he climbed such dangerous mountains, he did not repeat George Mallory’s “because it’s there” answer. Dr. Hornbein, an anesthesiologist and Professor at the University of Washington Medical School, said that he climbed because it was such a deep part of who and what he was as a person, that not climbing was not an option. That’s the depth of character you need to look for when assessing Adam’s “essential life skills.”

Students, nonpros, and transitioning candidates may demonstrate these essential life skills—the behaviors that correlate to success in cybersecurity job roles. Still, regardless of all experience, employers tend to request many of the four-letter certification abbreviations on candidates’ resumés. As Paul has seen from some of his clients:

Paul: A lot of times you’ll see requirements, and it’ll say, “We require 1,700 certifications in cybersecurity.”22

Fortunately, certifications may be acquired by the right candidate, post-hire. There are a variety of organizations that offer certifications related to cybersecurity, and some are more well-respected and well-utilized than others. The well-known certifications include offerings from nonprofit and for-profit organizations, ranging from information systems security, to cloud security, to privacy, to ethical hacking, to digital forensics work. There are many levels of certs, all geared toward different aspects of cybersecurity. New certifications, whether based on new technologies or new vulnerabilities, crop up every year. In a recent survey which was skewed toward defining cybersecurity professionals as more technically skilled,23 eighty-one percent of respondents anticipated that they would need to obtain additional certifications or training in their preparation for future roles.24 More generally, eighty-four percent of respondents took the position that they were planning to pursue a new cybersecurity-related certification at some point, as employees and candidates look to working toward certifications to improve or add to their skill sets, to stay competitive, and to advance or develop their careers.25

There are many certificate options to demonstrate increased education, skill, and ability—each at differing levels (beginner, career advancement, and specialty). But there may be a catch in hiring someone just for the certifications, as Austin explains:

Austin: When you spend thousands of dollars and hours on those certifications, that time can be spent toward actually having hands on data, actually ripping apart hard drives and actually doing penetration testing, and learning. Because what you read in the book, if you’ve ever gotten one of these certifications, what you read in the book is really just learning the page. It’s not that way in reality; I want to hire somebody who has done penetration testing, has developed their own skill set, understands the tools, understands how to get around things that you can’t find in a book. That’s what I’m looking for. And if a client wants to hire us and needs a certain certification, and we don’t have it—it’s very simple for me to send one of my people to study for an online certification for a couple weeks and get it.26

Inherent in what Austin is saying is that “book learning” needs to be balanced by experience—whether that’s on-the-job, in school, or in one’s basement. And the candidate needs to be able to, and want to, learn. Andrea points out that leaders must be willing to invest in their team:

Andrea: My role is to invest in my team and get them “skilled up” or “leveled up” with new skills, be it training, or going to attend conferences where they’ve not had that exposure before, but most importantly understanding what are the new skill sets that are going to be critical so that we can grow as a thriving IT organization.27

So, some aspects of competence may come post-hire, whether they are foundational or expansive. The key is to know what the necessities are for your job description. Creating a functional, rational, and evolutionary job description begins with understanding that each job in your company needs its own job description. Some jobs may be fairly close, but each role must have its own, focused summary of requirements. First, use what you already know. If this is an existing job, analyze prior performance in the specific job role. If this is a newly created job that is being filled for the first time, review the growth that has occurred within your organization, recognizing that the person currently performing related job tasks cannot meet demand, and/or an audit has revealed new necessities.

Good candidate pools come from clear and focused job descriptions which are relevant to what you actually need in your business. Industry trends, ideal candidate descriptions, and “throw it against the wall to see what sticks” do not draw in the candidates you need. Without a properly formed candidate pool, nothing you do in a selection process or in an interview phase matters. It’s the job description which drives the candidate pool, and the candidate pool provides the foundation for finding the employee you need. These complex and difficult trade-offs are exactly why capability, skill, training, and certification are placed at the very top of the process in the Can phase. By being first, these most difficult tradeoffs can be made before time and resources are spent by both employers and candidates on other parts of the hiring process. While different companies will work through these trade-offs in very different ways as they set up their testing programs and identify their certification requirements, there is one issue all companies will have in the hiring process: Where do you find candidates?

This is not about finding “good” candidates or “high-quality” candidates. Remember, the hiring model will produce that outcome if properly structured and operated. Regardless, any process needs candidates, people interested in working for the company and willing to apply for the job. What happens when you have a great process, focused testing, the right certifications identified, but nobody applies? Or (and more common) most of your applicants simply don’t meet the basic capability requirements. What then? Debate usually ensues. The standard approaches are either to attempt to restructure the job requirements so more applicants will have the necessary skill (dumbing down) or to raise the offered salary. Neither works. Unless you need a person with truly unique capabilities, the problem isn’t the requirements. And if the salary is within five percent of market rates, it’s not the salary. The key is to find out what the cause is, and the solution is to go to the source. Where do your prospective candidates come from?

Where you look depends on what you need. And how you create a steady stream of candidates depends on where you look.

For Entry Level, Go to School

The most important thing any company of any size can do to ensure its cybersecurity hiring funnel remains full is to establish and maintain relationships with schools to offer cybersecurity training, certifications, or internships. This does not mean having a booth at the job fair each year. It does not mean offering tours to the graduating class, and it does not mean making a donation to the annual auction. You must build an ongoing values-based relationship with the school and with the students as they are coming through the program. Not all of them will be interested in your company, not all of them will want to stay in town when they are done with school. But some will. And the key is to make it easy for them to get to know you and for you to get to know them. Offer to be a guest lecturer on whatever your specialty is. Be an adjunct professor if they need one. Get involved in the mentoring program. If they don’t have one, find out why. Alexi Michaels details her experience in the job market directly after college:

Alexi: My current boss said I was part of a very competitive applicant pool. But since starting at BlackBag, I have already contributed so many new suggestions to make programs better—which no one has yet brought to the table. And I think that is because, as a “newer” examiner, I have different views on examinations compared to the senior examiner who has been doing investigations the same way with the same tools for as long as he or she can remember. Now a lot of people rely on their tools to find the answers for them, and in my college courses we didn’t just learn about how to use the top tools, but we learned how to do an investigation without the tools. Undergrads study and are heads down in their textbooks learning about digital forensics and the information is fresh in their brains when graduating. I think companies should 100% take advantage of this!28

Alexi’s first job after college was actually related to an internship she had with the same company. Remember, the key to a strong team is relationships which are built on communication and trust. Building relationships takes time, and one can never predict which relationships will be productive and which will be short-lived. The key is to position your company to have as many relationships as possible with the pool of people who are working toward the education and experience you need in your company. You’ll learn about your candidate pool long before you need to make a hiring decision. And with more data, you’ll make a better decision. Does the CEO need to go? It depends. If you have a five-person firm, everyone should participate. If your company is very large, then the most senior person who works at the location should be involved. If you send last year’s new hire to mentor their friends who are graduating this year, you lack legitimacy. Share your time and expertise, and serendipity will work in your favor.

For Laterals, Go to Your Networks

Some are leery about poaching talent from other companies. Others are only concerned about being caught poaching talent. The reality is, employees move through the market and companies’ needs change over time. The key here is to be in the market in order to understand what everyone is doing, to reiterate the tactics discussed in the beginning of this chapter. As Stewart Gibson explains:

Stewart: The initial job requirement I presented to our recruiters was that I was looking for a direct report to a CISO that wants to make that next step and become a CISO. Hard core coders did not seem to be able to demonstrate they could make that step, and so I did refine what I was looking for. I started looking for sitting CISOs who were already successful and liked their current position, but maybe did not like the commute, or wanted to be closer to family. They were willing to make a move but not because they were not happy in their position. I did not want someone who was disgruntled with their current employer and was just itching to get out.29

The knowledge Stewart mentions can be gained from building and knowing your network. The cybersecurity community is tight knit and, at times, competitive. The best way to attract the best talent is to set high standards and adhere to them and to treat everyone in your company well and make sure it is well known. There are ways to combat a competitive mentality when seeking out laterals externally. First, it’s understanding that some people are happy where they are no matter what, and they are simply not going to move. But second: some people are happy where they are, while also having goals which cannot be met there (whether that’s a promotion that can’t happen because the company structure won’t allow it, or the person in that slot is staying put). Those candidates can find growth by moving laterally to another company and then potentially transitioning back to their former employer at a higher level. Companies can find ways to make this mutually beneficial; it does not have to be a negative process. Orchestrating lateral movements properly can be a win–win.

For Laterals, Look Internally

The new cybersecurity workforce members you need may already be at your organization. Whether they have always been under the IT umbrella or have worked in a completely different line function (but know the business), internal employees may be a secret weapon. Amanda describes her own internal career path, which ran from management reporting analyst (where she reported to accounting, risk, and operations), to assisting the infosec team with developing incident response and business continuity plans, to officially starting in the infosec arena with a role as an information security analyst (focusing on governance, risk, and compliance):

Amanda: Hiring a known entity from within the organization can reduce training time, even if the hire is outside of information security or information technology. An understanding of different business lines and knowing the organization is a crucial part of identifying unusual activity and potential threats.30

Amanda’s employer acknowledged her talent, interest, and motivation—and allowed her to grow within the structure of the bank. Mid- to large-size businesses have an advantage in being able to seek out and develop a cybersecurity workforce (to an extent) from within. While IT professionals have the “solid foundation to contribute to an organization’s cybersecurity practice,” the shared responsibility across an organization, which is inherent in cybersecurity, means employees with transferable skills could be trained up as well. If they understand the inner workings of the business, know the way data flows in, out, and through, and/or are experienced in the existing risks (whether that’s through legal or compliance), passionate, dedicated, and interested employees can be leveled up accordingly.31

Larger organizations may strive to put in place a proficiency assessment and mobility process similar to the one Leidos has perfected. Building on the concepts discussed in Chapter 1, and Bill Bender’s explanation of the Leidos cybersecurity workforce program, Leidos’ defined work roles and related Can assessments allow for ease of mobility within the organization. Bill continues:

Bill: I think it’s something on the order of 1,700 different sort of proficiency assessments that can take place over time for individuals. It allows us to have mobility within the organization as a result; this is a set of very sophisticated and measurable field aptitudes and experiences that lead to proficiency levels and the ability to move vertically and horizontally without always having the need for more training. There’s a good alignment between what you do and the experience you’ve had and the proficiency you hold to this next job or set of jobs; it allows a lot of movement which is seen as a very positive thing. It’s not the redundancy that comes with just one role for as long as you’re willing to stick around, and that’s proven to be very effective. I think, generally speaking, the proficiency levels have motivated people to stretch and to attain; it becomes competitive in nature—and of course it’s purely based on what they’re able to attain and it’s very clearly defined and measurable outcomes. And therefore, there’s the self-motivation that takes over and they’re compensated appropriately for those additional proficiency levels that they’re able to attain. A lot of it is self-initiated, so that’s a positive for us.32

Self-motivation among internal employees, and organized processes for vertical and horizontal mobility, mean valuable sources of cybersecurity hires already trained up on the business.

What About Jobs With High Turnover?

Many companies struggle with high turnover, and ensuring you have a well-tuned hiring process and a steady stream of interested candidates entering your system can help. There is one key pitfall to avoid: don’t presume the solution is to stop the turnover.

This may seem counterintuitive, but it actually goes back to one of our initial rules: Don’t try to solve a problem until you know the cause. Sometimes, high turnover is a symptom of a problem which needs to be addressed, and when fixed, the high turnover disappears. However, in some very specific situations, high turnover is not indicative of a problem; it’s just part of the job. Many entry-level jobs have high turnover because they are entry level. Security guards may be gaining experience which qualifies them for law enforcement jobs, and retail employees may be learning the business to qualify for a management track.

If the nature of the job means that most employees stay, for example, two years, then it’s a mistake to try creating incentives designed to keep people longer. Better outcomes can be obtained by planning for high turnover and facilitating the transition. Build relationships with schools or other companies who provide you candidates to ensure you have a steady supply. Help your soon-to-depart employees find the next step in their careers by maintaining connections with the companies who need their newly developed experience. The entry-level employee who you set on a development path may come back to you in a few years as a seasoned leader, capable of doing more than if she had stayed.

What happens if you discover that the type of person and the type of qualifications you’re looking for simply can’t be found in the area? Actually, that’s valuable information. Even though it’s frustrating, knowing there are not qualified candidates available in commute distance will drive necessary strategic changes in your business. This lets you know you have to draw candidates in based on geography, or figure out how you can leverage that skill remotely. The point remains: putting capability first is critical because it reveals and informs the rest of the process. The last thing you want is to keep looking for a person who simply doesn’t exist where you are located.

Working With a Recruiter

Recruiter services can appear to be a miraculous fountain in a sandy desert. But recruiting firms are only valuable if they are properly utilized. If you choose to retain a recruiter, you must ensure that recruiter is more than just a mirage. Most importantly, you need to manage that recruiter—meaning, you must find a recruiter who is willing to be managed. Bob Keegan,33 the Vice President of Cybersecurity Sales at Mitchell Martin, explains why the right recruiter needs to be a partner, both to listen and advise:

Bob: We are not going to a client looking to get a requirement from them—we work together on requirements. We really want to go in from day one and truly be a partner. What I’ve seen in the cybersecurity market reminds me of way back when, when I was working a Lehman Brothers account. Lehman Brothers back in the early days used to promote people very quickly to managers, and they would be asked to make management decisions when they’ve never hired a person in their lives—they were in charge of writing requirements. The same thing is happening in cybersecurity. People are being asked to take on roles inside cybersecurity groups within their organization, which they may not understand fully. So when they write requirements, they end up putting a laundry list of things together because they think that’s what they really need. So we end up educating the client, many, many times, and hopefully we can get to it early in the process, but sometimes it takes a long time to get to help the client figure out what they really need to be effective to get the job done.34

Working with a recruiter requires skillful communication. In order to manage a recruiter, a few preliminary puzzle pieces must be in place: knowing what you are looking for, having a draft job description to work from, and understanding and establishing specific filters for the recruiters to use and quality checks to ensure you are getting what you have requested. Recruiters may push to simply take a job title from you and then sell their reputation to get the position filled (“We provide the best candidates in the industry,” “We have the best access to the best candidates,” “We know best”). But relying on a vendor to provide “the best” will most often not get you what you actually need. A good recruiter can get you a pool of applicants that fit your true needs and may proactively confirm background information before your team digs in. They may also help you with the other layers of the hiring process, especially if you have not hired in cybersecurity before, with guidance on what the market looks like, what employee concerns and requests are, and what turnover looks like in certain fields.

The Right (and Wrong) Way to Use a Resumé

There are countless books, seminars, and counseling services dedicated to helping job-seekers create, hone, and manage their resumés. But the same is not true for hiring managers and HR professionals. The teams sifting through and reading resumés need guidance as well, and the fundamental problem is that resumés, even good resumés, don’t reveal that much. Consequently, after you post a job, your intake process immediately gets overwhelmed by the volume of resumés which land on somebody’s desk or computer.

Generally, the first step in reviewing resumés is to determine who meets the job requirements and who is aspirational. Often, a large percentage of applicants fail to meet the job requirements and are just hoping to impress somebody if they can just get an interview. This immediately causes a volume problem. Bill Thornton,35 the Vice President Risk Management and Technology, Fraud and IT Security at Discover Financial Services, recalled the last time he posted a job and got seventy resumés in response:

Bill: I don’t have time to go through seventy resumés, so HR does that. Then, once they start feeding me resumés, I pick who I want a quick phone call with, and we’ll do a quick phone screening which I will conduct if it’s a direct hire for me.36

And in addition to the volume problem, there’s a valid concern over accuracy. Do the resumés accurately recite the applicant’s qualifications? Michael Woodson offers his opinion:

Michael: So you know what you’re looking for, they’re going to give you a bunch of resumés. The reality is, how much truth is in that resumé? It’s often that I find the very people that I’m looking for aren’t the ones that have applied for that job.37

And for ultra-high volume postings, where there are keyword searches and even AI reviews, are the resumés being selected the best candidates, or just the candidates who figured out which keywords to use? Paul Casale opens us up to the problem and the beginnings of the solution:

Paul: My team has all the latest and greatest technology around to find the right people in the cyber space. We give our recruiters the tools they need to succeed but they are especially trained at digging down on the soft skills. We can find buzzwords on a resumé all day, but if we didn’t really narrow down what they have done on the job and their personality in explaining it, then match it up to the hiring managers’ requests, we wouldn’t be as successful as we are. Our candidate pitches are tailor-made to what the manager is seeking when we find the right talent.38

This is a problem which has both practical and legal ramifications. Faced with a stack of applicants who all meet whatever the initial resumé review process is, how do you decide whom to interview? How do you treat everyone fairly?

The bottom line is actually simple: The resumé doesn’t really give you much. Candidates spend a huge amount of time and effort to write resumés, and then put in ongoing effort to mold a unique version of the resumé to correspond to the job. We know because we’ve learned how and we’ve taught the techniques to many job-seekers. HR departments spend a good deal of time analyzing resumés to determine if there is a “match” between the candidate’s background and the hiring manager’s requirements. But in reality, other than a generic sense of “who should we interview” which is often driven by how close to the top of the stack a given resumé randomly appears, how resumés are written and how they are reviewed does not extract differential data regarding whether an applicant can or will do the job you need done. It’s truly a waste of effort.

And after the initial review, what happens most often is a stack of resumés will land on the desk of a frontline manager with a verbal instruction to “hire the best three” or some other arbitrary number. This leads to a variety of problems ranging from hidden bias, to relying on feelings like “good fit,” which seem relevant but are actually not indicative of high job performance. We have mentioned this before and will go into detail during Chapter 4’s discussion about The Big Mistake. But with an essentially arbitrary approach, you not only fail to identify people who will succeed at your company, you become open to a host of legal issues ranging from failing to meet diversity and inclusion requirements to discriminatory hiring practices.

The good news is, when you use Can–Trust–Will, you don’t need to look at resumés because all of the data you need to make the best possible hiring decision will be extracted during the process. Consequently, we strongly recommend chucking the old process of resumés and applications for your cybersecurity hiring program and building out a Can–Trust–Will process which identifies the technical skills and behavioral characteristics which correlate with success for each work role in your company.

However, for as long as you continue using a process which involves collecting and reviewing resumés, it is critical to analyze the resumé to answer just two questions. The first question is whether the resumé shows sufficient training or experience to conclude that the candidate has the technical skill to do the job. If so, the training and experience claimed should be quickly verified before the candidate moves forward. The second question is whether the resumé shows experience or other data which gives insight into the candidate’s behavior characteristics. The final step is to decide, based on the totality of what you have extracted regarding the applicant’s verified technical skill and potential behavior, whether to recommend the person be interviewed.

This process should seem faintly familiar because it’s a resumé-review version of Can–Trust–Will. The sole purpose of this resumé review is to help you decide whom to interview. Plain and simple. And that’s all the resumé should be used for. Hopefully, at this point, you’ll have a number of objections to this resumé-review recommendation—it’s imprecise, it’s too shallow, I won’t be able to tell who to interview. And you’re right. But you’re right for a very specific reason. By going through this process, you are clearly seeing how little you can learn about a person from a resumé. In addition, you are using a process which is sufficiently structured, so you can no longer hide behind imprecise evaluating phrases. No more “good fit for the team,” “understands our culture,” or “great resumé.”

After resumés have been reviewed and interviews offered, the purpose of the resumé ends. The resumé should not guide interview questions, or even be present at the interview. The worst interviews are conducted by a person looking at the candidate’s resumé and asking questions while working through the job history section. Such an interview reveals nothing about the candidate and gathers no differential data regarding whether the candidate fits the behaviors you need for the job vacancy you have. The interview should be used as a quest to gather behavioral data, per the final phase of our hiring model, Will—and using a resumé during the interview prevents you from doing so.

In fact, an interview centered around a resumé (“What was it like working at ABC Corporation?”) results in a conversation that will leave you comfortable or uncomfortable—meaning, you either “like” the candidate or you don’t. And, as illustrated earlier, we are likely to be comfortable with people who are like us and uncomfortable with people who are not. Resumé-based interviews, it follows, may actually be at the root of most diversity and inclusion problems. We will examine in depth how to conduct effective interviews in Chapter 6.

The only thing worse than a resumé-based interview is a resumé-based hiring decision. Candidates, if they are getting good advice, understand the resumé gets them the interview, not the job. The same advice applies to the hiring manager. The resumé, however impressive, should never be used as the basis for a job offer. For every one story of a successful hire off of a resumé only, there are perhaps hundreds of stories (which never get told) of failures. “Great” resumés simply don’t correlate to job performance.

A Final Observation

If you’ve ever written a resumé, you know that it never tells the whole story of a candidate. Resumé writing is difficult principally because of the necessity to omit significant events and accomplishments due to space and relevance considerations. It never reveals the whole person. To make a good hiring decision you must know the whole person. Creating and operating the Can–Trust–Will process will ensure you know the whole person before you make a job offer. Getting derailed by a great resumé is always a mistake. Not just because you probably will hire someone who isn’t what you need, and not just because that bad hiring decision is expensive. But mostly because your immediate decision to snatch up the great resumé—the shiny object which catches the eye—operates to preempt the truly great candidate who is in your interview pool but is never found because you sent them a “the position has been filled” message. They are right there, waiting to be a great part of your extraordinary team, and you missed them because you chanced across a good-looking resumé which just happened to be higher in the stack.

Interestingly, a similar theory applies to resumés that appear to show a lack of experience or relevant Can skills. Just as a stellar resumé will not reveal the entire person, a less-than-sparkling resumé doesn’t tell the whole story either. Going back to our earlier discussion of hiring recent grads or candidates that need to be “trained up,” these resumés may have a diamond-in-the-rough new hire hiding behind them. Amanda explains:

Amanda: We just hired someone that if you just made a decision based solely on the resumé, the candidate probably wouldn’t have made it to the video interview round; however, after getting to know the candidate through these multiple interview rounds, we found the perfect fit for our team. How the candidate conducted herself—calm under pressure, being able to speak eloquently, presentation, and being able to explain technical concepts simply, set this candidate apart. We’ve also had candidates with perfect resumés, but in the end weren’t up to par.39

The common error comes when reviewing a stack of resumés or interviewing candidates in groups—the natural tendency is to begin evaluating on the curve. The result is you interview the best candidates from the stack when you should only be interviewing the candidates you need. It might be all of them, it may be none of them, but the critical point remains: interviews should be given to candidates who are likely to be what you need—it’s the first step away from the old confirmation mindset and toward the much more effective selection mindset.

1 A. Markstrom, in discussion with the authors. June 24, 2020.

2 M. Woodson, in discussion with the authors. July 20, 2020.

3 W. Coleman, in discussion with the authors. August 12, 2020.

4 N. Davis, in discussion with the authors. July 27, 2020.

5 Paul Casale has over fifteen years of experience in IT staffing, and is currently the Senior Vice President of Recruiting, managing a team of over eighteen recruiters at Mitchell Martin, a national IT staffing and recruiting service provider.

6 P. Casale, in discussion with the authors. June 26, 2020.

7 CyberSeek, About This Tool. www.cyberseek.org/index.html#about

8 CyberSeek, Cybersecurity Supply/Demand Heat Map. www.cyberseek.org/heatmap.html

9 B. Brennan, in discussion with the authors. August 04, 2020.

10 (ISC)2, Hiring and Retaining Top Cybersecurity Talent. www.isc2.org/-/media/Files/Research/ISC2-Hiring-and-Retaining-Top-Cybersecurity-Talent.ashx (10)

11 R. Petersen, in discussion with the authors. July 28, 2020.

12 CyberSeek, Cybersecurity Supply/Demand Heat Map. www.cyberseek.org/heatmap.html

13 R. Petersen, in discussion with the authors. July 28, 2020.

14 Austin Berglas is the Global Head of Professional Services for BlueVoyant, a cybersecurity provider. He previously served twenty-two years in the U.S. Government as both an FBI Special Agent and head of all cyber investigations in New York City, and as an Officer in the U.S. Army.

15 A. Berglas, in discussion with the authors. June 30, 2020.

16 M. Woodson, in discussion with the authors. July 20, 2020.

17 N. Davis, in discussion with the authors. July 27, 2020.

18 John Kolb has worked with Rensselaer Polytechnic Institute for over thirty years; he currently is the Vice President for Information Services and Technology and CIO, and previously served as the Dean of Computing and Information Services, amongst other leadership roles.

19 J. Kolb, in discussion with the authors. July 28, 2020.

20 Adam Bricker began his career as an aerospace engineer. He has worked as a Director of Information Systems, CIO, and founder of EdTech, medical informatics, SaaS software and product development companies, and became the founding Executive Director of the Carolina Cyber Center in January 2020.

21 A. Bricker, in discussion with the authors. July 13, 2020.

22 P. Casale, in discussion with the authors. June 26, 2020.

23 Specifically defining “cybersecurity professionals” as “. . .a mix of certified professionals in official cybersecurity functions as well as IT/ICT professionals who spend at least twenty-five percent of a typical work week handling responsibilities specifically related to cybersecurity.” (ISC)2, 2019 Cybersecurity Workforce Study. www.isc2.org/-/media/ISC2/Research/2019-Cybersecurity-Workforce-Study/ISC2-Cybersecurity-Workforce-Study-2019.ashx (4)

24 Id. at 30.

25 Id. at 31–32.

26 A. Berglas, in discussion with the authors. June 30, 2020.

27 M. Andrea, in discussion with the authors. June 24, 2020.

28 A. Michaels, in discussion with the authors. July 03, 2020.

29 S. Gibson, in discussion with the authors. July 27, 2020.

30 A. Tilley, in discussion with the authors. July 02, 2020.

31 (ISC)2, 2019 Cybersecurity Workforce Study. www.isc2.org/-/media/ISC2/Research/2019-Cybersecurity-Workforce-Study/ISC2-Cybersecurity-Workforce-Study-2019.ashx (35)

32 B. Bender, in discussion with the authors. July 08, 2020.

33 Bob Keegan started in the IT staffing business in 1990, in downtown New York City. Currently, Bob manages the cybersecurity niche at Mitchell Martin, with a national scope.

34 B. Keegan, in discussion with the authors. June 26, 2020.

35 Bill Thornton has over twenty years of leadership experience that includes multiple C-level roles and the rank of Brigadier General in the United States Air Force. His current role is with Discover Financial Services, where he is the Vice President Risk Management and Technology, Fraud and IT Security.

36 B. Thornton, in discussion with the authors. July 29, 2020.

37 M. Woodson, in discussion with the authors. July 20, 2020.

38 P. Casale, in discussion with the authors. June 26, 2020.

39 A. Tilley, in discussion with the authors. July 02, 2020.
