The “infosec talent shortage” is a bit buzzwordy and cliché by now -- and rightfully so. Hiring security talent is not easy, but many organizations are making it much harder than it needs to be. In many cases, the unfortunate result is an organization throwing its arms up in defeat and blaming the talent shortage instead of owning the problem.
Before accepting defeat, there are three hiring and team building strategies you should consider:
1. Look internally for a ‘security growth transfer’
Before venturing into the competitive public market for security talent, first look inside your own company. When you review the different security disciplines, each one is fundamentally a security specialization layered on top of a robust core body of knowledge. For example, a solid application security engineer requires the fundamental skills of a software developer. A network security engineer requires a networking background.
Identify the core skill disciplines that feed into the security role you need and reach out to those teams. Within these teams, identify strong performers who have an interest in security and have perhaps already worked on a security project. These individuals, who have already proven themselves as high performers at the company and have an interest in security, are great potential transfers into a security organization.
To ensure a successful transition, build an onboarding plan. Review the fundamentals of security with the transfer to fill any knowledge gaps, then pair the individual with existing senior members of the security team for their initial projects. Conveniently, the individual already knows how the company’s internal tooling, processes, and standards work.
2. Build a pipeline of security talent
While this approach won’t help with your first few security hires, it will ensure you have a continuous pipeline of security talent to build your security organization over the years.
Establish a partnership with a source of eager and talented junior security team members. This could be a local university, a security bootcamp program, or a great organization such as Year Up. Host rotational internships or be the first job opportunity for a junior security practitioner.
To prepare for your junior employee, look at the work the security team is doing overall. If you haven’t already, I recommend building an activity and skills matrix across your security teams. This exercise produces a table of core activities and skills along with the names of the team members who can perform each one. You’ll quickly identify crucial operations that only one person can complete. Separately, you’ll also identify routine, junior-scoped work that is occupying your senior staff’s time. This junior work is a great target to turn into a runbook (a well-defined series of procedures) and to use as an initial project for your junior hires.
This exercise will create a pipeline of talent that continually flows into your organization and grows into senior roles over time.
3. Look externally, but do so realistically
After exhausting both of the above paths, it’s time to look externally for security talent. Be honest with yourself about the job description and role. Of course, you’d love to hire someone who has it all: 8-10 years in incident response, plus the ability to reverse malware and experience with application security audits. But be realistic. The pursuit of everything will result in nothing. Instead, build a tight, well-defined role that represents an actual set of experiences. Define the key soft skills that are equally crucial to your organization, such as collaboration, teamwork, and curiosity.
I’ve found the best security engineers have a passion for learning, solid experience in the technology fundamentals underlying the role, and demonstrated success in previous challenging roles, inside or outside the field of security. Notice what I didn’t say there. I didn’t mention a specific certification like CISSP or a specific degree. Hard requirements for these items are a crutch and should be struck from job descriptions. There are many ways a candidate can have grown and learned their skills. Your job as a hiring manager is to figure out whether a candidate can be successful in your role, team, and company. Your role is not to build a naive regex (or keyword-matching system) for resume filtering.
Don’t just throw this job description onto a hiring board and expect a company recruiter to find candidates. It is your responsibility to work with the recruiter and ensure they understand what you’re looking for. Share LinkedIn profiles that match what you’re looking for. If the source is sending you the wrong candidates, iterate.
Next, be sure that each interviewer has an interview objective. Define the relative skill level needed for the role. For example, a role may need excellent skills in security code auditing but only basic skills in shipping and deploying code. Be sure your interviewers understand the needs and craft interview questions accordingly.
Lastly, if your team is not already trained in unconscious bias and the importance of building a team with a diversity of thought and backgrounds, be sure to spend considerable time on these areas. They are critical.
While there is no silver bullet for attracting and hiring great security talent, there are many techniques and approaches that can dramatically increase your team’s success. And as with your overall engineering practices, track metrics and perform retros on the process. Hiring can improve just like any other discipline.
Michael Coates is the CEO & co-founder of Altitude Networks. Previously, Coates was the Chief Information Security Officer at Twitter. He also served for six years on the OWASP global board of directors, three of those years as chairman. Prior to Twitter, Coates was the Director of Product Security at Shape Security. Before that, he was head of security for Mozilla, where he built and led the security assurance program to protect nearly half a billion Firefox users, Mozilla web applications, and infrastructure.