Hiring practices are different for every field, and for cybersecurity professionals, there are many opinions. In a growing and evolving industry, some standardization exists, including a significant focus on certifications. But do certifications equal talent? Not always. As a cybersecurity leader with years of experience building teams, I want to teach you how to hire cybersecurity professionals so they and your organization can be successful.
The Failures in the Hiring Process
The number one failure by cybersecurity hiring managers is the blindness around certifications. Certifications should illustrate skillsets and experience; however, as I write about in my book, The Smartest Person in the Room, that over-dependence leads to retaining paper tigers. Paper tigers are the folks that look great on paper but aren’t ready for the real world of cybersecurity.
Why Certifications Don’t Hold Too Much Weight
The problem with cybersecurity certifications is that structure isn’t conducive to training people to be job-ready. The design of many is a quick multiple-choice test, which anyone can memorize. It’s not like a skilled trade, requiring hours of training or apprenticeships.
The rush to earn certifications accelerated because of the constant call of a lack of talent in the industry. That is certainly true, but many saw it as an opportunity to have a piece of paper that would lead them to a lucrative career.
Most certifications don’t test for practical, real-life skills in cybersecurity. Some are credible and mix hands-on experience with testing, such as CompTIA and EC-Council. So, if you’re going to look at certifications, investigate what they really mean about that candidate’s acumen.
Hard and Soft Skills Matter
Another area to discuss in hiring cybersecurity professionals is seeking a broad skillset. Cybersecurity is a technical field, so the person you’re interviewing should certainly understand:
- Penetration testing
- Ethical hacking
- Incident response
- SIEM (security information and event management) tools
- Audit and compliance rules
- Malware
- Device management
- IAM (Identity and Access Management)
These are all essential hard skills. Certifications and job experience can offer evidence of these. The questions you ask can as well (more on this in the best practices section).
However, don’t focus solely on hard skills. There are lots of great candidates out there that might fall short on an exhaustive list of technical prowess. If they have soft skills and an open mindset, they could be an excellent hire.
These soft skills should be on your radar when hiring cybersecurity professionals:
- Leadership qualities: Gauge their ability to lead, no matter their career level. Cybersecurity is an intense field and having leaders on your team means they look at the big picture strategically.
- Passion: One of the things most lacking in cybersecurity teams is passion. I firmly believe that the enemy — hackers — are deeply passionate about what they do, and that’s why they win a lot of the time. If you can find people that have a fire in their gut to learn and grow, they will care very much about keeping your data safe and secure.
- Collaborative: Cybersecurity professionals shouldn’t work in silos. There are many specialist roles within the field, so it takes a team to execute a strategy and remain vigilant. Lean toward those applicants that appreciate collaboration and want to work in that kind of culture.
- Communicative: Communication can be challenging for technical professionals. It’s a bit of a stereotype but also true. Being a good communicator isn’t about being articulate or having a large vocabulary. Rather, it means someone is a good listener and that they use communication to understand, show empathy, and work together. There are many ways to foster communication skills for tech folks, and I talk about this a lot in my book.
- Curious and inquisitive: Cybersecurity professionals should not be afraid to ask questions. Only through these can they determine the organization’s needs and challenges around security. Some people don’t ask questions; they make assumptions. It doesn’t mean they aren’t talented. In fact, much of the time, those in this situation learn this from life experience. Having a curious nature is a great trait for cybersecurity candidates, and you can assess by the way they interact and if they actually ask you questions during the interview.
- Empathy: Empathy is an attribute that’s an asset in every job. I find it’s constructive in cybersecurity because it enables people to be in the shoes of another and see their perspective. People who can do this can go far in their careers. There’s no substitute for empathy in professional or personal relationships. You can evaluate this characteristic by how the candidate talks and frames situations.
These are outlines of hard and soft skills and not an exhaustive list, but they are good points to consider as you rethink how to hire cybersecurity professionals. Next, I’ll share some best practices for hiring managers.
Best Practices for Cybersecurity Hiring
Whether you’ve been a cybersecurity manager for years or are just starting, this advice can support your recruiting efforts and help you avoid hiring unqualified people. Because once you do, it can become a bad cycle. Ultimately, you want to hire people that have the right skills and fit your culture. Success for all should always be the goal.
Recognize Past Mistakes
If you’ve been recruiting for some time, I would first recommend recognizing past mistakes. We’re all human and make mistakes. What’s important is we learn from them and do better the next time. The reality is that bad hiring hurts everybody. Turnover costs your company real money, and the effect of hiring candidates that are lacking could lead to expensive errors. So, face your past gaffes and go forward without those dragging you down.
Have Real Conversations with Candidates
An interview is a chance for the candidate to sell him or herself. Most interviews are very rigid with detailed questions or checklists. I’m not saying you should toss that out, but this is your chance to get to know the person and vice versa.
Having a natural conversation that touches on who they are and what they know will allow them to feel less nervous and be vulnerable. They may be more honest and introspective, and you can learn a lot about somebody when this happens. You’ll never find that on a resume.
Use an Assessment Tool
In my company, I use the TriMetrix HD. Such a tool allows you to discover important things about an applicant:
- How they behave and communicate
- Why moves them into action
- What personal talents they have
- Which competencies they have mastered, and to what degree
These aren’t technical tests. They give you insights into soft skills. It’s a good next step in the process after you determine they have technical acumen.
Screen Out Job Hoppers
I typically eliminate job hoppers from the applicant pile. This is not a finite rule; some people with multiple shorter job histories may have been the victim of layoffs or acquisitions. However, in the field, it’s rampant. Most of the time, if somebody is changing jobs every six to 18 months, it’s a red flag. If that looks to be the case, you should probably move on to others.
Don’t Rush Hiring
In many cases, the need to hire cybersecurity professionals is urgent. You needed somebody yesterday, but don’t let that guide you. You’ll make rash decisions that may not pan out just to have a body in a chair. Instead, have a strategic plan that will lead you to the right people. It will take longer, but it’s worth it in the long run.
Ensure Candidates Align with Organizational Values
Most companies, big and small, have a set of company values. Hopefully, these are more than in name only. Your values create your culture. The expectation is that your employees live and respect these.
You can ask candidates questions about your values. Talking about your culture and its attributes with the person should also give you insight into if they believe in them. You can find someone with amazing tech skills, but the employment will likely not last if they aren’t a good culture fit.
Seek Out Those with Great Focus
Monotasking is a pillar of my Secure Methodology, a framework for nurturing and fostering cybersecurity professionals to have better habits and behaviors. Monotasking is the opposite of multitasking and requires focus, which is very important in cybersecurity. You can tell a lot in body language about focus. Another way to assess for it is to ask them how they work. Those who see the value in monotasking could be great team members.
Cybersecurity Hiring: Get It Right So It’s Mutually Beneficial
Cybersecurity hiring can be challenging. There are many considerations — things to do and not to do. Focusing on hard and soft skills, deprioritizing certifications, and implementing these best practices can help. You can learn more about my hiring advice and the Secure Methodology by reading The Smartest Person in the Room.