Paper tigers may be scarier than the real thing because they are killing the cybersecurity industry. The concept comes from the Chinese phrase “zhi lao hu (纸老虎),” and it has significant importance in how successful a cybersecurity team is. Unfortunately, there are a lot of these people out there, so you’ll need to be vigilant to avoid hiring paper tigers.
In this post, we’ll define the term, explain how it relates to cybersecurity, and share critical tips to ensure you skip over these folks.
What Are Paper Tigers?
As noted, paper tiger is an English translation of a Chinese concept. Zhi lao hu refers to a person or thing that only appears to be powerful but, in actuality, is ineffectual and unable to overcome challenges.
A modern interpretation is that people look “good” on paper but don’t have the skills, experience, or expertise to perform as expected. In most cases, paper tigers also have a deficiency in interpersonal skills.
Another aspect of the paper tiger is that they are in it for the money. It’s not to say that people shouldn’t be paid a fair salary for their work. It’s just that when people are driven solely by this, they have a very self-centered view, and that can be disastrous for cyber teams. Ultimately, it’s ideal to have employees that care about making a difference and what to contribute.
Another explanation of the term is to consider that tigers are naturally solitary animals, unlike lions that have prides. If someone has the attributes of a tiger, they likely aren’t great collaborators and communicators. Both these people skills are critical for cybersecurity teams.
So, how did paper tigers infiltrate the cybersecurity industry?
The Rise of Paper Tigers in Cybersecurity
Based on my experience and research with paper tigers, I can identify several trends that got us to this place. It’s a key component of my book, The Smartest Person in the Room.
The trouble began when training and education for cyber professionals pivoted toward tests that rely on memorization versus practicing the skill. Gaining certification isn’t the magic ticket to winning the cyber war.
Some certifications are easy to obtain. Those responsible for this area of the field have made it too easy for some. All they need to do is pass a test of multiple-choice questions that they can memorize. That doesn’t really translate to the real world, as incidents don’t present you with four options to avert a breach!
Those tests often focus on theory, not practice. They earn this “badge,” and then these folks get jobs. That’s when things turn bad. The bar is too low on many of these certification courses. But it’s not all courses. Certifying organizations like CompTIA and EC-Council are the real deal if you take the practical or scenario-based exams, rather than just multiple choice exams. These test the practical aspects of cybersecurity instead of just theory.
Another issue is that paper tigers often find ways to cheat cybersecurity exams. Cheating devalues the certification and can cause everyone to question its validity.
Spotting the Signs of Paper Tigers
So, how can you avoid hiring paper tigers? They aren’t always easy to identify in the wild. You’ll be able to gather some data from resumes, so that’s the first place to evaluate.
Scrutinizing Certifications and Education
It would include their earned certifications, which will either boost your interest or negate it. As noted, CompTIA and EC-Council have more credibility than others. If the person has a whole list of certifications, they could be a red flag, too, especially if their experience is brief.
The alternative to certifications is a college degree. Many think a degree is superior to certifications or experience. If you make this a requirement, the talent pool will shrink even more. A four-year degree isn’t something to discount. It’s an accomplishment, but it doesn’t mean they are cyber-ready.
Most degrees lean on theory versus practice. Additionally, the classroom can’t keep pace with the real-time changes in the field. What they learn from a book could be obsolete when they start their career. You can give more credence to those who graduate from universities of applied science. These programs are more practice-based.
How they look on paper will also depend on their experience. Younger applicants may have limited real-world exposure. You shouldn’t discount them just because of that. Others may appear to have a wealth of knowledge based on how they present what they did. For those that have any types of metrics or accomplishments listed, they likely have valuable experience.
Dropping Rigidity in Hiring Practices
If your ideal candidate fits only inside a very small box, you’ll have recruitment challenges. Relying on rigid industry standards and education requirements doesn’t mean the quality of applicants will improve. Worse, if you put such an emphasis on these things, you could inadvertently hire paper tigers. After all, they certainly look the part.
Interview Tips To Identify Paper Tigers
When it comes down to the interview, that’s when you can weed out paper tigers. Your approach and style will be critical here. You want to understand their experience, knowledge, and people skills.
That often involves providing them with situations and asking how they’d respond. It’s not just the technical steps they’ll take but also how they would communicate and collaborate. A lack of this in their answer could reveal them as paper tigers.
Ask their opinions on cybersecurity trends and noted incidents. Can they tell you what possibly went wrong? Again, it’s not solely about the technical missteps. Those with a true passion for cybersecurity will have the perspective of explaining holistically why the breaches occurred.
Screen for People Skills
The last part of how you assess candidates should focus on their people skills. You’ll want to ask them questions that demonstrate their passion for the industry. Pose situations to them and how they would handle them with communication and collaboration.
Paper tigers will struggle with these questions. Their answers can be very telling of how they would handle incidents. If you don’t feel confident in their people skills, then their technical aptitude or education isn’t going to matter. Conversely, if they tell you stories about how they collectively solved problems and improved performance, you’ve found a great new employee.
You can also request that candidates take assessments that “score” their people skills. We use the TriMetrix® HD assessment, and it evaluates:
- How people behave and communicate
- Why people move into action
- What personal talents they have
- Which competencies they have mastered and to what degree
What you can glean from this will help you avoid hiring paper tigers. It will ensure a cultural fit. When someone doesn’t fit your culture of highly communicative and collaborative work, it doesn’t matter how smart they are. They’ll cause chaos and disrupt your team for all the wrong reasons.
Don’t Cave to Hiring Paper Tigers Because of Labor Challenges
Labor challenges are a concern for every organization and industry. Without skilled workers, it’s hard or impossible to meet goals. Acquiring talent is a major concern for tech companies. A CNBC poll found that 57% of tech executives said finding qualified talent is their biggest challenge.
If you’re feeling that same pinch, you might think just having a warm body in the chair is better than nothing. You may overlook those paper tiger signs because, again, they look great on paper.
The consequences of letting these people on your team are much worse than having vacancies. Paper tigers can cause havoc in several ways.
How Paper Tigers Can Cause Chaos
Before you succumb to hiring someone who might be a paper tiger, consider the turbulence they can create:
- Their knowledge is book-based, not experience-based, so they don’t know enough to help with cybersecurity defense. Yet, they may be in a position to control, plan, police, and train. That can be detrimental to your defense posture.
- They’ll bring on more paper tigers because they want someone “like them,” so there’s no threat to their egos. They will always choose to hire those with less knowledge than them.
- A lack of passion means they are complacent. They don’t want to grow, evolve, and learn. They’d rather keep things at status quo so they can keep drawing that salary. They’ll work on being competent enough but won’t be motivated to do more.
- Poor communication skills will cause strife and antagonism within a team, rendering them ineffective. As a result, you’ll be much more susceptible to cyber threats.
Hire Smarter and Dodge Paper Tigers
Hiring for cybersecurity roles can be a complex process. You may sift through many resumes until you find a person that looks like a good fit. Keep the tips and information shared above at the forefront so you can hire smarter and avoid paper tigers. That may mean the process takes longer, but your organization will be stronger in the long term with the right people.
Get more tips on hiring and developing your cybersecurity staff by reading my book, The Smartest Person in the Room.