How to Recruit and Hire Cybersecurity Professionals to Help You Win the Cybersecurity War

The field of cybersecurity is growing, but the pool of qualified candidates is not. Nearly every industry deals with labor shortage challenges due to the pandemic, the Great Resignation, and other factors. However, cybersecurity was already experiencing recruitment and retention problems. Even with new people entering the market, it would be remiss to count them all as ready for the cybersecurity war. So, how do you recruit and hire cybersecurity professionals in these times? And is technical prowess the only factor to consider?

The Cybersecurity Labor Landscape

To begin the discussion on recruitment and hiring, let’s look at some of the data on the cybersecurity labor landscape.

  • The shortage of cybersecurity professionals is 2.72 million globally.
  • As of June 2022, there were 714,548 total cybersecurity job openings.
  • 78% of decision-makers stated that it’s hard to find certified people.

So, it seems there is a tremendous opportunity for those that want to enter the field. Many employers welcome them, with 91% willing to pay for training and certification. Cybersecurity is an attractive field with the potential for high earnings and upward mobility. With such an appealing opportunity, you could argue that labor shortages will dwindle, especially as more digital natives enter the workforce. So, maybe recruiting and hiring cybersecurity professionals will get easier.

The risk of these presumptions goes back to the idea of qualification, which goes beyond technical skills. In fact, leaders said the highest skill gap in cybersecurity is people skills. This response demonstrates a needed shift from what makes someone a good hire for these roles.

So, why should you care about people skills if candidates have the credentials and experience? As I’ve learned in my decades in the industry, people skills should always be a priority for technical roles. Without these, cybersecurity professionals make crucial missteps based on their own hubris and over-confidence. They don’t communicate or collaborate, and that’s the real reason we’re losing the cybersecurity war. It’s the central theme of my book, The Smartest Person in the Room.

So, let’s talk more about people skills.

Why People Skills Matter in Recruiting and Hiring Cybersecurity Professionals

There are many stereotypes about those in technical roles. It’s easy to lump them all together as bad communicators, inflexible, stubborn, and difficult. Some of this is true, as technical folks often dismiss people skills as unimportant. Yet, they are so vital! Without people skills, these people won’t learn, grow, collaborate, or adapt, and those things are crucial in cybersecurity.

People skills matter because the war zone of cybersecurity isn’t just ones and zeroes. There are hackers on the other side who are deeply passionate about what they do, even though it’s illegal and immoral, to say the least.

Your cybersecurity team needs to have that same passion, which comes only from people skills. The most adept technical professional can be a bad hire when they come up short here.

These are the people skills I think are the most critical:

  • Empathy: When someone can understand another’s perspective, it makes them better at their job. They can comprehend someone’s mental state and what that might mean, whether that’s a coworker or a criminal on the other side.
  • Communication: This is the number one people skill for cybersecurity candidates. It’s the core of how we operate. Being a great communicator doesn’t mean you say whatever comes to mind. Rather, it balances expressing thoughts wisely with being an excellent listener. Successful interactions within the team and with other stakeholders are imperative to avoid miscommunication and misconceptions, which are the leading causes of cybersecurity failures.
  • Adaptability: Cybersecurity is a dynamic field, so those working in it must adapt quickly and be willing and open to change. A lack of this people skill could sink your cybersecurity operations.
  • Vulnerability: Being vulnerable is really about being honest and having trust. You’ll have to create a safe place for people to be vulnerable, where no one is scared to be wrong. Making this part of your people skills list can provide an ideal environment for solving cybersecurity challenges.

Gauging these people skills is much more complex than testing technical ability. There are many candidates out there masquerading as qualified applicants. They may be, on paper, that is.

Avoiding Hiring Paper Tigers

Paper tiger is a term in the industry that originates from the Chinese phrase zhi lao hu (纸老虎). In the technical world, it simply means that people look good on paper—resumes with an extensive list of certifications, for example. Yet, they lack the skills, experience, and expertise to succeed in cybersecurity.

Candidates like these will land in your inbox. You may not be able to spot them at first glance. So, you’ll have to draw conclusions based on interviews and conversations. Here are some key things to consider:

  • Where did they earn certifications? Not every organization that provides credentials is a “cyber mill” that takes in money to deliver the certification. The most legitimate and credible are the practical, scenario-based exams from CompTIA and EC-Council.
  • How do they speak about their work experience? Not every applicant will have multiple years of experience, and you shouldn’t discount those new to the field. For those that do, you’ll want to hear about specific projects or responsibilities. Someone who uses a lot of jargon and buzzwords and talks in the abstract is likely a paper tiger.
  • What motivates them? Different people have different reasons for working. Money is at the top of the list. It’s not necessarily a red flag for those who are money motivated. After all, we’re not working for free. However, you’ll find that those who desire meaningful work (roles that are fulfilling), a collaborative team, and being part of something bigger will rank highly on people skills.
  • What kind of people skills do they exude? Ask questions that tie into the people skills described above. You can even “score” their people skills with assessments like TriMetrix® HD.
  • Is their knowledge book-based or experience-based? This evaluation concerns your defense posture and whether someone can react in the real world where stress and pressure exist.
  • How big is their ego? Ego can be a detriment to cybersecurity when your employees believe they can never be wrong. They will be wrong eventually and many times over. If their ego doesn’t fit through the door, it won’t fit on your team, either.
  • How do they work? Someone’s approach to the day-to-day matters, and you want to see someone with focus. Ideally, in cybersecurity, your employees should be mono-taskers (the opposite of multi-taskers). That undivided attention is necessary in the high-stakes world of cybersecurity.

Now that you know what people skills are critical and the steps to avoid paper tigers, I’ve got a few more tips for recruiting and hiring cybersecurity professionals.

Final Takeaways on Recruiting and Hiring Cybersecurity Professionals

  • Look to past hiring decisions as learnings, whether they turned out good or bad. Even as you evolve how you hire and recruit, you won’t always make the perfect hire. If you can learn from the past, you’ll be better prepared for the next hire.
  • Treat the interview as a conversation. You want to learn about the candidate, and they need to find out about the organization. Making these interactions rigid and controlled is a disservice. That’s not how things play out in the real world, so don’t treat this like an inquisition.
  • Don’t sell your organization short by filling the chair with anyone. A chair occupied by a paper tiger could cause more chaos than harmony. Don’t rush the hiring process because of these feelings. It’s always better to wait for the right person than make do with someone who isn’t.
  • Be sure the candidate fits your culture. When there’s misalignment here, the hire often becomes turnover. Talk about the culture of the organization and your department to discern how they’ll fit in with your organization. The assessment discussed earlier can help you determine this, too.
  • Be wary of job-hoppers. I typically screen these people out, but it’s not a rule without exceptions. They may have shorter tenures because of things outside of their control (layoffs, relocations, and the like). Anyone who has tried to hire cybersecurity professionals knows job-hopping is rampant. Consider the circumstances and context, then exclude anyone that looks like a risky hire.
  • Remember that people skills are teachable, and you can help your team develop them. That’s the sentiment behind the Secure Methodology, a seven-step guide to advancing technical folks from two-dimensional stereotypes to fully engaged and highly communicative team members. Of course, your staff has to be open to change and growth for this to work, which is one more reason to look for those with high potential for people skills in the hiring process.

Get more tips and strategies on how to build a team of cybersecurity professionals to help you win the cybersecurity war by reading my book, The Smartest Person in the Room.

The Truth About Cybersecurity Certifications

Almost every industry has certifications. Some carry more weight than others, but it’s clear there’s a trend of over-certification in cybersecurity. Most cybersecurity certifications aren’t hard to obtain and thus are not an illustration of someone’s expertise. The industry is creating many paper tigers — someone who claims to have knowledge but just passed a multiple-choice test to earn a certification.

The Certification Structure Is Failing Us

The explosion of paper tigers in the industry is setting businesses up for cybersecurity failure. The bar for earning certifications has become dangerously low. Equally concerning is that there are no specific regulations on training or hours for cybersecurity professionals. In contrast, skilled trades require a certain amount of training hours, apprenticeships, and more. That’s a problem because those that are in place to protect one of your company’s most valuable assets — your data — aren’t ready to be in that position.

Certifications Do Not Equal Quality Talent

For many years, the industry has been buzzing about the lack of talent; there weren’t enough cybersecurity professionals to feed the demand. With this alarming message, certifications in the field became like a golden ticket to employment. The industry needed an influx of talent. Unfortunately, certifications do not equal quality talent. IT leaders, however, believe that certifications bring value. They do at times, but it’s risky to put so much emphasis on a few letters.

They are merely Band-Aids placed on the problem of putting effectual people into roles. Hiring demand was high, and certifications suddenly became what every hiring manager was seeking.

The proliferation of certifications is a cause-and-effect situation. Technology innovation and advancements required more professionals in the industry. Then there was a talent gap or a lack of people in the field. In turn, organizations promoted certifications that would give anyone a prosperous career path — except most certifications don’t test for knowledge, rubber-stamping individuals to increase the number of certified professionals. More education, however, isn’t the answer either.

College Degrees Don’t Solve the Talent Gap Either

The next logical answer to the talent gap is college degrees. Because surely, those graduating from university are prepared for the world. We know that’s not the case, as many graduates walk out into the real world and find themselves lost.

If every company required a four-year college education to get a job, there would be fewer candidates. But those candidates aren’t always going to be qualified. That’s because the university model has its own shortcomings, especially in the technology realm.

Think about how fast cybersecurity is changing. Every day, there are new attacks, each one more complex than before. It’s hard to capture all this movement in a textbook. How could a professor keep pace with this, especially one that’s not in the trenches? Frankly, there are a minimal number of capable professors with real-world experience. So, it’s all theory, and that’s what they teach. Theory very seldom equals reality.

Even applied sciences universities, which aim to be more practice-oriented, don’t adequately prepare students for a real job in cybersecurity. I was a cybersecurity professor at a university and attempted to bring practicality into the lessons. I framed my classes as real scenarios, leaving the books behind. I was trying to lead with practical knowledge, except the students complained and said it was too hard.

This experience proved to me that cybersecurity students wanted an academic degree, not a practical one. They either lacked passion or had no cognition of what cybersecurity work really is. Maybe Hollywood movies about hacking influenced their field of study. And that portrayal of the industry is anything but realistic.

What I learned from this was that the university system, like the certification one, is broken. Higher learning is not preparing students for the day to day of cybersecurity careers.

Hiring Practices Need to Evolve, Too

The other part of the cybersecurity certification and degree problem is hiring practices. Certifications are given far too much gravity over having useful hard and soft skills. Industry experts are aware of the over-certification, giving little importance to those pieces of paper. However, mainstream corporate hiring managers still give credence to the fact that someone passed a test, for which they could have easily memorized the answers.

Applicants then quickly update their resume and soon land a job in cybersecurity. Cybersecurity teams then become overrun by paper tigers. These individuals don’t have the skillset or experience to face the many challenges of the cybersecurity war. They are up against a more sophisticated army of hackers with a much higher acumen than those on the front lines protecting your organization.

The cycle continues. These paper tigers then hire more unqualified people. A paper tiger isn’t going to bring on someone that knows more than they do because they need to be the smartest person in the room. So, yes, the bar’s that low.

A disruption to the cybersecurity certification system needs to occur. Companies can push back on the certification ecosystem by requiring that certifications be practical.

The Shift to Practical Cybersecurity Certifications

So, how do we turn things around and be real about certifications while also improving them? The first step is to emphasize practical certifications.

Even though I believe there is an over-certification issue in the field, and most are worthless, I’m not counting out all certifications. The industry of training and companies hiring cybersecurity professionals needs to shift to practical certifications.

Practicality is not acing a multiple-choice exam. It’s functional and puts students in real-world scenarios to respond. As someone that holds over 25 certifications, I have a good idea of which ones are actually proof of expertise, and those are few.

Some certification bodies are evolving and doing it right. I’d be remiss not to call out some of the companies helping to fix the cybersecurity talent problem.

CompTIA offers cybersecurity certifications that combine hands-on experience and performance-based and multiple-choice questions. Their curriculum stays up to date on what’s happening in the field, focusing on techniques to combat new and emerging threats.

Their PenTest+ certification includes the elements discussed above and the management skills necessary to scope and manage weaknesses, not just exploit them.

The International Council of Electronic Commerce Consultants (EC-Council) is the world’s largest cybersecurity technical certification body. They have developed several well-known and respected certifications:

  • Certified Ethical Hacker (CEH)
  • Computer Hacking Forensic Investigator (CHFI)
  • Certified Chief Information Security Officer (CCISO)
  • Licensed Penetration Tester – Master (LPT Master)

The National Security Agency (NSA) and the Committee on National Security Systems (CNSS) endorse their programs, and they have accreditation from the American National Standards Institute (ANSI).

The CEH program, which I think is one of the best, is an immersive class that includes 24 hacking challenges across four levels of complexity, covering 18 attack vectors. It’s a real hands-on practical learning experience. The practical part of the exam would be unpassable for paper tigers. You can’t memorize how to apply techniques to scenarios. It requires critical thinking and knowledge.

If you’re looking for a certification that translates into a cybersecurity job, the CEH should be at the top of the list.

Fixing the Hiring Practice Problem

The first thing any company should do regarding hiring is to let go of the fallacy that a certification is a mark of expertise. You need to have a broader view of what certification means. Simply put, was it a practical or a multiple-choice test?

Even if the person has a long list of certifications, this still isn’t a sign they have the skills you need. If you want to know whether the candidate has the knowledge you assume comes with these certifications, ask the right questions. If their answers bear that knowledge out, you can feel more confident in the worth of those certifications.

The next part is to focus more on hard and soft skills. Hard skills align more with certifications and degrees. They are also testable. You can quickly discover if they have these. Soft skills are harder to gauge. You’ll learn that soft skills are often more valuable. They include being a good communicator and collaborator. Others are a willingness to change and evolve, staying curious and perceptive. In the end, they are people skills, and that may be the real skills gap in cybersecurity.

People Skills Are More Impressive than Certifications

Helping cybersecurity professionals enhance and grow their people skills could be the answer to winning the cyberwar. It’s not an easy proposition, but it’s possible to transform your employees (if they have the right mindset) and build their people skills. That’s the heart of my book, The Smartest Person in the Room. Read it today to learn more about cultivating your people.