What to look for when hiring Security Talent: Hidden talents
- 25 October, 2018 09:18
Cybersecurity and ICT security talent is a highly sought-after commodity in today’s market, in Australia this seems to be driving up the cost for companies to actually obtain security talent. This is understandable considering the increasing level of breaches we are seeing worldwide, and this is not going to slow down anytime soon from what I can see.
So how can we find the talent we need to fill the thousands of positions that we need to fill in order to ensure that our systems are as protected as they can be?
Let’s first look at a problem which I stated in one of my previous articles You want a career in cybersecurity, are you crazy? In which I received a lot of feedback from my peers indicating similar beliefs and experience trying to move into a career in cybersecurity. Basically, the problem is many hiring managers and recruitment professionals are overlooking great candidates for positions in which they could be really great at for two reasons, one of which is a bit of a conundrum.
The first is due to candidates or budding cybersecurity professionals not having those coveted certificates such as CISSP or CISM. Now let’s lay this out, I understand for senior positions that this may be a requirement to solidify one candidate over another but for entry-level security positions is this realistically something that organisations can ask for?
Let’s review the CISSP cert just as an example as it is a regular requirement in security positions. With the CISSP you need to study and take the exam (which costs around $700 to sit) but to be awarded the cert you need to have 5 years of experience in one or more of the 8 security domains. If you don’t have the required experience you are only able to be awarded an Associate of (ISC)², you will then have a maximum of 6 years to gain the 5 years of experience to be awarded the CISSP.
So, if the CISSP, for example, is a requirement of a junior security position then how do you acquire the 5 years’ experience to get the certification if they won’t give you the position without the certification? Strange situation here, really need the cert to get the job but can get the job without the cert, I really don’t know how that one works but it doesn’t seem like an ideal position for the recruiter or the candidate.
That kind of brings us to the second reason for many being knocked back for positions and that is the lack of experience. For some reason companies want someone with 10 years security experience to fill junior security jobs (People with 10 years’ experience are overqualified). This is the conundrum I mentioned earlier, companies want someone with experience to fill junior positions that most applicants for these positions don’t have and the people who do have that level of experience wouldn’t even consider a junior position that is being offered.
This is a vicious circle that just won’t solve our problems, especially if we all stay on this same path and don’t look for candidates outside of the box. Now let’s dive into some things I personally feel companies should look out for that will give them a great candidate for a junior position not just industry certs or specific experience if you have already tried to get a candidate of that level and really need to fill the position.
- Interest in Cybersecurity – if a candidate has a strong interest in cybersecurity and can show they have been trying to educate themselves this to me shows that they will be a hard worker and really push to achieve the skills that is needed for the position.
- Programming or strong IT background – if a candidate has a strong background in either or both (both would be a unicorn – but it could happen) and they have that strong interest then they could become one of the best security professionals you have with some time spent in developing them.
- Industry certifications or formal training – in this situation you may have a candidate who can show that they have spent the time to complete training in areas of security and build those foundational skills that are needed to be able to successfully work as a junior in this industry.
- Participation in the security community – if a candidate attends meetups or is an active member in industry associations, doesn’t it show that they are trying to get involved and become an active participant in our industry. Candidates can learn a lot from the people they meet at these and I feel that we could all learn something from our peers no matter what our experience level is.
- Attitude and personality fit – I find this one to be very important and to me can be more valuable than experience or certification in many situations. If someone has that right attitude and will fit well with the current team they will connect and learn from them quickly. They will also not cause issues in a team that works well which can be a big problem in our industry with ego’s sometimes getting in the way.
Now don’t get me wrong this is not an exhaustive list and there are many more things that a candidate could need but I feel that if you find someone with these characteristics and you have a team in place that could help bring them up to speed quickly you should consider helping that candidate out. If you give them a chance to get into the career they have been really trying to get into they will be a loyal member of your team and not forget that help you gave them in the beginning.
I know this for a fact as I have been given similar opportunities in the past to prove myself in a position that I might not have been 100% qualified to do and I believe that it has worked out well for both parties. I was a loyal employee and worked very hard for the organisations I worked for, yes that doesn’t mean you stay with them forever or that every chance you take on someone will pay off but if you truly give someone a chance it could be the best thing you do all year or even the decade.
Now some of you may just dismiss my opinion but please truly consider what I have said and don’t do what you have always done, give someone a chance. Again, as I always say, if you don’t agree with my opinion that is fine, leave a comment and let’s start a conversation about this. We are all individuals and have our own views on things but we should keep an open mind and be open to others views.