The secret to building a future-proof cyber security team

by Joseph K. Clark

Every business is now a digital business. According to the UK Department of Culture, Media and Sport (DCMS), 96% of UK businesses have “some form of digital exposure”, offering cyber criminals more opportunities than ever. From the spectacular breaches that attract global attention to the everyday lapses, the cyber security threat landscape is evolving rapidly, with cybercriminals emboldened to strike at a world that hastily embraced digital technologies. ForgeRock’s 2021 consumer identity breach report revealed a 450% increase in username and password breaches, costing an average of $8.64m, partly attributing this increase to a lack of cyber security preparedness.

It’s a shame, too, because CEOs had been working hard to prioritize cyber security before the pandemic. Some 77% of businesses now treat it as a board-level priority, according to DCMS. But the changes wrought by the pandemic present business and security leaders with new challenges while exacerbating old ones. And perhaps the most persistent obstacle to achieving a sufficiently cyber-solid security posture has been building, retaining, and scaling cyber security teams. So, in today’s post-pandemic digital world, where cybercriminals see a feast of opportunities, what are the secrets to building a world-class cyber security function? I believe the three key elements are attributes, personality types, and expectations.


Hire for attributes, not experience.

The staff shortage of highly technical cyber security skills like secure system design is well-documented (see here and here). Still, something that is often overlooked by cyber security leaders is the importance of hiring for soft skills too. This is an area where there has been improvement recently – a Tripwire survey found that 21% of respondents rated soft skills as more important than technical skills.

However, it’s still common to find a business trying to build its cyber security team by chasing an elusive unicorn with 15 years of experience in the one domain it needs at that particular moment – for example, DevSecOps or intrusion detection – without considering the other skills it will need in the long term. That person may be the most talented specialist in that one domain, but they will need enough of that work to keep them busy and passionate, which is difficult in the fast-moving world of cyber security.

And hiring for the business of today does not equate to success tomorrow. Technology changes, threats evolve, and your cyber security technology base changes with them. Today’s technical standards will soon be out of date, so the most important attribute is the ability to problem-solve and adapt, so that people can respond to and overcome new challenges.

How do you keep someone happy when you have hired them for their attributes rather than to fill a skill-shaped hole? Ground your hiring within a three- to five-year roadmap. For example, if you hire a cyber security graduate, that person won’t want to be in that role for ten years. It’s up to you to create a plan to grow them professionally.

Use them in projects that will provide additional experience and skills, while looking for opportunities to match their existing technical skills to other projects. For example, have them shadow other team members. That’s how you retain talent: with a guided roadmap. And if you do need a single-aspect technical specialist, hire a contractor rather than a permanent employee.

Be sensitive to personality types.

Another trait that is often overlooked is emotional intelligence and personality types. This is changing – this year’s F-Secure survey of chief information security officers (CISOs) found that two-thirds understood the increasingly important role of emotional intelligence in helping them navigate the business. This mentality can, and should, apply across the cyber security team as it can fundamentally alter its cohesion.

Ensuring you’re forming a cohesive group will help ensure team members work well with others. Even if they have the most impressive CV, their way of working could be at odds with the team and may upset your team balance. No expertise can compensate for that damage, so making the right judgment call about how a candidate will fit into the existing ecosystem at the outset is just as important as sizing up qualifications to build an impactful team.

This is where CVs and many interviews are seriously deficient. You get zero insight into someone’s personality by reading through a sanitized list of experiences or asking their opinion of a security framework. So use interviews to get behind the veil, asking unusual questions to which candidates are unlikely to have rehearsed answers, to get an insight into who they are. I often ask, ‘What’s your idea of a good weekend?’ to determine how they prioritize things in life – and their willingness to answer questions honestly.

Be realistic about expectations.

Many graduates have been fed inflated ideas about the cyber security job market, creating the risk of a mismatch of expectations versus reality. As a result, it’s up to hiring managers to be clear about what a career looks like – at the same time as creating future development opportunities to help new employees’ careers progress.

The best antidote to unrealistic expectations is total transparency. Hirers should paint a detailed picture for the candidate of the reality new employees will face, including putting the salary in the job advertisement. In California, companies must tell applicants the role’s salary band if asked, but I don’t see any point in waiting.

Make sure these requirements align early in the recruitment process – it’s one of the most common hiring stumbling blocks, so don’t put it off. To check that they align with your geography and the seniority of the role, use Radford’s compensation benchmarks for due diligence. And combine this early realignment with a genuine commitment to long-term career progression. That way, even if graduates aren’t getting the glamour they were falsely promised early on, they know growth opportunities exist.

It may seem obvious, but scaling and strengthening your cyber security team and talent is a fundamental that many businesses still get wrong. Companies can’t afford a cyber security team of ineffective professionals in this climate – they will fail before they even start. But by hiring for soft skills rather than experience, being sensitive to personality types, and being upfront about role expectations, companies can shore up their defenses at a time of elevated risk and equip their teams to adapt for the future.
