“We can't find enough good cybersecurity employees; we're going crazy!” And yet, are you still searching and hiring the exact same way you always have? Albert Einstein is widely credited with saying, “The definition of insanity is doing the same thing over and over again, but expecting different results.”
Step 1 - Spend more money and take more time to find the right candidate.
I see many organizations doing cost-cutting while trying to find top-notch candidates. Just how badly do you want these people anyway? This isn't the time to be doing that.
Step 2 - Improve your needs analysis.
I often hear people say, “We've already done this; that's how we lay out our job request profile.” But you need to re-examine your criteria carefully: did you make some criteria MANDATORY instead of OPTIONAL when they really don't need to be? (See Step 3) Are you really *weighing* NEED versus WANT? Or are you just scanning down the resume looking for the first unmet, possibly erroneous need, making the screener's job easier by killing off as many resumes as possible? Do a realistic needs analysis, disrupt the standard job request template, disrupt the process, disrupt the people, and “Make It Better”.
Step 3 - Use people to find quality people.
What if I told you that upwards of 75% of your candidates were being blocked by a program/application and no human was in the loop? Stop using automation for cyber positions. Only PEOPLE can properly ferret out good cyber personnel qualities and separate the “wheat from the chaff.” Automation merely verifies checked boxes and can kill off some of your best prospects. Do you often say, “But that costs more money!”, or “It takes a lot longer!”, or “I don't want to use recruiting firms, they cost too much.” (See Step 1)
Step 4 - Get more candidate context.
Don't just hop on LinkedIn and do a quick scan of their profile or a once-over of their resume. READ the cover letters, do some Google searches, and ask around. If you already have a cyber person who can do OSINT (Open Source Intelligence), use that.
Step 5 - Adjust your resume expectations.
Are you looking for that “cyber genius” who can do awesome “low-level” work but should never be put in front of a customer? Will that person know how to craft that Nobel Prize-winning resume that screams “I'm the ONE”? The savant you're looking for may be very one-dimensional, so don't expect scintillating CV prose. Adjust your expectations.
Step 6 - Use more job context.
Who should be reviewing this candidate's potential? Human Resources? A hiring manager who primarily knows how to “herd angry cats”? Or the people either currently doing the job or directly related to the job? If you perform Step 3, perhaps you'll find that you're rejecting valid candidates because the people doing the evaluation don't know what's important.
Step 7 - Analyze your rejections.
Did you “ax” someone you shouldn't have? Find out why you're rejecting people. (See all 7 Steps above.) That alone may disrupt your current failure pattern.
Are you having problems finding great cyber people? Maybe it's time to “disrupt your hiring process” instead of just using “disrupt” as a catchy (albeit dated) marketing buzzword. I'm NOT suggesting you should do this for all recruiting/hiring, only for cybersecurity personnel and possibly other high-value positions which are inexplicably difficult to fill.
Cameron Matthews, vCISO & Sr. Security Consultant