Rethinking Cyber Talent: Take a New Approach to Recruiting


Executive Blog
Written by Steven Aiello, Security & Compliance Practice Director (CISO), AHEAD
Edited by Kara Bobowski


FEBRUARY 23, 2023

From the Great Reshuffle to the Race for Talent, there is no question that recruiting talented employees is a hot topic across all business functions – but perhaps even more so in cybersecurity. CISOs have been articulating the need for more security professionals for several years, and as the pace and nature of cyber attacks rapidly change, the need for skilled workers only seems to grow. 

According to a CBS News report, there are almost 500,000 unfilled cybersecurity job openings in the US today. Finding and retaining security talent is a frequent topic across Evanta CISO communities. Here, Steven Aiello, Security and Compliance Practice Director (CISO) of strategic consulting company AHEAD, and member of the Detroit CISO community, shares some key takeaways about an unconventional approach he spearheaded at AHEAD to build their pipeline of talent in cybersecurity.
 

Why Talent Development Is a Hot Topic in Cybersecurity

With such a strong demand for candidates, the cost of a good cybersecurity engineer or architect is growing by the day. This is especially true in niche cybersecurity spaces, such as application or cloud security. A business partner in Chicago recently told me that he was looking for a cloud security architect and was paying north of $450,000 a year! We are truly seeing the effects of low supply and high demand.

Cybersecurity has also become more complex, and there are more risks to mitigate. Organizations are moving to the public cloud, and we have a workforce that has become mobile first and is working from anywhere. The “perimeter is dead,” as they say, and Covid killed it.

Because of this new business operating model, organizations must now contend with struggles that weren’t as pronounced three years ago. Securing roaming endpoints, managing secure application delivery, and managing data governance on devices that aren’t owned by the corporation all add to the complexity. In short, over the last three years, not only did the demand for cybersecurity talent explode, but the areas cybersecurity professionals have to cover evolved rapidly. It’s nearly impossible for businesses – or educational programs – to keep up.
 

The Unique Recruitment Pipeline at AHEAD

Our recruitment pipeline started like most organizations:

  • Interns out of college
  • Scouting for talent on LinkedIn
  • Referrals from friends and family
     

What we found is that many people from the traditional recruitment channels weren’t meeting the qualifications we were seeking. After months of poor candidates from LinkedIn and students who were underqualified, I decided to go where the people are. I asked myself: “Where are people who are really passionate about cybersecurity hanging out?” The first location that came to mind was Reddit. Conventional? No. Effective? Yes!

I hired my first employee from Reddit roughly two years ago. He was a machinist with no degree, but he had rock-star-level Python skills and a solid understanding of cybersecurity. He became one of the fastest learners on our team. The second person I hired was new to the IT field and had no formal information security job experience, but again, he had a strong drive to learn, and cybersecurity was his passion. Within 90 days, he was performing at an exceptionally high level.

When I post to various forums or subreddits, I will usually get 100 applicants within a 24-hour timeframe. This allows me to be selective about who to bring on board.
 

“Identifying talent that spends their personal time learning about cybersecurity has been a massive boost to our recruitment pipeline.”


What Prompted a New Approach to Recruiting

The new approach was prompted by my experience dealing with standard recruiting channels. I sit on the advisory board for two higher education institutions, and neither of them is keeping up with the skills required for cybersecurity. I have interviewed students graduating with master’s degrees in cybersecurity who can’t articulate how to properly manage vulnerabilities.

The people who are truly passionate about cybersecurity don’t seem to be spending time on LinkedIn looking for their next role. Usually, they are spending time teaching themselves about cyber, so I had to find them.

In addition, salary expectations for students graduating with a cybersecurity degree were not in line with the value they were bringing to our organization. I had to find individuals who were eager to learn, not necessarily ones with degrees. Getting a degree is expensive, so graduates are necessarily looking for high-paying roles.
 

3 Lessons Learned and Key Takeaways for CISOs

  1. Ditch the college degree requirement. Unfortunately, right now information security moves too fast for colleges to keep up.
  2. Hire for attitude and aptitude, and then create a training budget to develop talent.
  3. Think outside the standard recruiting “box.” Find the places where cybersecurity self-learners are spending their time, and recruit from those places.


I would encourage other CISOs to think about hiring junior software developers if they have a strong background in Python. Everyone should be thinking about security automation right now because budgets are only going to get tighter. A low- to medium-tier Python developer is a lot less expensive than a cybersecurity engineer. Someone who knows how to write code can automate all of the repetitive tasks that burn through a security operations team’s cycles. Automating some of the routine, low-value work will allow the team to focus on the bigger picture. 

To learn more from security peers and participate in discussions on topics most relevant to CISOs, find your local Evanta CISO Community and join today.