Assembling a strong, productive and skilled cybersecurity team is a challenge at the best of times. Cybersecurity leaders must juggle a myriad of factors including culture, skillset, ability to learn and the immediate needs of the business, alongside additional factors such as budget and the availability of people.
Building cybersecurity teams is difficult. Finding people with the skills we need is hard because demand for specific skills frequently exceeds supply, both inside the organization and in the wider market, and employers face intense competition for good candidates. To build a good cybersecurity team we therefore need to break from the traditional approach: advertise a job description, wait for applications, shortlist a handful, interview, make the offer.
Rethinking the Team Assembly Approach
Hiring managers and HR can be forgiven for beginning with a less than effective approach when defining the type of person needed, particularly in the days of AI, where few can resist the temptation to ask an AI engine things like: "Write a job advertisement for a SOC analyst". The output will almost inevitably be a generic job description that omits many of the characteristics and skills the organization actually requires, because the tool knows nothing about the organization's risks, systems or existing team.
Instead, we should take the same approach we take to other IT and cybersecurity problems: begin by examining our requirements, our critical cybersecurity risks and the problems we are trying to solve. Where possible, borrow a business analyst from the mainstream (that is, non-cybersecurity) IT team and ask them for an independent view of what the cybersecurity team actually needs. It is surprisingly common that very few of the requirements discovered are cybersecurity-specific: we have data that needs analysis, problems that need logical deduction, management reporting needs, gaps in user knowledge that we need to fill, and so on. All of this means that we do not need to confine our search, and hence our job advertisement, to candidates with a mainstream cybersecurity background.
The other misstep to avoid is assuming that recruitment partners, whether external agencies or, in larger companies, internal recruitment teams, can simply be instructed to find someone and left to get on with it. Recruiters know how to find candidates, but they will look to the cybersecurity leader to fill their knowledge gaps and to handle the questions prospective team members ask about the role. It is therefore essential that cybersecurity leaders building their teams spend as much time as they can collaborating with the recruitment specialists.
On top of this, there is nothing to stop leaders taking an active part in recruitment themselves, using channels available uniquely to them to make their organizations known. Leaders have access to the independent directors of the business (U.K.-based readers will know them as "non-executive" directors), who typically sit across many organizations and have large contact networks we can draw on. Local chapters of professional bodies are often looking for speakers for their events: if we take part, we will be forgiven for dropping a subtle hint that we are hiring. Even the post-event drinks reception after a conference is an opportunity to use our networking skills to pass the message that we are looking for good people with specific skills.
Keeping Good People and In-Demand Skills
So, we have opened out the definition of the type of person and the skills we need, increasing the potential talent pool from which to draw. We have done everything we can to maximize the number of channels through which we pass the message. There is one more essential consideration: retention. After putting vast amounts of effort into recruiting the right people, with the right skills or the basis to develop those skills, if they stay only a few months and then leave, that effort is wasted and the disruption is expensive.
Rapid turnover can be a sign of burnout. Burnout is estimated to be the reason up to 35% of people leave cybersecurity jobs, though professionals leave for many other reasons, from being bored to having no visible upward career path. At the very least, then, cybersecurity leaders must work with the senior team to identify ways to engage staff and to ease the task of retaining them. This does not mean one-size-fits-all things like Friday evening beers, team-building days, inter-team bowling tournaments and the like. We need to consider, for example, that some people have children to put to bed, and that a team is likely to include neurodiverse colleagues with a variety of preferences for how they engage. There is not always an answer that fits everything: promotion paths cannot be created from thin air, and some people simply do not enjoy team or social events. But doing nothing is also not an option.
Of course, we are likely still to need specific individuals with stated cybersecurity-specific skills, certifications such as the CISSP, several years' experience in key roles and so on. Where we do, the techniques discussed in this article can at least help us recruit those people. For the rest, leaders should embrace the opportunity to attract people with different backgrounds, potentially with little or no direct cybersecurity experience. Looking outside narrow sets of pre-existing skills and certifications maximizes the chances of finding people who can do what we need, and who can grow as the needs of the organization change.
On the challenge of keeping the people we take on: alongside the specific, proactive steps we take for engagement and retention, we should do everything we can to ensure that team members get on with each other and can work effectively with those in other teams. To quote the chairman of an extremely successful global asset management company we know, one with a reputation for retaining its employees: "I only employ nice people".
