Organizations need to drastically revamp their cybersecurity hiring practices to plug the skills gap and create an effective security team. This was the message of Leeza Garber, a renowned privacy & cybersecurity attorney, during her keynote address at the Infosecurity Magazine Spring Online Summit - North America 2022.
Garber began with an anecdote from a job she started 10 years ago, when she clicked on a malicious link. She observed how effectively her cybersecurity teammates dealt with the incident, a response she described as “vast, efficient and effective.” It ranged from a leader assigning staff to work through the response protocol to digital forensics work to understand how the scam operated. This experience demonstrated to Garber the importance of human behaviors and of having a range of personalities in cybersecurity. “In cybersecurity especially, no matter what the role, from CIO to entry-level IT support, everybody needs to capitalize on their inherent behaviors in order to succeed together,” she said.
Citing her recently published book, Can, Trust, Will: Hiring for the Human Element in the New Age of Cybersecurity, Garber set out common mistakes organizations make in hiring cybersecurity talent and detailed steps they can take to improve their recruitment practices.
She highlighted the following common problems with hiring in this field:
- That resume was awesome/terrible: Garber cited research showing that a significant number of resumes contain falsified information, such as altered previous job titles. In addition, no matter how impressive the information looks, “you still have to prove the skills and determine the behaviors of the person behind that resume.” Conversely, she pointed out that a resume that looks poor does not necessarily mean the candidate is unsuitable for the role, since it won’t display certain relevant life experiences. For example, a candidate may have acquired outstanding real-world hacking skills on their own, even in the absence of formal certifications and qualifications.
- We get along great: Garber said hiring managers should question the relevance of getting along personally with someone applying for a role. “Does that lead to success in that open role?” she posited. In fact, this could be a dangerous path to take, as it could lead to a lack of diversity in the team, both physically and neurologically. This could mean you all “miss the same threat surfaces, vulnerabilities and attack vectors.”
- We’ve got a guy for that: While many organizations use the services of vendors to tend to aspects of their cybersecurity needs, this should not lead to them neglecting their own internal cyber skills. Garber noted: “A relationship has to exist – the vendor needs to know, and appreciate your business, no matter what size you are.”
- Did you like her?: Related to the ‘we get along great’ point, Garber said one of the most common questions hiring managers ask each other is, “did you like her?” Hiring people on the basis of whether they make you feel comfortable, or whether they fit in, is a mistake. Garber added: “The stakes are very high in cybersecurity, and the field spans many departments. Differences of opinion, background, experience and approach matter – but it still seems so hard for people to hire someone who seems to be different from themselves.”
- Where’s the value-add: Prevention and being proactive are the best approaches to take in regard to cybersecurity, noted Garber. This involves viewing cybersecurity as a profit center, looking ahead at potential losses and brand damage caused by cyber-attacks. This mindset should be a major consideration when hiring security staff.
Garber then outlined a number of questions organizations should ask themselves to contextualize their hiring needs:
- What are my legal obligations? Garber outlined the importance of discussing cybersecurity personnel needs with legal professionals, given the increasing range of regulations in areas such as privacy and data security. Indeed, some laws require specific appointments, such as New York’s SHIELD Act, which mandates the appointment of somebody to coordinate the organization’s data security program.
- What is my actual risk? Companies’ clients may have their own obligations, which will be in addition to legal obligations. “This needs to be addressed alongside what your actual risk is,” commented Garber.
- Who do I have? Garber cited an interview in her book in which a financial institution allowed one of its staff members to move to different roles in the company, such as legal and security. “The employer recognized her transferable skills and behaviors and respected how she knew the business inside and out as she had learned from multiple roles from within,” she explained. This is a lesson other organizations should take on board to help fill cybersecurity positions.
- Who do I need? Organizations should carefully analyze their open cybersecurity job descriptions, asking who wrote them, how old they are and when they were last updated. If not updated, these may lead you to miss the skills you actually need in your organization.
- What don’t I know? Garber said it was important for organizations to utilize non-traditional security approaches, such as bug bounty programs and tabletop exercises, looking beyond regulatory requirements. This requires a coordinated discussion across all departments, including human resources and hiring managers, to determine who you need for such approaches to work. In addition, Garber noted that “there are jobs that may be completely new,” for example roles specific to cybersecurity in new areas of technology like the metaverse. She added: “We have to proactively think about what new things are on the horizon and how to hire for them.”
- What is our shared intention? Garber highlighted the importance of establishing bonds and partnerships within cybersecurity teams. “Cybersecurity teams need to not only be high functioning but well integrated,” she observed. She added that these teams are the most difficult for hackers to penetrate, as they are constantly seeking to improve and adapt.
Garber also discussed the importance of having a variety of human behaviors in cybersecurity teams. She went back to her opening comments about the time she clicked on a malicious link, after which a range of team members performed different tasks to respond to the incident, each of whom had different personality traits. For example, the senior infosec manager was “organized, efficient, calm and focused under major stress and highly confident in his ability to problem solve.” In contrast, the digital forensics expert “was curious, attentive to detail and passionate about the subject area.”
Garber commented: “Matching behaviors to what tasks must be accomplished creates a true person description for a role, not just a job description.” Therefore, hiring managers should ask themselves: “What characteristics does this role need for success?”
Concluding her presentation, Garber said: “Cybersecurity, as a cross-disciplinary necessity, needs all types of people, and diversity is imperative to success. We need to hire better, and that means hiring for the human element.”