CISO Guidance on Building the Team: Part II

Published at 2015-12-08 00:32:56

Haven’t read part one of this blog? TL;DR: The security talent gap is real. Creating and promoting strong company culture attracts and retains top performers. Security professionals should always be actively recruiting – both internally and externally.

With that gross oversimplification under our belts, let’s start into the next set of takeaways…

The job description – it matters.

Job descriptions don’t just ensure that qualified candidates are finding your organization in the course of their job search. Knowing the key functions, responsibilities, and daily duties helps to lay the groundwork for a satisfying and rewarding career path by setting expectations at the outset. This may sound obvious, but too often organizations rely on generic job descriptions without being specific about what the role entails, the required skills, and the work to be undertaken. Help your business partner on the HR team out – be very clear in the minimums you seek for each role, as we face a situation where there isn’t enough expertise to cover our needs. Focus your minimums on what is required to get the newbie to a point where they are contributing in a meaningful way, and be realistic with how much energy and patience you (and the team!) have for getting the new hire up to speed.

I asked CISOs about their strategies for finding the right people. “Not everyone needs a security background, at least in the beginning,” one told me. “I try to write job descriptions that reflect this. If you want a first line analyst, you don’t necessarily need someone straight out of school with an infosec degree. You need someone who is passionate about solving puzzles. Maybe they did game theory, or something else that’s completely outside of security. Let that come through in the job listing, so you’re casting a wider net at the get go.”

Another CISO echoed the concept that innate personality traits can sometimes be more important than learned skills: “I want people who like to experiment. Programming backgrounds are great, but you can’t advise programmers on how to fix a problem if they don’t understand how it got there in the first place.”

“The job description is key,” another agreed. “Some are just bad – they don’t talk about how success will be measured for that particular role. First off, know what your company pays, because that will determine whether you’re looking for talent in the right places. In my case, the company has a mandate that security is important and so we don’t want to under-invest; that means we’re aiming for the top people. I’ve had experiences in my career where I’ve had to set my ego aside and acknowledge that the business isn’t in the market for the cream of the crop.”

But here’s my favorite summary of what to look for in a candidate: “You want to find someone with the right kind of insanity.”

Remember when I wrote about soft skills? Yeah, they still count. If you’re a CISO, you’d better be good at playing the politics game – time and again, interviewees proved that interpersonal relationships are a core part of the gig. Hiring and retention is no exception. Whether you’re best buds with HR or have developed a grudging respect over the years, you’ll need to have a good working relationship if you want to attract and retain strong players.

“Salary is tough to go to bat for,” said a CISO, “but I will do it for someone who I want to retain very badly. Things like out-of-cycle raises aren’t easy to get, either. You have to know how to negotiate for one.”

There was also a shared sentiment around how quickly talent can grow and improve. “It’s not impossible to find fundamentally strong people that you can train up,” said another. “In those cases it’s a question of starting low and then accelerating funding by maybe 10k each year. You can’t always follow the 3-5% uptick that most organizations adhere to. So I’ll work with HR and finance to explain that to them, and get them on board with the fact that otherwise we won’t be able to hang on to these people.”

Another iterated the same frustration: “I have had people get on the phone, entirely disinterested in the position, but the quick conversation helped re-calibrate HR’s expectation of what someone with that skillset brings home.”

“Most of my guys have an appsec background and strong pentesting skills. HR will look at a candidate and say, ‘They have 15 years of experience, as a security architect here is what their salary would be.’ But no way will I get a 15-year veteran with the right skillset at that price point. I’m having issues finding good data that I can demonstrate to my organization that will show what someone in the role should actually get paid.”

Budgeting, which I’ve explored in more depth separately, remains an exhausting process. “I always fight the budget battle. You have to pick and choose what you’ll fight for; in some cases budget constraints aren’t worth making a stink about. If I can, to avoid adding headcount I’ll outsource the work to another organization with the right capabilities, so I don’t have to reproduce them internally.”

Another CISO gets creative with HR: “Sometimes we can sweeten the pot with a work from home program, or by encouraging employees to go to security conferences. Not everyone will be a rock star, so find a way to reward those who are.”

Miscellaneous Sound Bites

In the course of conducting these interviews, I gathered a lot of cool tidbits. Not all of them qualified as top takeaways, but the insight is still valuable and so I’ve rounded up a few of my favorites, in the hopes that you may still benefit. Of particular note was the fact that many interview subjects expressed frustration about the lack of women in security. Unfortunately, this is a very real problem that doesn’t have a simple solution; it will require a concerted amount of focus and investment, the benefit of which may not be seen for many, many years to come. There is a lot of energy being invested in STEM initiatives; pulling a variety of young people toward the security community early on is a good way to prime them for an infosec career, but that’s a very separate discussion that warrants its own deep dive.

“Maybe the talent gap is partly caused by people not wanting to pay [security professionals] enough money. It’s like how people say it’s impossible to hire a skilled welder for 10 bucks an hour – if you’re not paying market wages, then yes, you won’t find people with the skills you want.”

“Wannabe security practitioners who are still in their undergrad should find a local security meetup, like ISSA or BSides, or look to get involved in CTFs. These are great ways to learn the basics of reverse engineering, hacking, etc.”

“The security mindset is different from other technology disciplines. The ‘how do I break this?’ mentality is something you want to look for.”

“I don’t have a high attrition rate. My approach is to treat employees like my kids – a little bit of love, a little bit of discipline, lots of accountability, and some fun as well.”

“You can’t fear stolen talent. Talent will move – accept that. Instead, focus on having an environment that is interactive and engaged. People will always know whether you care or not.”

“I don’t worry about my people leaving or being stolen – it is *my job* to make the team, the work, the environment, and the opportunities hard to walk away from.”

“I strive to make leaving my team a very long, exhausting, and emotionally taxing experience. We are a family.”

As always, if you’ve got thoughts and would like to join the conversation – comment below, or track me down!

~ Trey

Source: rapid7.com
