Every business is now a digital business. According to the UK Department of Culture, Media and Sport (DCMS), 96% of UK businesses have “some form of digital exposure”, offering cyber criminals more opportunities than ever before.
From the spectacular breaches that attract global attention to the everyday lapses, the cyber security threat landscape is evolving rapidly, with cyber criminals emboldened to strike at a world which hastily embraced digital technologies. ForgeRock’s 2021 consumer identity breach report revealed a 450% increase in username and password breaches, costing an average of $8.64m, partly attributing this increase to a lack of cyber security preparedness.
It’s a shame, too, because CEOs had been working hard to prioritise cyber security before the pandemic. Some 77% of businesses now treat it as a board-level priority, according to DCMS. But the changes wrought by the pandemic present business and security leaders alike with new challenges, while exacerbating old ones. And perhaps the most persistent obstacle to achieving a sufficiently strong cyber security posture has been building, retaining and scaling cyber security teams themselves.
So, in today’s post-pandemic digital world, where cyber criminals see a feast of opportunities, what are the secrets to building a world-class cyber security function? In my view, the three key elements are attributes, personality types and expectations.
Hire for attributes, not experience
The shortage of staff with highly technical cyber security skills, such as secure system design, is well documented at this point, but something cyber security leaders often overlook is the importance of hiring for soft skills too.
This is an area where there has been improvement recently – a Tripwire survey found that 21% of respondents rated soft skills as more important than technical skills.
However, it’s still common to find a business trying to build its cyber security team by chasing an elusive unicorn with 15 years’ experience in the one domain it needs at that particular moment, for example DevSecOps or intrusion detection, without considering the other skills it will need in the long term. That hire may be the most talented person in that one domain, but they need enough of that work to keep them busy and passionate, which is difficult in the fast-moving world of cyber security.
And hiring for the business of today does not equate to success tomorrow. Technology changes, threats evolve and your cyber security tooling has to follow. Today’s technical standards will soon be out of date, so the most important attribute is the ability to problem-solve and adapt, to respond to and overcome new challenges.
How do you keep someone happy when you have hired them for their attributes rather than to fill a skill-shaped hole? Ground your hiring within a three- to five-year roadmap. For example, if you are hiring a cyber security graduate, that person won’t want to be in that role for 10 years. It’s up to you to create a plan to grow them professionally.
You should utilise them in projects that will provide additional experience and skills while you’re looking for opportunities to match their existing technical skills to other projects. For example, have them shadow other team members. That’s how you retain talent: with a guided roadmap. And if you really need that single-aspect technical specialist, just hire a contractor rather than a permanent employee.
Be sensitive to personality types
Another aspect which is often overlooked is emotional intelligence and how different personality types fit together. This is changing: this year’s F-Secure survey of chief information security officers (CISOs) found that two-thirds understood the increasingly important role of emotional intelligence in helping them navigate the business. This mentality can, and should, apply across the cyber security team, as it can fundamentally alter its cohesion.
Making sure you’re forming a cohesive group will help to ensure team members will work well with others. Even if they have the most impressive CV, their way of working could be at odds with the team and may end up upsetting your team balance. No amount of expertise can make up for that damage, so making the right judgement call about how a candidate will fit into the existing ecosystem at the outset is just as important as sizing up qualifications in building an impactful team.
This is where CVs and many interviews are seriously deficient. You get zero insight into someone’s personality reading through a sanitised list of experience or asking them their opinion of a security framework. So use interviews to get behind the veil by asking unusual questions to which candidates are unlikely to have rehearsed answers, to get an insight into who they are. I often ask, ‘What’s your idea of a good weekend?’ to find out about how they prioritise things in life – and their willingness to answer questions honestly.
Be realistic about expectations
Many graduates have been fed inflated ideas about the cyber security job market, creating the risk of a mismatch of expectations versus reality. As a result, it’s up to hiring managers to be clear about what a career actually looks like – at the same time as creating the future development opportunities that will help new employees’ careers progress.
The best antidote to unrealistic expectations is total transparency. Hirers should paint a very clear picture for the candidate of what the reality actually is for new employees, including putting the salary on the job advertisement. In California, companies have to tell applicants the role’s salary band if asked, but I don’t see any point in waiting.
To make sure salary bands are in line with your geography and the seniority of the role, use Radford’s compensation benchmarks for due diligence. Make sure you discuss salary requirements early in the recruitment process – it’s one of the most common hiring stumbling blocks, so don’t put it off. And combine this early realignment with a genuine commitment to long-term career progression, so that even if graduates aren’t getting the glamour they were falsely promised early on, they know there are opportunities for growth.
Businesses can’t afford to have a cyber security team made up of ineffective professionals in this climate – they will be failing before they even start. It may seem obvious, but scaling and strengthening your cyber security team and talent is a fundamental that so many businesses still get wrong.
But by hiring for soft skills, not experience, being sensitive to personality types and being upfront about role expectations, businesses can shore up their defences at a time of elevated risk and equip their teams to adapt for the future.
Russ Kirby is CISO at ForgeRock.