Every business is now a digital business. According to the UK Department of Culture, Media and Sport (DCMS), 96% of UK businesses have “some form of digital exposure”, offering cyber criminals more opportunities than ever before.
From the spectacular breaches that attract global attention to the everyday lapses, the cyber security threat landscape is evolving rapidly, with cybercriminals emboldened to strike at a world that hastily embraced digital technologies. ForgeRock’s 2021 consumer identity breach report revealed a 450% increase in username and password breaches, costing an average of $8.64m, partly attributing this increase to a lack of cyber security preparedness.
It’s a shame, too, because CEOs had been working hard to prioritize cyber security before the pandemic. Some 77% of businesses now treat it as a board-level priority, according to DCMS. But the changes wrought by the pandemic present business and security leaders alike with new challenges while exacerbating old ones. And perhaps the most persistent obstacle to achieving a sufficiently solid cyber security posture has been building, retaining, and scaling cyber security teams themselves.
So, in today’s post-pandemic digital world, where cybercriminals see a feast of opportunities, what are the secrets to building a world-class cyber security function? In my view, the three key elements are attributes, personality types, and expectations.
Hire for attributes, not experience
The shortage of staff with highly technical cyber security skills like secure system design is well-documented at this point. Still, something that is often overlooked by cyber security leaders is the importance of hiring for soft skills too.
This is an area where there has been improvement recently – a Tripwire survey found that 21% of respondents rated soft skills as more important than technical skills.
However, it’s still common to find a business trying to build its cyber security team by chasing an elusive unicorn with 15 years of experience in the one domain they need at that particular moment – for example, DevSecOps or intrusion detection – and not considering the other skills they’ll need in the long term. They can be the most talented person in that one domain, but they need enough of that work to keep them busy and/or passionate, which is difficult in the fast-moving world of cyber security.
And hiring for the business today does not equate to success tomorrow. Technology changes, threats evolve, and your cyber security technology base has to follow. Today’s technical standards will soon be out of date, so the most important attribute is the ability to problem-solve and adapt, so that staff can respond to and overcome new challenges.
How can you keep someone happy once you have hired them for their attributes rather than to fill a skill-shaped hole? Ground your hiring within a three- to five-year roadmap. For example, if you hire a cyber security graduate, that person won’t want to be in that role for 10 years. It’s up to you to create a plan to grow them professionally.
Use them in projects that will provide additional experience and skills while you look for opportunities to match their existing technical skills to other projects. For example, have them shadow other team members. That’s how you retain talent: with a guided roadmap. And if you really need that single-aspect technical specialist, hire a contractor rather than a permanent employee.
Be sensitive to personality types
Other traits that are often overlooked are emotional intelligence and personality type. This is changing – this year’s F-Secure survey of chief information security officers (CISOs) found that two-thirds understood the increasingly important role of emotional intelligence in helping them navigate the business. This mentality can, and should, apply across the cyber security team, as it can fundamentally alter the team’s cohesion.
Making sure you’re forming a cohesive group will help to ensure team members work well with others. Even if a candidate has the most impressive CV, their way of working could be at odds with the team and may end up upsetting your team balance. No expertise can make up for that damage, so making a sound judgment call at the outset about how a candidate will fit into the existing ecosystem is just as important as sizing up qualifications when building an impactful team.
This is where CVs and many interviews are seriously deficient. You get zero insight into someone’s personality by reading through a sanitized list of experiences or asking their opinion of a security framework. So use interviews to get behind the veil: ask unusual questions that candidates are unlikely to have rehearsed answers for, and you get an insight into who they are. I often ask, ‘What’s your idea of a good weekend?’ to find out how they prioritize things in life – and their willingness to answer questions honestly.
Be realistic about expectations
Many graduates have been fed inflated ideas about the cyber security job market, creating the risk of a mismatch of expectations versus reality. As a result, it’s up to hiring managers to be clear about what a career actually looks like – at the same time as creating the future development opportunities that will help new employees’ careers progress.
The best antidote to unrealistic expectations is total transparency. Hirers should paint a detailed picture for the candidate of the reality for new employees, including putting the salary on the job advertisement. In California, companies have to tell applicants the role’s salary band if asked, but I don’t see any point in waiting to be asked.
To make sure salaries are in line with your geography and the seniority of the role, use Radford’s compensation benchmarks for due diligence. Make sure you discuss salary requirements early in the recruitment process – it’s one of the most common hiring stumbling blocks, so don’t put it off. And combine this early realignment with a genuine commitment to long-term career progression, so that even if graduates aren’t getting the glamour they were falsely promised early on, they know there are growth opportunities.
Businesses can’t afford to have a cyber security team made up of ineffective professionals in this climate – they will be failing before they even start. It may seem obvious, but scaling and strengthening your cyber security team and talent is a fundamental that many businesses still get wrong.
But by hiring for soft skills, not experience, being sensitive to personality types, and being upfront about role expectations, businesses can shore up their defenses at a time of elevated risk and equip their teams to adapt for the future.