#ISC2Congress: How to Hire and Retain the Best Cybersecurity Talent

At (ISC)2 Congress in Orlando, Florida, on September 12, 2016, a panel of experts discussed how to hire and retain top information security talent.

The panel:

  • Deidre Diamond, Founder & CEO, Cyber Security Network
  • David Shearer, CEO, (ISC)2
  • Kevin Flanagan, North American Technical Consulting, RSA

What are your thoughts on the current information security skills gap?

David Shearer: The skills gap is across the board. We have to take a holistic approach to security, so there is more demand for soft skills. The industry needs people that are good at technology, but also good at communication, business, and people. We need to build out the deep specialists to be able to communicate. The CISSP is often criticised for being too broad – and I don’t disagree. But the power of CISSP is that you understand the breadth of any [information security] problem.

Kevin Flanagan: In my opinion, the biggest part of the skills gap is emotional IQ.

Deidre Diamond: There’s a huge skills gap with minorities and that problem is getting worse. Minorities are leaving security, not joining. A lot of women are moving out of cyber into risk.

How hard is it to find good talent?

DD: My business can’t stop growing and that’s a problem. I have an issue with there being more staffing agencies than there are companies looking for the right people.

KF: There are always openings in my team and it’s really hard to find the talent we need, and just as hard to keep it – salaries are climbing and in hard-demand. It’s not helping the industry’s cause with people jumping from company to company all the time. Escalating salaries keep me awake at night. My job is to try to get people through the door and to stop people quitting.

DS: Only six percent of the (ISC)2 global workforce survey respondents are under the age of 30. We need an army of people to take on this global fight and the cavalry isn’t coming. Under-represented minority groups have to be part of the solution, we need to draw on talent from wherever we can. African-Americans are even more under-represented than women.

What do you look for when hiring?

KF: Résumés are only part of it. LinkedIn connections and references are important. But I look for people that can deal with change and ambiguity – I always ask for examples on this during interview. It’s about adaptability to change and aptitude. A technical screen will happen later in the interview process.

DS: I look for experiences – have they taken on the tough jobs? Do they throw their hat in the ring? I look for great interpersonal skills.

DD: I always want to know why they’re leaving where they are at and whether I have the right job to offer that person, for them. Because if I don’t, they’re going to leave anyway.

If you’re faced with recruiting with a limited budget, what do you do when candidates want more money than you can offer?

KF: If someone is coming to my company just to make money, they’re not right for my company. You have to look at what drives them. Sometimes you also get the individuals who think they’re worth more than they are.

We could look for all the CISSPs out there, and just look for experience, but I just want a couple of those folks. Then I want midstream people 3 or 4 years out of college – they have a great drive, and are half the price. They rob the 10 year veterans of their complacency – it drives the performance of everyone.

DD: My statistics show that only 10% leave jobs because of salary. HR departments keeping up with salaries is a real problem, but the main reason people leave roles is due to broken relationships, broken promises, and cultural problems.

What impact does staff turnover have on a company?

DS: There is always a financial cost associated with turnover. We’ve had these same problems in IT for years and years. To retain folks, you need a culture that will keep them there. People will stay someplace if they think it’s a cool place to work. People want to know their employer empathizes with them, and cares.

KF: It means more work for people when someone leaves. There’s also the cultural erosion by losing a ‘rock star’. People doubt whether it’s a good place to work when people around them leave. Political capital is important, and recognition. But don’t generalize – figure out exactly what an individual needs and wants.

DD: One thing that is universal to all humans is kindness. It’s the number one thing that everyone wants from an employer. These are the things that make people stick around. Love in the workforce can exist. That kind of culture can breed a lot of success.

How do you deal with someone who over-sold themselves in the hiring process?

KF: The security community is so small, I can usually find what I need on LinkedIn. It’s hard to lie. You need trust and transparency – if that’s broken, that relationship won’t survive.

DS: Screening during interview is vitally important. Integrity in the process has to be paramount. We want people that operate with the highest degree of integrity. If they break trust to get in the door, imagine what they’d do once they’re in?

DD: We’re starting to SEO our résumés, it’s all about getting to the top of the digital resume file – it’s not fair on people, so we need to talk to them.

What’s the make or break question or quality in an interview?

DD: If I don’t enjoy the conversation, I’m not hiring them. I look for laughter, dialogue, sharing and willingness to get to know each other.

DS: I like to ask candidates what’s the toughest decision they made in the last 3-6 months, and what they did to resolve it. I also ask about a time when their boss didn’t agree with their approach and how they dealt with that.

KF: Conflict and behaviour-based interviewing. I always ask ’when did you last disagree with a management decision?’ I look for engagement and fun too.

What is the worst hire you ever made?

KF: The worst hire I made was when I knew my headcount was going away, so I went in to a day of interviewing three candidates saying “I will make a hire”. At the end of the day, I took the least ‘suckiest’ person and hired him. It didn’t work out, the role wasn’t a good fit for him, it messed with his life and I never want to do that again.

DS: The worst person I hired had a PhD and actually said that he struggled to communicate with “average people”.

DD: I once hired someone and trusted that they were on the same page as me, but they went to my Board with a different page. I still wonder where I went wrong with that, rather than blaming the person.
