Just when the industry mantra has finally been set in stone, leading cybersecurity talent recruiter challenges the belief that there just aren’t enough talented people to fill the mounting number of open cybersecurity positions. “The difficulty companies are facing recruiting has led to an all-out bidding war,” tells Karl Sharman, Vice President of BeecherMadden, a leading UK and US cybersecurity recruitment business. “Top professionals are constantly being offered more money to move to another company, much like professional athletes.” For cybersecurity professionals, this market promises skyrocketing earning potential and career trajectories. Employers, on the other hand, are facing one of the most serious human resources quandaries imaginable.
Sharman’s firm specializes in recruiting the cybersecurity professionals that run enterprise SOCs (security operations centers) and knows firsthand the challenges his clients face hiring and retaining the cybersecurity talented individuals who are responsible for keeping all our essential digital assets safe. His clients include fortune 500 companies, financial institutions, critical infrastructure, and government institutions. This unique vantage point led to a few key strategies that help companies win the cybersecurity talent war.
Open the Pipeline to Non-traditional Talent
Many of the best cybersecurity talents doesn’t have the standard 4-year university degree. These highly creative and analytical specialists are highly intelligent and autodidactic. Some taught themselves to code when they were children, others started out in IT and curiosity led them to develop their security skills. The very best pentesters and ethical hackers I know started out in the field as a hobby that got out of control and turned into a very lucrative career. In more technical areas, including penetration testing, asking for a Bachelor’s degree can sacrifice nearly a quarter of your talent pool. So, scrapping the degree requirement could potentially double your available candidate pool.
Another way to open the cybersecurity talent pipeline is to do non-traditional outreach. Consider sponsoring a hackathon at a local college and make sure you encourage students from all areas of study to participate. You will likely discover some amazing analytical thinkers in non-technology majors; philosophy, design, linguistics? Great minds and potential can be found everywhere. Make sure you keep an open mind about ‘who’ can become a great SOC analyst and ‘where’ talent can be found.
Also, consider those who are making a career change. There is a huge pool of motherslooking to rejoin the workforce after taking time off to start a family, people transitioning from other areas of IT and people from all industries who have heard about working in cybersecurity. Looking for candidates with an interest in the sector and the aptitude can help fill the gaps in that pipeline. It just requires teams to be openminded.
Hire Talent, Train Skills
Once you open the talent pipeline and recruit gifted, motivated people, all you that is left is train them with the relevant security skills. This is relatively simple. The best example of fast, effective skill training comes from military cyber intelligence units who train their young recruits in 4-6 months. If the best SOC analysts in the world are recruited before they are even old enough to have a bachelor’s degree and are ready to take a seat in the most attacked SOCs in the world within just a few months, surely enterprises can do the same.
How do the elite cyber units do it? First, they recruit based on innate talent, analytical aptitude and ability to work as part of a team in high-pressure situations. Once recruited, they put them through an intensive training course that leans heavily on simulation training. Instead of sitting in a classroom reading books and taking tests, they take a seat inside a realistic SOC environment replete with all the same networking and security tools they will use after they graduate. They experience the pressure of being overloaded with alerts, quickly deciding which are false alarms and which must be urgently investigated and communicating clearly and calmly with all the other members of the team to coordinate every move and ensure no information is lost. Immersive simulation training is so effective that large SOCs are setting up their own in-house simulators, while smaller organizations are increasingly contracting with MSSPs that have their own cyber range simulator to outsource training. In the long run, this approach allows companies to keep their SOC fully staffed with highly qualified SOC analysts.
Personalized Onboarding
The cyber boot camps type of program certainly works well for the military, but the private sector is very different and requires more flexibility and accommodations. The boot camp works great for brand-new entry-level recruits with little or no experience, but what about more experienced recruits? They still require onboarding to get familiarized with the network architecture, tools, and playbooks of your SOC. Onboarding of new employees is critical and innocent mistakes can cost your team good people. I often see good hires get up and leave within the first few months in a new job, usually because something about their onboarding led them to believe they wouldn’t enjoy working in that SOC long-term. Some people like to jump-right-in and immerse themselves in a very intensive, fast learning process. Others like to take a slower pace, taking it one step at a time and moving through the process at a more relaxed rate. If your SOC has a rigid onboarding program, it will not be a good fit for all new team members. Some will feel rushed and overwhelmed, others bored and unchallenged.
The key to successful onboarding is being flexible enough to personalize it for each new hire. Your ability to retain newly hired cybersecurity talent will increase dramatically if every individual is given a healthy measure of control over the style and pace of their training. Cloud-based e-learning platforms are a great way to let each employee work through the entire training program at their own pace to ensure they not only learn everything they need to know to succeed as part of your SOC team, but that they will stick around in the long run to make a meaningful contribution.
Top of the Line Tools and Technology
We all know the numerous reasons SOC teams suffer dearly form fatigue and burnout, but you know who doesn’t? Ferrari owners. How could anyone ever get tired of driving a Ferrari? A top of the line driving machine, a Ferrari is powerful, responsive and delivers an exhilarating, satisfying driving experience. Your SOC should aim to be a Ferrari-like experience for your team. Make sure you don’t skimp on equipment or tools. The design of the room, chairs, screens, and keyboards should all be state-of-the-art. The SOC should inspire pride and confidence that they have everything they need to be successful in the battle against cyber attackers.
The technology is equally important. Top cybersecurity talent will not be willing to work in a SOC with outdated technology. An advanced SOAR is an absolute necessity as it frees analysts from wasting their time on mundane tasks, being constantly bombarded with false-positive noise and dealing with unnecessary escalations. SOAR technology uses big data analysts and machine learning to make sure everything that can be automated is automated, so humans don’t have to.
Invest Heavily in Training Opportunities
Yes, you have to pay top salaries for top cybersecurity talent. There is no way around it, but a high salary alone isn’t enough. Especially not to the highly intelligent, curious, motivated kind of people you want in your SOC. BeecherMadden’s salary survey puts career development as the number one reason for changing jobs for five years out of the past six. Therefore, one of the most important areas to invest in is training opportunities. Not so much because you want your team at the top of their game, but because your team wants to be at the top of their game. Be very generous with ongoing training budgets so that everyone is constantly challenged and developing. Ample training opportunities will keep your entire team up-to-date on the emerging threatscape and give them a chance to practice operating the most malicious attacks, before they hit for real.
The most successful SOCs offer: accreditation (CISSP, SANS), online courses, simulation training in a cyber range (on-site or online), Conferences (Black Hat, hackathons and SOCathons) and a personal training budget worth thousands of dollars per year.
Trusted WorkForce/ Flexibility
Trusted workforce is being adopted throughout the technology sector, and is already widely available in cybersecurity. The idea that you have to travel to a physical office and clock-in to work has become an outdated, inconvenient and somewhat insulting approach to employees. On the one hand, you trust your SOC team to keep your most valuable digital assets safe, but you can’t trust them to work from home? It just doesn’t make sense. The idea that organizations and manager can trust their workforce is nowhere more relevant than in the SOC. Employees accept and appreciate some flexibility in when and where their work is performed, and it contributes to improved quality of life and prevents burnout and churn.