Hiring Top Cybersecurity Talent
Conquering the Talent Shortage
If you’re in the position to hire staff, you are aware of how problematic it has become. Between the never-ending pandemic and the “Great Resignation,” hiring talent in cybersecurity has never been more difficult. In fact, according to the company Cyberseek, from October 2020 through September 2021, there were over 162,700 openings for Information Security Analysts and nearly 600,000 cybersecurity positions in total.
I’ve spent nearly 15 years in the industry as a practice manager, hiring pen testers and advanced operators for several different companies. Since the start of the pandemic and the push to work from home, the need for IT people has never been greater, and cybersecurity talent is at the top of the list. The old approach of opening a job req in Workday or listing a job ad on LinkedIn and waiting for the applications to roll in simply doesn’t work anymore. We need to better understand who we’re hiring, and what motivates them.
We must start with a painful reality: They don’t need your job. In today’s market good talent can go anywhere, which puts employers in a tricky situation. However, with a better understanding of your candidate’s motivations, you can attract and hire the right people.
What are they looking for? In my research, I found the following job attributes were the most important to cybersecurity professionals:
Instituting Flexible Work Hours
This is one of the most important things managers of highly technical people need to learn. Hackers will work long, hard hours when they’re engaged with a difficult or interesting problem. You can look at Slack or Teams late at night and find members of your team logged on and chasing down an exploit or following an attack path. Don’t force a 9-to-5, 40-hour week on them. You’ll stifle their creativity. As long as the work gets done, and within whatever time limits a client’s rules of engagement impose, it doesn’t matter if one week is 30 hours and the next is 60.
P.S. Some team members will work themselves to exhaustion. Check in with the team regularly and make sure they’re not taking on too much.
Enabling Flexible Working Locations
We’re talking about much more than working from home. Think “work from the beach.” Nearly all of the work we do in pentesting and red teaming can be done remotely. Blue teamers might need to be onsite during an event, but as long as they’re near an airport or railway, there’s no reason for them to roll into the office every day.
Another word of caution (and true story): I’ve had testers go on vacation to another country and decide they love it so much that they’re going to stay. Because they’re working remotely, nobody noticed until it came up in conversation four months later. There are, at a minimum, tax implications to that decision, so it’s worth pointing out that this is a bad idea when you approve their time off.
Keeping Hackers’ Focus on Hacking
Hackers gonna hack.
Those who work in cybersecurity aren’t always known for their people skills. Forcing these individuals to manage their projects, chase down clients for scoping details, or, *shudder*, meet sales goals will cause them to pack up and move on. Use project managers or the operations team to set up their engagements, and use tech leads or supervisors to do the read-outs.
Cultivating a Culture of Talented Professionals
This is an interesting workplace attribute that I’ve never had to worry much about. The old adage goes, “if you’re the smartest person in the room, you’re in the wrong room.” Talented cybersecurity professionals want to work with other talented professionals in the industry. These people want to be challenged by their colleagues and grow through a sort of peer pressure. Striking a winning balance between junior and senior people on staff is not only important for client engagements, but also ensures your team has plenty of wisdom to pass on to your junior practitioners.
Prioritizing Time for Creativity and Research
The work we do as pen testers is exciting, but a combination of late nights and repetitive engagements can become tiresome. Block off time for the testers to take a breath between engagements and do the research that excites them. It will pay dividends, whether that’s through thought leadership-focused blog posts or speaking engagements at industry conferences.
There truly is no better recruiting tool than a top-notch presentation at DefCon or Shmoocon.
You’ll notice that gobs of money and months of vacation aren’t the first things on their list. Yes, they want to get paid, and in this market you’ll pay them well. But as you can see, money typically isn’t what motivates them. Hackers ultimately want interesting work, flexibility and autonomy, a sense of community, and appreciation for what they do.
PlexTrac’s Solution to the Cybersecurity Talent Shortage
Now at the moment, PlexTrac can’t write your job description, find you candidates, alter time, speed up the harvest or teleport you off this rock. But what we CAN do is enhance your security team’s efficiency, making it easier to stay happy while on the job.
PlexTrac is ideal for building an online process for engagement setup and configuration. It can substantially reduce the need to play phone tag or chase down a client for information. Our granular role-based access controls mean you can give your points of contact access to the platform to upload documentation and diagrams, eliminating the back and forth email chains.
Our Runbooks feature is used to design repeatable attack chains for purple team engagements and table-top exercises. But it can also be used to build internal playbooks, documenting the tools, syntax, and exact steps developed by your senior staff. Building a library of proprietary Tactics, Techniques, and Procedures (TTPs) can make everyone on the team an InfoSec rockstar.
When it comes to the readout phase of the engagement, not everyone is comfortable with being in the spotlight. The PlexTrac Readout and Attack Path modules let someone else step into the role and accurately and smoothly describe the results of the test. Our Findings pages allow the raw evidence to be associated with the finding, so you can answer deep technical questions as if you had participated directly in the test. The Attack Path page provides a way for the pen tester to graphically recreate the attack chain. This makes it easy for everyone on the readout to understand what happened, and what the risk is to the organization.
Hiring is at an all-time high. I hope this blog post has demystified what candidates are looking for and what motivates them, as well as demonstrated how PlexTrac provides workflows that make their jobs easier. Now let’s go make these new hires into long-time employees!