Organizations need to drastically revamp their cybersecurity hiring practices to plug the skills gap and create an effective security team. This was the message of Leeza Garber, a renowned privacy & cybersecurity attorney, during her keynote address at the Infosecurity Magazine Spring Online Summit - North America 2022.
Garber began with an anecdote from a job she started 10 years ago, when she clicked on a malicious link. She observed how her cybersecurity teammates dealt with the incident, a response that was “vast, efficient and effective.” This ranged from a leader assigning staff to go through the response protocol to digital forensics to understand how the scam worked. This experience demonstrated to Garber the importance of human behaviors and having a range of personalities in cybersecurity. “In cybersecurity especially, no matter what the role, from CIO to entry-level IT support, everybody needs to capitalize on their inherent behaviors in order to succeed together,” she said.
Citing her recently published book, Can, Trust, Will: Hiring for the Human Element in the New Age of Cybersecurity, Garber set out common mistakes organizations make in hiring cybersecurity talent and detailed steps they can take to improve their recruitment practices.
She highlighted the following common problems with hiring in this field:
- That resume was awesome/terrible: Garber cited research showing that a significant number of resumes contain falsified information, such as altered previous job titles. In addition, no matter how impressive the information looks, “you still have to prove the skills and determine the behaviors of the person behind that resume.” Conversely, she pointed out that a resume that looks poor does not necessarily mean the candidate wouldn’t be suitable for the role, as it won’t display certain relevant life experiences. For example, the candidate may have acquired outstanding real-world hacking skills by themselves, even in the absence of formal certifications and qualifications.
- We get along great: Garber said hiring managers should question the relevance of getting along personally with someone applying for a role. “Does that lead to success in that open role?” she posited. In fact, this could be a dangerous path to take, as it could lead to a lack of diversity in the team, both physically and neurologically. This could mean you all “miss the same threat surfaces, vulnerabilities and attack vectors.”
- We’ve got a guy for that: While many organizations use the services of vendors to tend to aspects of their cybersecurity needs, this should not lead to them neglecting their own internal cyber skills. Garber noted: “A relationship has to exist – the vendor needs to know, and appreciate your business, no matter what size you are.”
- Did you like her?: Related to the ‘we get along great’ point, Garber said one of the most common questions hiring managers ask each other is, “did you like her?” Hiring people on the basis that they make you feel comfortable, or that they fit in, is a mistake. Garber added: “The stakes are very high in cybersecurity, and the field spans many departments. Differences of opinion, background, experience and approach matter – but it still seems so hard for people to hire someone who seems to be different from themselves.”