Creative Hiring From Non-Traditional Places
The lead story in the SANS NewsBites from today was "White House/DHS Announce New Cyber Skills Pipeline Initiative.” The two statements below caught my attention.
1 - “The Federal Government struggles to recruit and retain cybersecurity professionals due to a shortage of talent along with growing demand for these employees across the public and private sectors.”
2 - “As agencies prioritize their cyber workforce needs, they will likely need to adopt innovative hiring techniques to ensure the best and brightest cyber talent can seamlessly enter the Federal Government.”
With the cybersecurity talent shortage, we must get creative in where we look to fill our open cybersecurity positions. Many years ago a good friend in the Human Resources department gave me the advice to hire character and train skills. For many years I have experienced success in finding team members from non-traditional areas and then sending them to learn our craft. A couple of examples include Fraud and Abuse, Help Desk and Network Operations. I found it interesting to learn from them how their former departments operate as well as learning firsthand how their department viewed the information security program. Yes, it pays to have thick skin.
From what non-traditional areas have you found talented members to join your information security team?
Russell Eubanks
Performing A Cybersecurity Risk Assessment | Online | Greenwich Mean Time | Oct 28th - Oct 29th 2024 |
Comments
Additionally, in the private sector, many firms offer perks which the federal government cannot, including excellent health benefits, more vacation and time off, educational benefits, better ability to cross train, flexible work scheduled (or working remotely), and no need for a security clearance, which can take anywhere from 6 months to 2 years to complete.
We lost 20 analysts in 30 months due to better paying positions in the private sector and the growth opportunities which were available.
It's amazing how much the federal government whines about not being able to attract top talent (if they could compete with the private sector, perhaps they'd get the talent they're looking for)...
hmmmm
Anonymous
Jun 23rd 2018
6 years ago
Taking Stock of the Current Cybersecurity Workforce and Identifying Gaps, Developing Innovative, Recruitment, Retention, and Mobility Strategies, Reskilling Employees to Fill High-Value Cybersecurity Roles and Building a Pipeline of Cybersecurity Talent each resonate with me and I hope that 1 year from today significant progress will be made.
I also like what I see in the National Initiative for Cybersecurity Education Cybersecurity Workforce Framework (NICE Framework).
Thanks for supporting the ISC!
Russell
Anonymous
Jun 23rd 2018
6 years ago
Anonymous
Jun 23rd 2018
6 years ago
I gave up on the idea of working for government when I saw how certain folks with clearances were treated by the NSA and FBI when whats-his-name started leaking info about the NSA's programs to the press. People who weren't responsible for the leaks, who were merely suspected, lost their clearances, lost their jobs, mortgaged their houses to pay for legal defense bills, went bankrupt, etc. So I'm in no hurry to get a clearance again. I don't want to be on ANY access lists for anything someone else might leak.
I think I'll stick with the private sector for now. I just don't trust the government agencies to pay me what I'm worth or to behave ethically.. Or even legally...
Anonymous
Jun 25th 2018
6 years ago
I never shied away from hiring from "outside" security, but I was always wary. The last few years especially, there were a ton of applicants who were all about getting into it because it was the next big thing, and they wanted to cash in, not because they were genuinely interested in the field.
Because of this I rarely made a decision based solely on whether or not they had experience or were already in the field. If their resume looked reasonable for an entry level (they had some knowledge or experience with security tools, maybe a basic cert or two), they would probably get an interview. That interview was always technical to start, and if you could show me your enthusiasm for security, and the ability to teach yourself, I wouldn't care what your current job was, you would immediately jump to the top of the list. I can train you in the tools, I can't train you to love the field.
The other side of things was monetary. Depending on the size of a company, a hiring manager will probably have a strict range where that analyst has to fall in, whether or not it is within "industry norms". I usually couldn't go outside of that unless there was an exceptional circumstance. If you're interviewing at a third-party SOC provider, keep in mind, there are usually contractual limits to the amount a customer is willing to pay, and to make money, the company will try to beat that. That usually doesn't work in the long run, but that's the tactic some places use.
My advice to someone trying to make it from outside, get a couple of basic certs. Understand what you're talking about. Think about why you want to get into the industry, and make it known. You're looking at getting into an industry where you need to be constantly thinking of the security implications of what you're doing, what others are doing, etc. If that makes you tired right from the start, you're not going to last in the industry. Someone who can enthusiastically tell me how they built or hardened their home network, why they chose what they did, what they'd do if they had more resources, will get a better response than someone who says "well, I work with computers all day, so at home I just have the router or whatever the ISP gave me." Go to some of the smaller/free conferences, and start networking. Talk to people who you know in the industry already and make it known you're looking to get into security. Look for a local DC group or B-sides and become as active as you can, in person, on their mailing list, or both.
Anonymous
Jun 26th 2018
6 years ago