Build a Modern, Effective Cyber Hiring Strategy

Posted on by Nicole Dove

Today's cybersecurity teams can’t be built solely with traditional hiring methods that rely on years of corporate experience or academic qualifications as a guide for weeding out candidates. This piece explains why hiring teams must evolve their recruiting methods and offers some effective ways to uncover true cyber talent during the hiring process.

Traditional Hiring Strategies Ignore Practical Experience

Cybersecurity requires a specific set of technical skills and knowledge that can be overlooked when solely evaluating candidates on years of experience, degrees, and certifications. First, cybersecurity is a field where hands-on experience is crucial. While certifications help practitioners have theoretical knowledge of cybersecurity concepts, they do not ensure hands-on experience. For example, the ability to respond to and contain a breach in real time is much more valuable than simply understanding, conceptually, what would need to be done. Similarly, tenure in a job—no matter how lengthy—doesn’t always equate to years of hands-on experience.

As government agencies control critical infrastructure that impacts quality of life for their constituents (e.g., the Ukraine power cybersecurity attack in 2015 resulted in widespread power outages that affected hundreds of thousands of people), having your team staffed with capable, experienced practitioners is critical.

Modern, Effective Hiring Practices to Consider

By adopting nontraditional hiring practices, hiring managers can identify candidates who have practical experience, technical skills, and the mindset to be able to combat cyber threats and help elevate their organization’s security posture.

Hiring practices to consider include:

  • Focusing on hands-on experience: Instead of eliminating candidates who do not have certifications or traditional education, review their resume for hands-on domain experience that aligns with opportunities within the department.

  • Reviewing candidate portfolios for open-source contributions: This demonstrates their technical expertise, as well as a commitment to the field. It also showcases their coding abilities, problem-solving skills, and familiarity with security tools and techniques.

  • Using scenario-based questions for initial screens and behavioral interviews: This will help evaluate candidates’ decision-making processes. Understanding if candidates can effectively perform root cause analyses, use deductive reasoning, and translate strategy into operations will be extremely valuable to the hiring process and help improve team success.

Don’t Forget About Candidate Soft Skills

It is quite common for hiring teams to focus on technical capabilities and overlook soft skills. Cybersecurity teams must work across other functions within their organization to gather information, deploy projects, and improve their services. As a result, it is important that they are able to effectively communicate, collaborate, practice active listening, and adapt their messaging to their audience.

Within screening and interviews, hiring teams should be sure to include questions to assess the candidate’s ability to exercise the following soft skills effectively: attention to detail, adaptability, problem solving, collaboration, resilience, empathy, curiosity, and continuous learning.

Some questions to consider include:

  • Tell me about a time you led a project that required collaboration across more than one team.

  • How do you prioritize tasks when you have more than one deadline to meet?

  • Tell me about the most significant problem you solved for your team or a project.

  • Sometimes results don’t align with expectations. Tell me about a time when you had to navigate a customer or collaborator through this scenario.

  • Tell me about a time where you needed to make a decision without leadership supervision. What did you consider and what was your process?

  • What has been your biggest failure and what did you learn from this experience?

Hire Hands-On Experience, Not Education and Tenure

Traditional hiring methods don’t work in today’s modern cyber environment.

Here are a few small changes that can have a big impact on your talent acquisition process:

  • Increase collaboration between HR and cybersecurity hiring managers to understand the practical skills needed for current and future cybersecurity needs.

  • Enhance resume review procedures to identify more than years of experience, certifications, and degrees. Assess how each applicant has helped contribute to increasing the strength of their organization’s security program.

  • Interview candidates to assess both technical and soft skills because cybersecurity teams require cross-functional collaboration to be successful.

With threat actors rapidly evolving their tactics, it’s more important now than ever to have a cybersecurity team that isn’t just educated but has the practical expertise to help protect our technology ecosystems— especially when breaches can have detrimental effects on our companies and communities.

Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.

Nicole Dove

Head of Security, Games Division , Riot Games

Business Perspectives

professional development Professional / Workforce Development innovation Pen Testing / Breach Simulation Open Source user behavior analytics security operations Consumer Identity

Blogs posted to the website are intended for educational purposes only and do not replace independent professional judgment. Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA Conference™, or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

Share With Your Community

Related Blogs