As if hiring cyber security staff wasn't challenging enough, now this: According to a Robert Half International survey, two-thirds of IT decision-makers plan to hire full-time employees in the second half of 2019, and their top priority? Bringing in fresh cyber security skills.
Given that this is an issue that weighs on pretty much every cyber security executive we speak with, it seemed an ideal topic for the second installment of The CISO Speaks, a series we introduced recently with a Q&A on innovation with Roland Cloutier of payroll processor ADP.
This month, Scott Niebuhr, CISO of space R&D firm The Aerospace Corp., shares how he's approached the needle-in-haystack nature of staffing cyber security teams today. What follows is a lightly edited transcript of my email interview with him:
TK: What are the biggest cyber security staffing issues you face?
SN: General staffing has been a challenge. In our corporate culture, we have restrictive hiring expectations that place a premium on specific technical degrees over skills or experience gained prior to obtaining that degree. This approach may be valid in the traditional engineering and scientific fields; however, at the rate of speed that technology is evolving, and in the area of cyber security in particular, education comes in non-traditional ways.
For example, candidates may have had many years of technical, hands-on experience while serving in the armed forces, but if they obtain their bachelor’s degrees later in their career, all those years prior to matriculation do not count.
Technical skills are just one part of the equation when deciding if a candidate is a correct fit for a position. Many times people in my organization are asked to translate highly technical problems into what they mean by way of impact to the mission or business. I try to mentor staff on financial and business acumen every step of the way so that they can see how their roles are contributing to the bigger picture, and speak the same business language that decision makers speak.
TK: How does the industry that The Aerospace Corp. operates in present unique challenges when hiring cyber security talent?
SN: As the only federally funded research and development center exclusively committed to space, we provide technical expertise in every discipline of space-related science and engineering. This places a burden on finding individuals with expertise in the space domain as well as technical cyber skills. Often, this translates into an ability to identify deficiencies in architecture, understand unique and often proprietary protocols, and determine the behavior of how these systems operate nominally.
The Los Angeles and Washington DC metropolitan areas, our largest corporate locations, are both hot markets for cyber talent, yet it is still often difficult to recruit top talent. In our specific area of LA, Silicon Beach, we are competing with the entertainment industry, a large financial sector and, within the past decade, an increase in hiring within the video-gaming market.
Throw in the fact that many of our positions require the ability to obtain and maintain security clearance, and the candidate pool significantly decreases.
TK: What strategies have you used to meet your staffing needs?
SN: Within the past two years we have looked to hire those that may not have the exact experience with space systems, but rather have a propensity or ability to learn. For instance, when a request I posted contained language indicative of an intelligence analyst, we weren’t looking for an analyst per se, but needed someone with those skill sets, as part of our responsibility is supply chain risk management.
A unique approach we have taken is to target highly desired candidates and invite them to an intimate evening gathering to showcase some of the interesting projects we are working on. We have taken a cue from some of the boutique staffing agencies and have begun building relationships with individuals who may not be specifically looking for a career change at the moment by planting the seed of working at Aerospace.
TK: To what extent is retention of cyber security employees a challenge, and what do you do to minimize churn?
SN: Retention has not specifically been a challenge at Aerospace as we offer a competitive salary and excellent benefits for the markets we are located in. In the three cases we lost talent to another FFRDC, all three returned to Aerospace within a year. The biggest contributor to people leaving is when employees are not challenged enough.
Where I do see churn is in the area of systems engineering and technical assistance contractors. These contracts may be bid every two to three years, and sometimes even at one-year intervals, contributing to the phenomenon within our industry known as badge-flipping, or leaving your current company to go work for the company that just won the contract for next year.
TK: How do you propose that the cyber security sector, which is such a hot area in terms of both opportunity and innovation, make itself more attractive to a diverse and qualified set of candidates?
SN: If we relax some of the experience and certification requirements and clear away some of the misconceptions of what cyber security is, I think we will see some traction in this area.
While I do feel that certifications provide certain value in some instances, I found that requiring them was severely hampering hiring efforts in what was an already limited candidate pool. If for some reason a certification may be contractually mandated, I normally put in a requirement that the candidate must have the ability to obtain that certification within six months. But I have removed certification requirements from most requests, as I do not want candidates to automatically exclude themselves from applying.
TK: What advice would you give to other CISOs who are struggling to find talent?
SN: Keep an open mind to those candidates who may not specifically have all of the education, experience or certification boxes checked. Sometimes people who are new to cybersecurity can be a huge asset, as they see things from a new perspective and they may not have some of the bad habits or limited adaptability to change that seasoned security professionals may bring.