By Abhiram Shindikar — June 24, 2024

The Science of Hiring Cybersecurity Professionals

World is changing faster than ever! With the rise in digital technology, where digital business information including your personal information is flowing constantly, cybersecurity teams act as a body’s immune system - defending against cyberattacks that can steal data, disrupt operations, and cause financial harm. Having a skilled and smart cybersecurity team is crucial - today we will talk about how businesses build their skilled cybersecurity teams to protect their vital assets and maintain user trust.

Building a cybersecurity team is like assembling a crack squad; you need a diverse mix of skills and experience to cover all aspects of security. It involves defining objectives, selecting the right leader (CISO), assessing skill gaps, recruiting skilled professionals, providing continuous training, establishing the right policies, encouraging certifications, etc.

What skills should you look for when hiring for cybersecurity roles?

As we mentioned above, building comprehensive cybersecurity teams is a challenging task. In our recent ScaletoZero episode with Jesse Miller, we asked Jesse to share some of the qualities and skills they seek when hiring for cybersecurity roles. We were surprised bywith Jesse’s response to look for different non-technical skills such as basic aptitude and attitude, good communication skills, personality tests - making sure people have empathy, and there were a few more.

Below are the skills that we have discussed with different security leaders that organizations should look for when hiring for cybersecurity roles. These include foundational as well as technical skills! Let us take a look at it.

Aptitude and Attitude

This goes beyond technical skills. CISOs look for individuals with a genuine passion for cybersecurity, a strong work ethic, and a commitment to continuous learning. They should be curious, analytical, and possess a problem-solving mindset.

Good Communication Skills

Effective communication is one of the most important skills required internally within the organization as well as externally. Cybersecurity professionals often need to explain complex technical concepts to colleagues from non-technical backgrounds, collaborate with other departments, and report security incidents to management. Thus, speaking the language of the department and communicating the right message stays at the forefront.

Personality Test - Empathy

Remember our podcast episode with Shivani Arni? Where she dived deep into emotional intelligence and explained the importance of empathy. CISOs value empathy because it allows their team members to understand the human element of cybersecurity. Security measures often impact user experience, so having empathy helps the team find solutions that balance security with usability. Additionally, empathy fosters collaboration and a positive team culture.

We curiously exclaimed to Jesse “What about the technical skills” - He simply replied “If you hiring for a senior cybersecurity role, it is assumed that you already have the skills to handle things in the Cloud, networks, and whatnot” which made a lot of sense to us! Because it is a commodity and if you are going for this job, you should know that stuff.

Programming and Scripting

Not a must-have, but strong programming or scripting skills allow security professionals to automate tasks, analyze security data, and develop custom security tools.

Threat Intelligence

The ability to gather, analyze, and interpret threat intelligence helps the team stay ahead of evolving cyber threats and prioritize security risks effectively. You can also understand Threat Modeling in depth in our article here.

Incident Response

Expertise in incident response procedures allows the team to effectively detect, contain, eradicate, and recover from security incidents, minimizing the possible damage and downtime.

Digital Forensics

In case of a security incident, the ability to collect and analyze digital evidence is essential for forensic investigations and potential legal proceedings if required.

Compliance

Understanding relevant data privacy regulations and compliance requirements ensures the team implements security measures that meet legal and industry standards. Dive deeper into cloud compliance in our article here.

By focusing on these areas and evaluating based on your and your management team's experiences, CISOs can create a well-rounded cybersecurity team equipped to handle the ever-changing threat landscape.

How to attract the right talent to your organization?

In our meetings with stakeholders, and cloud partners - we have been asked this question a lot. You know, having team members with expertise in specific areas like penetration testing, malware analysis, or security architecture allows for a comprehensive approach to security.

Remember, a mix of experience levels is always valuable. Seasoned professionals can provide guidance, whereas junior members bring fresh perspectives and new skills.

Above all of these, organizations need to create a culture of knowledge, training, and improvement. And as we said above “Attitude and Aptitude”, people who are curious learners, go-getters, and look for innovation and success - these people are really happy and willing to enter your organization.

In our podcast with Jesse - he shared with us this concept called “Radical Candor” which if asked to define it in simple words is the act of giving direct feedback to someone in a way that pushes them to grow and improve.

How should startups hire their first security role?

Well, we can’t stop you from hiring; but it is always better if you hire a third-party agency or managed service provider for taking care of your organization’s network or cloud infrastructure security.

To make it more consumable and thoughtful for you - A single person cannot look after every aspect of security, whereas hiring a third-party security service provider gets you a team of security experts that look after your infrastructure for a single price. One more way of securing your cloud infrastructure is hiring a generalist who knows ABC of security and handing over a tool like Cloudanix to them.

Life after hiring security teams, are KPIs important?

Focusing on KPIs encourages a proactive approach to security. By tracking leading indicators, organizations can identify potential issues before they escalate into major incidents. Having KPIs (Key Performance Indicators) for your cybersecurity team is crucial after hiring them because KPIs provide a data-driven way to measure the effectiveness of your cybersecurity team's efforts.

They help identify areas where the team is excelling and areas where they can improve. We have listed some examples of KPIs that are instilled by organizations for their security teams.

Number of vulnerabilities identified and patched.
Mean Time to Detection (MTD) and Mean Time to Response (MTTR) for security incidents.
Employee phishing click-through rates (measures security awareness training effectiveness).
Number of security awareness training sessions completed.
Number of penetration tests conducted and critical vulnerabilities identified.
Downtime due to security incidents.

With a subtle change to the thought, KPIs make more sense for managed security services and not for internal security teams. Managed security services are full of KPIs and above are the examples listed to name a few.

On the other hand, focusing on KPIs for internal security teams can have some serious cultural drawbacks;

Limited Scope: KPIs can be narrow and might not capture the bigger picture of security effectiveness. Focusing solely on metrics like "tickets resolved" might not incentivize proactive threat hunting or strategic security initiatives.
Discourages Collaboration: Overemphasis on individual KPIs can create a competitive environment within the team, hindering collaboration and knowledge sharing.

If not KPIs, How should security leaders define security structure for their organization?

Instead of KPIs, Jesse recommends having OKRs (Objectives and Key Results) for internal security teams. OKRs emphasize achieving specific objectives, with measurable key results to track progress. This aligns better with the overall security goals of the organization. Having OKRs meets your two vital goals - Team alignment, and Culture.

Team Alignment: Developing OKRs collaboratively ensures the entire team understands the desired outcomes and works together to achieve them.
Culture and Goals: The CISO emphasizes the link between OKRs and organizational culture. By aligning individual goals with broader objectives, OKRs promote a sense of shared purpose and contribute to achieving the organization's overall security goals.

Conclusion

Building a strong cybersecurity team is crucial for organizations in today's digital world. This team should consist of individuals with a mix of soft skills and technical expertise. CISOs should look for candidates with a passion for cybersecurity, strong work ethic, communication skills, and empathy.

Beyond foundational skills, some desired technical skills include security expertise, programming or scripting abilities, threat intelligence, incident response, digital forensics, and compliance knowledge.