How to hire top cybersecurity talent for your company

Nov 20, 2017 | 6 mins
Careers, IT Leadership, IT Skills

As cyber threats continue to grow in volume and intensity, companies need top-tier cybersecurity talent to successfully fend off these attacks.


Cyber threats continue to grow in volume and intensity. Seemingly every month, another massive security breach dominates the headlines. In an effort to combat these threats, society as a whole is putting a greater emphasis on cybersecurity awareness and training.

Universities in the U.S. are unveiling new cybersecurity programs designed to prepare students for jobs in this booming field. Startups that provide vocational courses in cybersecurity are attracting venture funding. Even the U.S. military is now training active-duty military personnel who, after they leave the service, quickly find positions in the cybersecurity industry.

In fact, there are now more cybersecurity professionals than ever. And yet, there are still nowhere near enough. As cybersecurity threats grow more pervasive and advanced, companies need even more people to fill cybersecurity roles.

How dramatic is the shortage of trained and qualified security personnel? The global cybersecurity workforce will have more than 1.5 million unfilled positions by 2020, according to a report from Frost & Sullivan and (ISC)². And a quarter of all respondents to a survey by ISACA’s Cybersecurity Nexus said that it takes their companies six months or longer to fill priority cybersecurity positions.

If your company needs cybersecurity help, you can’t afford to sit around and wait for it to walk through the door. You need to be proactive. Here are five steps for overcoming the hiring challenge and staffing up your cybersecurity team.

1. Expand the talent pipeline

Consider hiring people from diverse backgrounds who can bring new ideas to the table. In the security industry, we’ve done a good job of converting many IT professionals into security professionals already, but we haven’t done a good job of expanding beyond that. Many cyber agents hired by the FBI, for instance, come to the agency with accounting degrees, partly because the level of detail required in finance proves very useful in cyber investigations. I’ve also been successful at hiring ex-finance professionals, who are passionate about technology, into information security.

The good news is that universities are now introducing cybersecurity programs, which are attracting a broad range of candidates. Here in my home state of Colorado, the University of Colorado Boulder offers a master’s degree with an element of cybersecurity training. The University of Denver also has a two-year program in cybersecurity. Accelerators and bootcamps are another good place to recruit fresh talent. Many have six- to eight-month programs that train cybersecurity professionals in real-world information security so they can be effective as soon as they are hired.

The bottom line is that you need to build a pipeline. Without one, your positions will remain open for longer periods of time, and you may be choosing from a less qualified talent pool instead of having the pick of the litter.

2. Look for people with real-world experience

All organizations need entry-level talent. But they also need at least a few seasoned professionals with real-world experience. These are people who are battle-tested and have hands-on experience with different types of scenarios, ranging from incident response to audits. Of course, these experienced professionals are more difficult to find, but they do exist. Look for people who have worked at companies with a dedicated cybersecurity focus. Other excellent candidates are industry consultants who have fought the good fight but have grown tired of being on the road all the time. Many of these folks have knowledge, professionalism and resiliency that can benefit your organization.

3. You pay for what you get

HR departments are working hard to establish a salary range for cyber professionals. But as it stands now, there is not sufficiently detailed salary data for people with skills in the various specialties of the field, like, say, malware analysis or deep forensics. Hiring managers end up combining a few different job descriptions to create some rough correlation to a cybersecurity professional. If your HR department is determining salary bands for cyber professionals based on incomplete or inaccurate data, it could hurt your ability to recruit. If your HR department has underscoped the value of specialty skills, that will also hurt your ability to recruit. Offer a salary at the low end and you won’t get the best people. The reality is that specialized cyber skills are hard to come by, and your organization must be willing to pay up to get them. Organizations that are inflexible on salary will not attract the talent they need to stay safe—and they will almost certainly regret it down the road. Even if they are able to hire talent, retaining it will be challenging, as those people will constantly receive higher offers and ample opportunities to jump ship.

4. Be selective

That said, take your time when searching. You need to ensure that the person you are hiring has the aptitude, communication skills and cultural fit that you are looking for and that are required to be successful at your company. You will regret it if you make a bad hire. Remember the old 80/20 rule: you’ll spend 80 percent of your time managing 20 percent of your people. That is even more true for positions involving offensive security, where you are often paid to mimic a criminal. You need to make sure that those individuals don’t go beyond mimicry and understand which lines to cross and which not to cross. Before you bring your new folks onboard, you need to conduct thorough background checks—as well as foreground checks, as it were, to make sure they can adapt to your corporate culture. The same applies to people on the defensive side, those who are responding to incidents. You must have a very high degree of trust in these people because they will have access to your organization’s most critical data and other information.

5. Provide continuous growth and learning opportunities

The technology industry changes rapidly. New systems and tools are constantly being introduced into the enterprise and your cyber team needs to know how to protect them as they come. That’s why it’s vital to constantly re-skill your employees. What’s more, cyber professionals demand this kind of continuous learning. And if you’re not providing your team with ongoing education opportunities—sending them to industry conferences, holding workshops, etc.—your best employees will hop to another company that does. If you don’t have an organizational structure that gives your employees opportunities for advancement, you’ll lose them as well.

Remember, one of the best investments you can make is in your people. And the people you need right now are cybersecurity people. With the right talent, you’ll have a far better chance of successfully fending off attacks, protecting your organization and outdoing your competition.


James Carder has over 20 years of experience working in corporate IT security and consulting for the Fortune 500 and U.S. Government. At LogRhythm, he develops and maintains the company’s security governance model and risk strategies, protects the confidentiality, integrity and availability of information assets, and oversees both threat and vulnerability management as well as the Security Operations Center (SOC). He also directs the mission and strategic vision for the LogRhythm Labs machine data intelligence, strategic integrations, threat research and intelligence, and compliance research teams.

Previously, he served as Director of Security Informatics at Mayo Clinic and had oversight of the threat intelligence, incident response, security operations center, and offensive security groups. He was responsible for protecting, detecting, and responding to a network that consisted of financial systems, industrial control systems, medical devices, and patients. Prior to Mayo Clinic, Mr. Carder served as a Senior Manager at MANDIANT, where he led professional services and incident response engagements. He’s led criminal and national security related investigations at the city, state and federal levels, including those involving the theft of credit card information and other intellectual property, hacktivism, and Advanced Persistent Threats (APT). Mr. Carder is a sought-after and frequent speaker at cyber security events and is a noted author of several cyber security publications.

James holds a Bachelor of Science in Computer Information Systems from Walden University and an MBA from the University of Minnesota’s Carlson School of Management, and is a Certified Information Systems Security Professional (CISSP).

The opinions expressed in this blog are those of James Carder and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.