How to Fill Open Cybersecurity Positions
Let go of the resumes and certifications and let applicant skills guide your hiring.
Have you heard the following concerns on your hiring team?
“I’m concerned that our company is gatekeeping amazing applicants.”
“I need to find someone fast. The team is stretched too thin.”
“The resume was great, but the newest team member doesn’t know what they are doing.”
If you can relate to any of the preceding concerns, this article is worth your time.
Often, hiring managers and HR struggle to get through the volume of applicants for an open security team position. Unfortunately, filling the position can be costly and slow. The majority of decisions throughout the hiring process are based on the applicant’s resume. This can lead to issues down the road if the applicant is never tested on the actual skills the role would require. One of our worst fears is hiring the wrong person. Security roles are crucial to a company’s success because they protect consumers’ personally identifiable information (PII) from attackers. Thus, hiring someone to join a security team is not like hiring for other roles at the company.
It’s important to note that the communication barrier between the needs of the organization and what the candidate can accurately offer to the position has been an ongoing problem within security recruiting. Removing it is the most important step toward ensuring you get the applicants you want. For example, you need a Red Teamer; unfortunately, the aspiring penetration tester with those skills never saw your job description. Your Blue Team compares computers’ actual configurations against the corporate policy’s documented standards; however, all your applicants want to respond to sensor alerts. These scenarios of miscommunication will always result in extended search periods and an inability to build a strong team.
Why is fixing the communication barrier between the needs of the organization and the accuracy of the candidate crucial? Failing to address it can leave applicants inaccurately screened, which results in higher hiring costs, more time spent hiring, and never receiving qualified candidates. Unqualified hires can cause heavy turnover, which restarts the hiring process and keeps a position open for long periods.
The best way to receive better candidates is to shape your job descriptions around KSTs (knowledge, skills, and tasks). By doing this, you’ll receive stronger candidates for the role you are trying to fill. Candidates will understand the role when applying for the position, which helps them evaluate whether they are the best fit for the job before applying. There is a framework within the information security community, the NICE framework, that supports these KST building blocks. Let’s dive into this as part of the two steps for receiving better candidates.
The NICE framework solves communication gaps between the organization and the candidate by providing a straightforward, common language for the cybersecurity industry. That language describes workers and their work in terms shared by the public, private, and academic sectors.
The National Institute of Standards and Technology (NIST) created these lists consisting of thousands of actions a person can do with a computer. These items are referenced as KSTs (knowledge, skills, and tasks). For example, KSTs are identified as Knowledge of packet-level analysis (K0062), Skill in using security event correlation tools (S0173), and the Task to identify potential points of strength and vulnerability within a network (T0751). The framework lets you define the responsibilities of the person in terms of those KSTs. The preceding KST examples de-emphasize job titles and tech stacks and instead communicate in clear language what an organization is looking for and what it expects of the candidate.
Screening candidates’ talent is the best way to ensure that the people you interview meet all of your KST requirements. By doing this you will shorten the interview process, cutting down on your costs, resources, and time while reducing bias in hiring. This directly helps you evaluate whether candidates are a good fit for the employer. It is a good sign for a person to claim they can conduct exploitation of wireless computer and digital networks (T0162). It is a better sign for that same person to demonstrate that competency. Whether they can or cannot, it gives hiring authorities a crucial data point that is often lacking. Maybe you want someone extremely experienced. Or, you want someone who has some of the KSTs and you would like to provide internal training to get them where you want them to be. Without the NICE framework, however, you won’t know where the person stands. Without the framework, you will converse with candidates and remain unsure whether their resume accurately reflects their talents.
Aligning your positions to NICE creates defined learning and promotion pathways for teams. NICE also provides a pathway to defining objectives and creating goals. Building goals and objectives leads to clear expectations, increased retention, and a defined career progression path. Another benefit of utilizing NICE is that members can move from one team to another. Utilizing NICE can avoid the need for an expensive external hire by drawing on your current team to fill a new role.
“As we formed our penetration offering, there was no real way to confirm the talent we were looking to hire through resumes,” says Brian Hubbard, a manager for Edwards Performance Solutions. “We found candidates that the industry would identify as seniors, but ultimately were not the right fit for the position. Once we ran through ESCALATE and assessed our talent, we were able to identify the right candidate based on the challenges provided.”
The NICE framework is the secret ingredient to clear communication when identifying talent during a hiring opportunity. The framework provides your managers with the tools and data they need to lead, understand the gaps, and plan accordingly to overcome them.