How to Find, Hire Good Security Pros — Even if They’re Already Happy

It’s understandable that the talent pool has practically gone dry. Demand for security professionals continues to soar while new talent production ekes by, and seasoned talent are already contently employed. Recruiting security talent at any skill level seems an impossible task under such circumstances.

“There aren’t many fields where the majority say they’re happy with their profession — except for cybersecurity. Overall, 83 percent say they’re satisfied with their jobs. When it comes to the future, 80 percent feel secure about their role, and 86 percent would recommend a cybersecurity career to new college graduates,” says Stephen Moore, chief security strategist at Exabeam, a security intelligence company (SIEM).

Nonetheless, you need security professionals – you have to have them – and you need them up and running as of yesterday. There’s no workaround or back-order process, nothing you can do but go find them and convince them to join your cause and your payroll. So where do you find these elusive professionals?

Where to Look

“There are three places to find security professionals – in other companies/agencies, at the beginning of their career journey, or hidden in your organization,” says Amjed M. Saffarini, CEO of CyberVista, a Graham Holdings Company. It’s a cybersecurity training and workforce development company.

Finding and recruiting talent from other companies is a tricky business. In many cases they are content where they are and not really interested in entertaining other offers; however, there are established security pros who will be open to an offer than meets their current needs, such as better life/work balance, more interesting challenges, and/or increased opportunities to learn.

Obviously, you can’t just go knock on other companies’ doors and ask to meet their security team. Look for these professionals at conventions, social events that your current security people enjoy, in open-source projects, on speaker bureaus, as authors of blogs and professional posts, attending or competing in security challenges, and other online and real-world hangouts where security-minded people are known to gather.

Finding talent that has not yet fully bloomed, meaning those people who are just beginning their career journey or starting to make a career change, is a bit easier. Look to universities, technical training programs, veterans’ groups, and even high schools and middle schools for talent you can train to your specific needs and their individual capabilities.

“It’s a good idea for organizations to hire from advanced technical training and certification programs where qualified candidates have already been put through a rigorous interview process. This not only reduces the recruiting/hiring cycle but also reduces training and certification expenses that would otherwise come out of the company’s budget,” says John Maddison, SVP of products and solutions at Fortinet.

Don’t overlook military veterans, as most already have a finely tuned security mindset and the discipline necessary to succeed at defending their charges.

“Veterans are already trained in cybersecurity and understand the idea of militarization better than any civilian. Each year over 200,000 members of the U.S. Military change from active-duty positions back to civilian life, facing unemployment once they are done with their service contract,” says Craig Hinkley, CEO of WhiteHat Security.

“Organizations can attract these individuals by continuing to foster programs that train veterans in cybersecurity and provide certification programs. Businesses can also take place in mentorship programs put on by the Department of Defense and any placement opportunities,” Hinkley added.

Finally, look internally for talent you can develop into security professionals. Odds are you’ll find more candidates than you realized were already on your payroll.

“Those employees with the right attitude and desire to learn should be considered for vacant, more senior roles. Assigning an internal mentor, establishing a formal training program and incorporating a little TLC can translate into growth and internal mobility within a company,” says Samuel. “This also sends the right message to the staff that internal promotion is a true and real possibility. Additionally, creating longevity with internal staff is a great sign of a good company that takes care of its own.”

One quick caveat of note: if you’re hoping to recruit ex-government workers, you might need …