
Sourcing Security Superheroes: Part 1: Battling Retention and Recruitment

In this three-part series, we will discuss the challenges within organizations to retain and develop top cybersecurity talent, and outline the organizational steps companies can take to keep talent in-house.


Being a security defender means to serve and protect your territory at all times. It’s a never-ending job because, quite simply, the attacks never end. When things go well, you’ve done your job, you go home and live to fight another day. When things don’t, which can be often in the modern threat landscape, the blame immediately lands at your door. It’s a tough job, and those with the desired skills and resiliency to manage such extreme pressure are few and far between. Cyber attacks have grown roughly 35 percent in the last three years, putting every company and individual at risk. Continuously escalating attacks are hard to detect with traditional security tools. Add to that the overall lack of skilled security professionals to prevent, respond and hunt for attacks, and we’re left with organizations dealing with a security epidemic.

According to ESG, in 2014, 25 percent of all surveyed organizations said they had a problematic shortage of infosecurity skills. You may be wondering which types of infosecurity skills had the biggest shortage, and unfortunately skills are lacking across the board. The same ESG survey showed 31 percent of organizations have a problematic shortage of endpoint security skills, with 30 percent of organizations lacking in data security skills, and another 30 percent experiencing a shortage of security analytics and forensics skills. When this skill shortage is paired with rising cyber threats, the effects can be devastating. As revealed in Ponemon’s 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, the average cost of a data breach to a company was $3.5 million in US dollars, 15 percent more than what it cost the previous year.

It’s clear the enterprise needs to bulk up cybersecurity teams in order to be prepared to effectively combat cyber attackers and to maintain business and mission continuity. So why has information security been the top “problematic shortage of existing IT skills” category for four years in a row? Let’s enumerate the challenges.

Changing the way we approach recruitment

One of the fundamental issues in the industry is the way departments and organizations in the public and private sectors manage security professionals. The mindset of cybersecurity practitioners is very different from most others in the corporate world. Think about what makes security professionals successful. They are smart, creative and don’t like to follow rules for the sake of compliance. It’s their ability to ignore constraints and to be disruptive that allows them to solve problems in new ways. Structured thinkers are important in all organizations. But the bottom line is that enterprises need creative hunters, not just responders, on the frontlines.

If we apply that way of thinking and interacting to the traditional workforce, we can see where conflicts start to arise. Organizations like to hire from the highest pedigree of universities and pick the best and brightest graduates. But there are only a certain number of these high-performing graduates available every year and they go to the highest paying offers.

Government departments struggle to compete with fast-paced organizations that can react more quickly to pay higher salaries, adjust benefits packages or offer flexible working conditions. Government and more mature organizations are often bureaucratic and rigid in nature and structure. Getting anything changed or approved, like increased pay or job classification for security talent, is usually not an option. So by focusing on pedigree universities, they fail to pick candidates on competency and capability alone.

Recruiters should look beyond resumes and what’s on paper and assess the candidate by determining if they possess the passion, the essential work habits and the intellectual curiosity needed to succeed as a cybersecurity practitioner. Because the threat landscape is always changing and evolving, a strong cybersecurity practitioner is always tinkering and learning: learning to use new tools and techniques and staying up to date with changing threats and vulnerabilities. A good candidate would be a regular reader of security blogs, such as Krebs on Security or Dark Reading. Stronger candidates would have public projects on GitHub and would show a strong desire to attend hackathons and meetups. The more involved someone is in the security community, the better versed they will be in their job. Depending on the job requirements, recruiters could focus on candidates who approach security with a more holistic view, or those with specific interests in threat modeling, technology implementation, testing, specifications or vulnerability assessment.

The experts who will solve some of the greatest security challenges won’t always come from top tier schools with post-graduate diplomas. These people may not have PhDs and may not have been to an expensive private institution. Many will be geeks of diverse backgrounds and self-directed learning attitudes. They may be college dropouts who became impatient with traditional systems and bureaucracy and broke free. They will be individuals who have had experiences that forced them to think outside the box and be creative. We think of hackers as deviant and unpredictable because they are resourceful, creative, opportunistic and focused on their goal. We must hire people who have similar mindsets if we are to prevent future attacks.

Techniques for finding talent in unlikely places

There are companies that do a good job of finding new talent. Some host parties at specific security events like RSA or DEFCON or BSIDES. The idea is to mingle with practitioners in order to foster relationships to build a pipeline of talent. These gatherings provide social validation of skills. It’s where professional and social friendships are formed, helping further strengthen and nurture the community, as well as the pool of resources.

Alternative strategies include sending recruiters to security events to meet potential candidates. This can take time and be a tedious process. But in the long-haul it can be rewarding, especially if the recruiter focuses on individuals competing in events. This can be a great way to identify if a potential candidate is passionate about cybersecurity and seeks to grow their skills.

A hackathon or Capture the Flag (CTF) is a good example of such an event, in which programmers, enthusiasts and cybersecurity practitioners compete to attack or defend live networks, find or fix bugs in software or hardware systems, or build new innovative solutions for problems. These competitions are usually part of larger events, such as BlackHat, BSIDES, DefCon, regional security conferences (cons) or development conferences, such as TechCrunch Disrupt or DeveloperWeek. Hackathons typically conclude with presentations from each team demoing the solution or attack they have developed. These events offer recruiters a pool of demonstrated talent.

The companies that truly understand the nature of a cyber defender are going above and beyond to find talent. They are offering internal employees the opportunity to retrain and explore something completely new. For example, a member of the marketing team can spend the day with a security analyst. Some organizations will even encourage employees to attend and compete in contests not at all related to their everyday roles, opening up new trainable talent from an existing pool of resources.

Retaining talent

The current market provides a lot of opportunity for security talent. While compensation is a driving force for many, security professionals are also looking for additional reward and motivation.

Often, security teams find the constant pressures from the ‘blame culture’ of corporate America too intense. The fear of getting your CISO fired, or of losing your own job because you were not able to prevent a threat, eventually takes its toll. Furthermore, it’s a signal of a bigger problem: organizations do not understand the work involved or how to motivate the security team as a whole.

By nature, security practitioners are often very loyal. They have a guardian mentality – which is why they work tirelessly, despite knowing that the odds are against them. Most security practitioners have a passion to serve and protect their organizations. If the same sentiment is not reciprocated, this usually triggers them to seek other opportunities. Organizations tend to hold on to traditional policies and fail to invest in training. Management may not recognize the value and the need to provide security teams with the freedom to interact and learn from others in their industry through events and forums. Eventually exhausted, under-appreciated and worn down employees find new opportunities. They may be enticed by money or freedom to learn and pursue their passion for security, leaving the previous organization with another security vacancy to fill.

Overall, organizations need to be more forward thinking and look beyond traditional HR practices when it comes to growing a security team. For those that do have talent they want to hold on to, be diligent! Be deliberate about appreciating your cyber defenders. Invest in the continued growth and education of your team. The cybersecurity epidemic is an everyday reality, and an intellectually curious and devoted practitioner is your only ally on the front line.

About the Author

Monzy Merza serves as the Chief Security Evangelist at Splunk, Inc. He has over 15 years of tactical and cyber security research experience in government and commercial organizations. His experience has included vulnerability management, security product testing, penetration testing, adversary modeling, cyber tools and infrastructure development. He has also served as content developer and instructor for cyber trainings and red/blue team exercises. Monzy has been an invited speaker at government and open conferences. Monzy's current research is focused on integrated approaches to human driven and automated responses to targeted cyber attacks.


The next article will look at the role of security policy. Does policy hinder or nurture the effectiveness of early breach detection for security teams?
