Monday, October 31, 2016

Employment expectations' mismatch and recruitment pitfalls in InfoSec

This article is considered to be a follow-up to the "Hiring your first security professional", so if you haven't yet, I recommend you to read it before you continue with this one.

For a last few years there wasn't a month when I haven't read about InfoSec professionals shortage, security skills gap and what not. To give you a proper context I'll rant a bit about why I don't believe in those dramatic claims and then we'll jump into action items for organisations that want to improve their recruitment processes.
If you already have a great security team, and you don't have any problems with hiring then awesome and I'm happy for you. However, if you're somewhat struggling with building an InfoSec Team, then it's likely that you're making some of the mistakes I described below.
Because of those questionable recruitment practices, great organisations are shutting the doors on great professionals which makes both parties suffer, because even though medias say about 0% unemployment rate in our sector, it's not that easy to find a great place to work.
It's easy to find a job, but there is a difference between a job and a good job.

I really get it that hiring is hard and that's exactly the reason why I want to help you. Reality is what it is and the only way to survive is to adapt. Old days are not coming back and things that worked for last 40 years aren't working as good anymore and if it's going to change even more into the harsh direction I'm describing here.

Let's build a factory to produce masses of security professionals


I do believe that world needs more of creative and skilled people who'll be pushing our industry forward. But I don't believe we so desperately need masses of mediocre security "professionals". 
Some people claim that the ultimate cure are going to be government programs and we need to lure masses into security field using money and easy access to education. Well, most of the highly skilled InfoSec people I've met were at least a bit passionate about security and joined the field without external baits.
I'm not saying that they shouldn't be doing this. If governments and organisations want to spend money on it then that's cool because we'll get more attention which  may spark a passion in youths and can be a great help for poor people who want to break into security, but I truly doubt that's it's going to completely fix the problem of professionals shortage. 
If we create a factory to produce people who were attracted only by fancy buzzwords and easy opportunity, then how much value are they going to bring to the world and employer's organisation? How much time are they going to spend after hours to educate themselves on constantly evolving field if they had to be paid to learn basics?
InfoSec is a very creative field, so how are masses going to fit in? If there is a guidebook by which they're going to be taught, they'll be human-bots so wouldn't it be cheaper to replace 90% of their work with automated scripts? Most of them are going to do basic and automatable things anyway, and for the other 10% I can visit your office and spend 1 hour per week to do that work. + I'll do it 10x better without additional pay for quality, so it sounds like a good deal, doesn't it?

I appreciate that there are professionals from other sectors like software developers who're trying to learn InfoSec and to whom those programs can be truly beneficial. Actually I believe we should focus more on helping current workforce because they already have a lot of knowledge and experience which makes them number of times better than factory-made professionals specialized in InfoSec .
Quality over quantity, but maybe that's just me.
It's great that we're making InfoSec a big public thing, but till those big programs start bringing valuable results we need more practical solution.

Succeed by adjusting to the current market. Complaining doesn't change a thing.


I just believe it's that the current workforce is unutilized because of the outdated employment rules business world follows.
The industry talks about huge effort (let's produce millions of security guys) instead of trying to look for simpler, cheaper and quicker solutions. Why? Because actually doing something right now it's out of the comfort zone and it's better to wait 10 years and each time complain how the process takes time. We could do something right away but that would require to take the risk and change the rules that have been setup a few decades ago in no-yet-global world. It's better to drop responsibility on who-knows-actually-who and whine how insecurity of organisations is caused by global problem with staffing. Well, that's a neat excuse, but only for someone who's not familiar with realities of InfoSec recruitment practices.

Something that have chances to be actually beneficial is adjusting to the market instead of sitting there, complaining and waiting for things to sort themselves out. We talk a lot about global problems with InfoSec staffing, want to spend gazillion on education programs which may take effect in 10 years from now, but why aren't we talking as much about quick-win solutions? Why don't we get to basics and see how much can be done there to produce immediate results?
Wouldn't it make sense to focus for a while on messed up expectations in poorly written job descriptions that within a seconds of reading leave me with negative feeling about the job poster? Wouldn't it be more appropriate to call all of these an employment expectations' mismatch?
Good InfoSec professionals want to have multiple options. They want to work remotely, for a good pay, be challenged for fun and to progress their career. Many of them would love to work additional 30hours for you as an addition to their full-time job, but well you don't let them to. At the same time, your full-time security guy may be working 30 hours or even less. I get it that you'd prefer to have someone onsite, whom you can oversee and all that, but it's all wishful thinking because you can't always get what you want. We'd all love to have Mitnick, Dan Kaminsky, Mikko, lcamtuf, Taviso, j00ru and Dave Kennedy on-site work full-time, but we can't!

I've seen already a bunch of smart organisations switching to global, remote model to attract greatest InfoSec professionals. They had reverse engineered the market and have won and you're still waiting for miracle to happen.
I haven't seen a single job offer that would hang for long if it allowed remote and part-time work and your competition is going to figure this out sooner or later. Demand is higher than supplies and there is no doubt about it, so don't be the last one to join the race for great employee, because you'll end up with average.
Don't let your 90's mindset make you hire someone who doesn't really fit the role just because he's onsite. World is evolving, so should you. Blaming the world for problems you create by not adjusting to the market is silly. 

Tweak recruitment practices to attract the greatest


Not the best in your city, but the greatest on the planet. To make it simpler for you I've reverse engineered the current InfoSec market and here are the results.
It's all up to you if you want to apply one or all of these suggestions, but I'm certain that any of them is going to be beneficial for your organisation.
  1. Open yourself to remote workers
    We're getting there as an IT industry in general but it's even more valid for InfoSec sector.
    Number of great InfoSec professionals is smaller than amount of great programmers, so even though their market is in better shape they've decided to allow remote work anyway. Why aren't we doing the same yet?
    There is a plenty of great people out there who are out of your sight. Maybe there is an absolutely great fit in Belarus that would be thankful for a remote job in your US startup.
    If you really want to hire the best of the best, then you need to look outside of your city. Best hackers are spread all around the world, and the only way to have them on your team is to open yourself to remote work. If someone is really great, he has so many options that most likely he won't trouble himself with emigration hassle.
    Yes, I'm sure there are companies that need on-site guy who'll manage things locally and it's fine, but I've seen countless number of positions that have no practical reasons to require it.
  2. Accept part time roles
    How can you tell if you need someone full-time? Do you have real reasons for that or it's because everyone has been doing this for last 40 years so it seems like you should follow?
    I know plenty of InfoSec professionals that have a great full-time job but would love to take additional part-time role to earn additional money or just have fun. Who cares what the reason actually is, they're available and this is what should matter the most to you.
    Today, within one working day I'm able to do what used to take me entire week 5 years ago.
    So if you were to choose today's me working part-time 20h/week or me from 5 years ago, which one would you pick? It's efficiency that matters more than number of hours put into doing something and in creative work 40-hours workweek is long dead anyway.
  3. Reconsider offered compensation
    Do you really think that if someone has qualities you're expecting, he'd work for you instead of financial gig who pays 2x what you do? If you're looking for 10Xer from "Hiring your first security professional" you simply can't offer regular salary and sometimes you'll need to double the average market pay to attract him. Countless number of times I've seen set of requirements under label of $90k Security Analyst which would make a great $200k CISO, and I guess those are victims of stolen copy-pasted job postings.
    If you're really budget limited then remote work and part-time are the only help for you if you want to keep the high level quality of the work.
    If you offer $100k for remote worker in Eastern Europe, you'll attract the greatest hackers willing to work extra hours, while in San Francisco $100k will get you average worker, because it's just about average pay in that area.
  4. Be self-aware of your attractivenessYou need to know your place, because if you're a startup no one ever heard of, it's not advisable to expect Mitnick or taviso to join your team.
    Just because you're looking for the same role doesn't mean it's practical for you to put same requirements as giant corporations or attractive over-funded startups.
    You obviously can require miracles, but bear in mind that if someone has all the qualities required by Facebook, he'd most likely apply to FB, not for low salaried position in an organisation with doubtful position on the market.
    The same applies to boring and highly corporate environments. If you don't have right culture and enough challenges for InfoSec minds, then you'll need to play other cards like lowered requirements or above-market salary. There are jobs that 5 years ago I'd love to do, while nowadays they're too boring to bother even as a part-time thing.
  5. Recognize internal talent
    If your organisation desperately needs security engineers then why won't you come up an internal program to help your software engineers level up their game? Often times an employee who had been in the organisation for a few years has already made tons of great observations that would improve security if he was given authority to fix them.
    Retaining great people is hard but loyalty of a hacker that knows your organisation and systems inside out is invaluable in long-term game.
  6. Make it clear what's the career progression pathIt's important if you want me to for the rest of my life be a guy who closes JIRA tickets after IDS alerts and installs AV on employees workstations.
    We want to grow, we want to excel, we want to do shit that matters. How does taking the role in your organisation set me up for greater career and bring me closer to becoming a CISO?
  7. Are security certifications really that important for you?Good InfoSec professionals don't need certification to land a decent job. If organisation requires me to have a cert then it's their problem because I'm not a match for them. I'll find a job easily in other organisation without such requirements. If you find a great person, evaluate him on individual basis and don't blindly reject great professional because of a few unticked checkboxes on your requirements list.
  8. How my university degree really benefits your business?I've been wondering how Polish university makes me a better hacker? I'm not saying it's not useful for junior positions, it's definitely important to know IT/Network/Software fundamentals, but if your requirements is 8+ years of experience followed by university degree then what's the deal with that? If someone has 8 years of solid experience, don't you believe he has been doing just great?
    I appreciate that for some deep research roles PhD can be beneficial, but it makes me feel sorry for you if you require masters degree for the most regular penetration tester role.
  9. Consult a new role with InfoSec professionalRegular internal HRs rarely know how to create a job description with sane requirements. It's not that I blame them, it's just InfoSec field is so dynamic that it's hard for HR generalist to keep up with pace of our field. I know a handful of awesome recruiters who are killing it and really know what's going in InfoSec world, but it's mostly because they're specialized in InfoSec only + they really care about the work they do, which can't be told about most people in human factories.
    Someone who is in the profession or even better, InfoSec pro who knows your organisation inside out can be a great help while forming a job description.
    If you already have a security person in your organisation and you're having hard time attracting new ones, then it's a solid indicator that something is really wrong with a culture in your organisation. Assessing the skillset in InfoSec is hard so trusted recommendations are priceless and you should really work on that.
  10. Use external recruitment agency to help you outDon't treat them as necessary evil. Just on LinkedIn I'm following a bunch of great InfoSec recruiters who really know the craft. Very recently I've seen one of my connections taking an OSCP course because he wants to know pentesting industry better. This is the spirit you're looking for, and be careful because there are many recruitment agencies that are InfoSec-specialized-wannabe and have no clue about the industry.
    If you have hard times finding good recruitment agency, feel free to hit me up and I'll let you know about the greatest folks I know.
  11. Don't be boring
    Sometimes it takes a minute of reading a role description to make me bored. Sometimes the job posting is so boring that I'd have to be paid 2x what I currently make to consider part-time remote role there.
    Why don't you spend a few minutes more and use your emotional intelligence to write a honest description that can resonate with me? If the only thing in job description is generic name of the position and rich set of requirements, it gives me no clue what I'm going to be doing there and how much ownership am I going to be given.
    Why would I choose your organisation if your description says exactly what 90% of other job postings?

Go review your job postings and being now aware of the options InfoSec pros have, do you still think you're attractive enough? Would you yourself want to work in an environment presented in that job description? Would you go through all that hassle related to obtaining certificates and college degree just to pass a initial resume checks and land in boring job with a low pay that you're offering?
What makes you cool enough to convince me that I should work for you in the loud office instead of a remote startup that pays good money, allows freedom of execution and don't care about my degree?

No matter if you're going to attack a local or global market always observe, reverse engineer and adjust.
Good luck and fix yourself quickly, because your competition is working on this already.

No comments:

Post a Comment