Poor recruitment processes are causing the great security talent drought
Mind you, applicants aren’t helping sometimes either
RSA 2016 It's a refrain at this and past RSA conferences, that companies can't hire enough top-notch talent, but it's addressable if companies hire smartly and applicants learn how to play the game.
"Far too many hackers have expectations that are unrealistic," said Tim O'Brien, director of threat research at Palerra – who has been on both sides of the hirer/hiree equation. "Generally, you've got a choice of a job being interesting, legal, or well paid – and you only get to choose two of those."
That said, the most damaging mistakes in hiring initially come from the companies doing the hiring. One of the biggest is relying on application tracking systems (ATSs) to filter the first layer of job applicants – these are usually not suitable for infosec jobs and dissuade many candidates – and more than a few employers.
"A lot of ATS systems require the input of a social security and driver's license number," said Magen Wu, a security consultant with Rapid7. "If you're a security person and think 'OK, I'll put my social security and driver's license number in there,' then I'm going to think twice about hiring you to protect my data."
But that cuts both ways, she said, and a lot of applicants will simply bow out when confronted with some unwieldy ATS. By far the worst ATS was the USAJOBS site run by Monster for US government positions, the two agreed, with its essay questions and clunky format.
Instead, employers and potential employees should concentrate on networking first as a way to further career goals. From an employer perspective, firms need to recognize that a lot of gifted security personnel have non-standard resumes. For example, contractor work is generally short term, and having lots of short jobs is a warning sign for some HR departments.
Companies also need to broaden their minds a bit, Wu said. Having tattoos and piercings doesn't mean someone's a convict any more, and HR departments need to be smart about the interview process – a lot of hackers are socially awkward and won't do well in group interviews.
On the potential employees' side, hackers need to make realistic demands. Big money jobs are few and far between and if a company can't offer you a big paycheck, consider asking for other benefits, like working from home occasionally, getting skills-boosting trips to conferences, or flex-time arrangements.
O'Brien also warned applicants not to get too smart with potential employers. That means no penetration testing on a company's ATS, and no including malware in a job application email to "test what their security is like" – both of which he has seen tried. Obey Wheaton's Law ("Don't be a dick!"), he suggested.
Companies should also be doing more to hire a diverse team, panelists said. Currently, women only account for around 10 per cent of information security positions, and with minorities, that falls to just 2 per cent, meaning there is a reservoir of untapped talent out there.
"Diverse teams win, it has been proven in studies time and time again," said Devon Bryan, the new chief information security officer for the Federal Reserve. "The folks' driving strategy needs to be diverse to avoid the groupthink mentality – and that's about diversity of thought and personality, not just race and gender."
At the end of the day, however, some people are just unsuited for certain roles, and employers have to accept that. A classic case is the FBI, which has been complaining that it can't hire hacking talent because they don't play by its rules.
"The FBI insists that you become an agent first before going on to its cybersecurity school," O'Brien told The Register. "That's just not going to work for many hackers, either philosophically, or because they have some earlier legal problems, so the FBI has its own rules to blame." ®