Can. Trust. Will.
Hiring for the Human Element in the New Age of Cybersecurity
Leeza Garber and Scott Olson
Copyright Business Expert Press, LLC, 2022.
Can. Trust. Will. is a Registered Trademark of Leeza Garber and Scott Olson
Cover design by Divya Pidaparti
Interior design by Exeter Premedia Services Private Ltd., Chennai, India
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopy, recording, or any other) except for brief quotations, not to exceed 400 words, without the prior permission of the publisher.
First published in 2022 by
Business Expert Press, LLC
222 East 46th Street, New York, NY 10017
www.businessexpertpress.com
ISBN-13: 978-1-63742-167-3 (paperback)
ISBN-13: 978-1-63742-168-0 (e-book)
Business Expert Press Business Law and Corporate Risk Management Collection
Collection ISSN: 2333-6722 (print)
Collection ISSN: 2333-6730 (electronic)
First edition: 2022
Description
Cyber threats evolve at a staggering pace, and effective cybersecurity operations depend on successful teams. Unfortunately, statistics continue to illustrate that employers are not finding the people they need.
The Can. Trust. Will. system guides the C-Suite, human resources professionals, and talent acquisition to build unbeatable cybersecurity teams through advanced hiring processes and focused onboarding programs. Additionally, this book details how successful cybersecurity ecosystems are best built and sustained, with expert analysis from high-level government officials, Fortune 500 CSOs and CISOs, risk managers, and even a few techies.
Those already in the field (and newbies) will glean invaluable knowledge about how to find their most effective position within a cybersecurity ecosystem. In a tech-driven environment, cybersecurity is fundamentally a human problem: and the first step is to hire for the human element.
Keywords
cybersecurity; human resources; information technology; data breach; hiring; c-suite; onboarding; interview; career; behavioral interview; budget; budget process; security budget; IT; talent acquisition
Why We Chose to Write This Book
From the humble beginnings of the Arpanet and a worm called Creeper, cybersecurity as a field has grown by leaps and bounds. Now, in the year 2022, every private corporation, government entity, public school, private university, mom-and-pop shop, massive financial institution, and local bank branch must consider cybersecurity and the people they hire to carry out cybersecurity directives. The massive growth of the field is staggering, with demand for cybersecurity experts estimated to be growing twelve times faster than the current job market in the United States. In short, every industry is struggling to find and retain employees who address cybersecurity needs. The structured solution offered in this book will guide the C-Suite, internal and external talent acquisition teams, and human resource professionals charged with navigating this challenging arena. Eligible employees come from information technology, engineering, security, privacy, risk, legal, computing, and human resources backgrounds, each offering a different piece of the puzzle. Compounding the complexity of the concept we term cybersecurity is the variety of full-time, part-time, contract, and As A Service (AAS) employees every employer must consider. What we have found, over and over again, is that cybersecurity is fundamentally a human problem, and must be addressed accordingly.
We have been fortunate enough to speak with leaders in this space from a wide range of backgrounds, and have incorporated their valuable insight into our hiring model: from the Director of the National Initiative for Cybersecurity Education at the National Institute of Standards and Technology in the U.S. Department of Commerce; to the Director of Information Security Governance Risk and Compliance for the University of Wisconsin System; to the Vice President and Chief Security Officer of Dominion Energy (a major energy supplier for the U.S. government and countless private entities); to the former Chief Information Officer of the U.S. Air Force and current Senior Vice President of Leidos (the largest IT provider in the federal market); to the Director of Technology Infrastructure and Information Security of a Major League Baseball Team.
Outline
Technology is inherently and firmly rooted in everyday life. Safe interaction with information technology systems is increasingly important. Fortunately, many companies are aware of the risk and corresponding liability which arise from maintaining ever-growing amounts of data, and they emphasize building systems which will stay ahead of cyber threat vectors. Developing and implementing solutions to ongoing cyberattacks and data breaches requires creative, focused, and highly trained employees. The challenge is finding the right people who are capable of creating effective solutions to evolving problems. As a result, the cyber world is struggling to find the human capital it needs.
It was predicted that there would be 3.5 million unfilled cybersecurity jobs globally by 2021, up from one million positions in 2014.
Compounding this problem is the fact that clear descriptions of job roles and responsibilities are substantially lacking. The research shows that professionals in the field of cybersecurity respond better to clearly defined job requirements and descriptions. Vague descriptions are not only a
Defining who you need for certain roles is more challenging for jobs relating to cybersecurity because these positions are situated in a rapidly evolving field involving specialized skills which must be adapted to unique workplace environments. Even though the initial strategy at the outset is often to set the bar high, begin reviewing applicants, and then compromise on one or a few competencies, this compromise is rarely realized. This is because once a good enough candidate is identified, at least one person in the approval pipeline will ask why a candidate who fails to meet the job description is being considered at all. But there are valuable cybersecurity candidates, whether for technical, compliance, risk, legal, or executive roles, that come from all different backgrounds and can be trained. The real question is: do you know (and understand) what you need?
The single most important part of this process is often overlooked by most hiring professionals, and not only those focused on cybersecurity. To hire effectively, you must know, in specific detail, exactly who and what you need for each specific position. Job competencies, particularly those based on surveys or industry research, are insufficient because they are too general. Relying on credentials or completion of specific training courses, without a deeper dive, is also not enough to differentiate between candidates who will succeed and those who will fail. Defining who you need for certain roles is more challenging for jobs relating to cybersecurity because these positions present a field that involves specialized skills the president of Montreat College (which is a National Center of Academic Excellence in Cyber Defense Education), explains why cybersecurity is a human problem: