Hiring the Wrong Leader Could Sabotage your Cybersecurity Program
By Justin Silbert. Hiring for cybersecurity positions may seem the same as hiring for any other profession: create a job description, solicit resumes, interview, and hire the best candidate. But too often, the wrong person is placed into the critical leadership position of securing the organization. The most common cause is the inability of hiring managers to assess cybersecurity leadership skills, mostly because they are looking for the wrong skillset.
Many people equate IT and cybersecurity, but the function of IT staff is very different from that of cybersecurity staff. IT departments support a business by ensuring availability, building capabilities, and delivering solutions that help drive performance. In this role, the goal is stakeholder satisfaction and uptime. Cybersecurity, on the other hand, has a mission to protect and secure the organization and its stakeholders, not to satisfy them. This requires a fundamentally different perspective, which may sometimes be at odds with other business units.
So how can we increase our chances of hiring an effective cybersecurity leader? It starts with defining not just the technical skills, but also the non-technical skillset that would thrive in the cybersecurity role.
- Inquisitive Mind. Whether analyzing network packets or evaluating supply-chain partnerships, cybersecurity professionals should view the organization as a target and look for gaps which can be exploited. At the leadership level, this is especially important as it is critical to understand the many different business activities and improve insecure practices in a methodical manner.
- Preparation. The best defense against attacks is anticipating their occurrence, implementing preventative controls, practicing identification, and developing a pre-defined response. Without preparation, cybersecurity just becomes a response function with limited success.
- Competitive Personality. As cybersecurity is typically not a revenue generator, the CISO usually needs to fight for budget and persuade other managers to implement secure practices. Productive debate is healthy in the workplace and will be necessary to progress security initiatives.
Not all IT staff are equipped with the above intangible skills. Additionally, cybersecurity specific knowledge can take significant time to learn:
- Compliance. While compliance should not be treated as the end goal, industry regulations are an important business concern. Knowing how to address compliance standards and utilizing compliance as a building block to a more comprehensive program are key factors to success.
- Risk Assessment. Not to be confused with compliance, risk assessment goes well beyond simply addressing legal requirements. It is critical to view risk as an organizational issue related to business processes and not simply an IT problem. Risk is both internal and external, so a holistic view is necessary to ensure an effective program.
- Domain/Technical Knowledge. While it is not necessary for a cybersecurity leader to know how to reverse engineer malware, it is critical that he/she has applicable experience and can communicate effectively to earn the respect of the team. A candidate can easily confuse a non-technical hiring manager, so, when evaluating staff, it is important to be able to separate the useful experience from the fluff.
Organizations can have the best technology and processes in place, but people are the most important part of the equation. It is not reasonable to assume that because someone is a good developer or system administrator, he would automatically be a good security professional. If you are working from this premise, then you have already sabotaged your program.
So, be circumspect when evaluating cybersecurity staff. Organizations should consider outsourcing the search to a firm specialized in recruiting cybersecurity leaders. As with any other profession, past performance is the best indicator of future performance. Look for someone who has proven operational experience leading a cybersecurity program, securing the organization and protecting the business.