CISO Diaries
Mags22, Jan 11, 2024
Security incidents are rising, insurance premiums increasing, and the cost per incident is hard to overestimate. Paired with complex customer environments, cloud adoption, and an increase in remote work, protecting your IT infrastructure is more of a challenge than ever before. The result?
We need more cybersecurity professionals.
The talent shortage, coupled with an ever-widening skills gap, is burning out teams and, ultimately, raises our susceptibility to the rapidly evolving risks we face.
This all calls for a new way of hiring.
Cybersecurity talent shortages have plagued the industry for years, and they are only getting worse.
However, there’s a common misconception that there’s a lack of entry-level candidates applying for these open cybersecurity positions.
The real issue here is that these candidates aren’t considered “qualified”.
A demand for more qualified candidates with practical, real-world experience and skills has created this gap. And with many “entry-level” cybersecurity roles calling for 3-5 years of experience, something has to give.
So, how do we close that gap? We need to redefine what “qualified” means and shift our focus to who the ideal candidate really is.
By embracing a skills-based hiring culture, we encourage the idea that anyone can become a cybersecurity professional when supplied with the right tools and support, whether it’s someone from your IT team, a recent graduate, or someone from an entirely different career background.
Rethinking your cybersecurity recruitment strategy is more than just a good practice. It's a game-changer.
Imagine significantly reducing the time it takes to fill critical roles, providing a smoother and more effective onboarding experience for new hires, and fostering a more engaged and less burdened team.
This is not just about adding new members to your team. It’s about transforming the very fabric of your cybersecurity workforce, elevating your team's performance, and improving security posture.
Qualifications and certifications can only tell you so much about a candidate. To properly assess whether a candidate can do the job, you must look at their skill set.
But how can we measure these skills?
At HTB, we’ve noticed that effective teams map skills requirements to the techniques that matter for the job and the organization: the system vulnerabilities and misconfigurations their teams will actually hunt for on real engagements.
Our Professional Labs build skills that are mapped to the MITRE ATT&CK framework, relating critical skills to real job roles and responsibilities. Tracking these skills makes it easier to upskill (or test candidates) for a certain job role.
So, if a candidate uses a platform like HTB, you can immediately see from their profile what areas they are skilled in and where the gaps may be. You can then use customized or pre-built labs to test their skills.
💡Tip: Managers using the HTB Enterprise Platform can easily search courses using MITRE terminology and assign them based on the techniques and tactics relevant to their teams.
This search feature works with specific MITRE tactics or techniques (for example, the technique ID T1595 or its name, Active Scanning) or with text keywords found in the course material.
Let’s say you’re hiring for an incident response role.
You can use Sherlocks to assess a candidate’s digital forensics and network security skills with a Lab such as Repetitive-D. This is a much more accurate representation of talent than going purely by education and certifications.
We use HTB to evaluate the technical skill level of new hires—and it has been amazing at identifying talent. Internally, we leverage HTB to help support professional development and certifications required in the industry throughout our professional grades. We even plan to train our sales team using HTB!
Paul Craig, Chief Hacking Officer at Vantage Point Security
Skills-based hiring also provides some reassurance that your latest hire is already aligned with evolving threat actor tactics, techniques, and procedures (TTPs). This is helpful when presenting additional investment or potential hires to the wider business: you can show the tangible benefits they’ll bring to the organization.
Hack The Box has been a great platform for us as a recruitment agency to quickly establish the caliber of candidates we represent for ethical hacking positions. The platform provides a credible overview of a professional's skills and ability and a ranking that clients consider when selecting the right hire. An active profile on HTB certainly strengthens a candidate's position in the job market, making them stand out from the crowd and highlighting their commitment to skill development.
Ryan Virani, UK Team Lead, Adeptis
It’s important to manage your expectations and not expect all candidates to have the same skill set. Instead, search for a willingness to continuously upskill and a keen passion for the industry. This will give you an employee who wants to grow with your organization, provided you invest in their learning.
By depending only on recruitment agencies or simply posting your jobs on popular career boards, you often receive applications with similar experience levels and certifications. This limits the potential pool of candidates, leading you to overlook some fantastic talent.
Instead, hiring managers can adopt a much more precise approach to hiring by targeting cybersecurity professionals on the platforms they use.
This saves both time and money, reducing the number of unrelated applications and recruitment fees.
We spoke to Tom Williams, the former Principal Consultant at Context Information Security, who expanded his pentesting team by finding their profiles on cybersecurity upskilling platforms. He shared how taking a proactive approach to sourcing talent unlocks a unique pool of candidates.
We finally were able to target an audience that exactly matched the type of skills we were seeking. There aren’t any other credible job boards that specialize in penetration testing, Red Team, or just focusing on cybersecurity roles.
Hack The Box offered us the opportunity to post jobs directly to a community of hackers.
We got access to profiles that are non-traditional, this broadens your perspective and opens up a whole new addressable market of skilled candidates.
Filtering by rank provided an indication of capability. It’s how we found Josiah, who was working in a Blue Team role at the time. His profile likely wouldn’t have reached us via a recruiting agency because it did not meet the typical criteria.
Tom Williams, former Principal Consultant at Context Information Security.
To successfully move your organization’s cybersecurity hiring into the modern era, you need to ensure that everyone is on board.
HR, talent teams, and hiring managers should balance the new way of thinking about skills over credentials. This will ensure that everyone’s on the lookout for the right type of candidate and knows where to find them.
For example, if a blue teamer is applying for a red team position, they may have originally been ignored. However, with this new mindset, your team can appreciate how their skills could be transferred and actually benefit your red team.
Here are some ways you can get everyone on the same page and involved with the new way of hiring:
Provide a walkthrough demonstration of the MITRE ATT&CK Framework and what skills to look out for.
Offer a list of websites and platforms to search for cybersecurity talent.
Adopt this skills-based hiring culture across the entire organization, not just cybersecurity teams.
Have some success stories in mind to back up your reasoning for skills-first hiring over credentials.
For HR teams and recruiters, I’d suggest using specialist security job boards and industry forums, rather than general job boards. This can result in lots of wasted time sifting through candidate profiles that are not suitable for the role. Speak to your team to get tips on the best forums and job boards to post on.
Tom Williams, former Principal Consultant at Context Information Security.
Simply hiring junior employees won’t immediately solve the cybersecurity talent shortage. Existing employees also require consistent upskilling to keep pace with the ever-increasing complexity of infosec. And many employees, both junior and senior, actively seek opportunities to develop new skills.
In our Cyber Attack Readiness Report 2023, we surveyed 803 cybersecurity professionals and found that more than 70% of managers view team events like CTFs as a viable way to raise employee engagement.
What’s more, 68% of security team members rated “opportunities to learn skills” as the most successful way of staying engaged at work, while 62% of managers rated “opportunities to learn new skills” as the best way to prevent burnout among security staff.
With dwindling budgets, extra salary compensation isn’t always an option. Thankfully, cybersecurity managers are finding that investing in their employees—with fun Capture The Flag (CTF) events and offering a curriculum of upskilling—helps reduce burnout and boost retention.
The new era of cybersecurity hiring is a lot more nuanced than simply filling entry-level positions. We need to focus on the entire process and change our perspectives on “qualified” candidates. By broadening our horizons we open ourselves up to more talent and a stronger cybersecurity team as a whole.
Here are some things to keep in mind when hiring for your next cybersecurity role:
Prioritize skills above certifications and job titles.
Search for candidates with passion and out-of-the-box thinking.
Post jobs where candidates are spending time upskilling.
Make job descriptions accessible with a skills focus and flexibility on experience.
Have a strong onboarding process that prioritizes upskilling.
Invest in continuous hands-on learning with new and existing employees.
Why not lead the way by encouraging this new way of hiring cybersecurity teams? You’ll be building a long-lasting team for your organization whilst helping close the industry skills gap.
Hack The Box specializes in distinguished practical and guided cybersecurity training courses aligned with the NIST NICE and MITRE | ATT&CK frameworks, as well as unrivaled hands-on labs designed to help organizations close skills gaps, hire top talent, and protect infrastructure.
Become an HTB Subject Matter Expert
Are you a cybersecurity professional who wants to contribute to articles like this one?
Join the HTB SME program and you’ll benefit from the following:
A huge audience: Our HTB community has over 2.7 million members, giving you a huge platform to share your knowledge with and feature in our editorial content.
Networking opportunities: Meet other HTB SMEs and expand your professional network, meeting people you may never have connected with if it wasn’t for your involvement with HTB.
Recognition: Any insights you provide will be credited to you, including your name, title, and LinkedIn profile. Some content will get additional love on social media too!
Share your experiences: We’re giving a voice to cybersecurity professionals, providing you with a platform to share your knowledge and experiences.
Help others: Your unique insights are incredibly valuable to other cybersecurity professionals, or even individuals just starting their careers.
💡Find out more on our blog: Become an HTB Subject Matter Expert
Dan Magnotta (Mags22), HTB Federal Business Development & Capture Manager, Hack The Box. Dan Magnotta is an accomplished professional in cybersecurity and intelligence operations with more than a decade of experience in the military and private sectors. His career began with dedicated service to the U.S. Department of Defense, where he played critical roles in the U.S. European Command and U.S. Special Operations Command Europe, contributing significantly to cutting-edge cyber strategies. In addition to his civilian role, he serves as an LCDR in the U.S. Navy Reserve, showcasing his leadership and dedication as an Executive Officer for a Navy Reserve Unit. His expertise in cybersecurity, operational analysis, and strategic planning is extensive. At Hack The Box, he tailors solutions to meet the unique requirements of government agencies and organizations worldwide, leveraging his deep understanding of both military and civilian cybersecurity needs.