Who Do You Want on Your Cybersecurity Team?

Key Considerations for Building your Cybersecurity Team

* Follow up to June's article “Cybersecurity Education and Training (the devil's in the detail)”.“Cybersecurity Education and Training (the devil's in the detail)”.

For the past month or two, I'd been thinking about writing a piece to help organisations when they are developing a cybersecurity team and facing the task-  “We need to hire a security person!”  It sounds like an easy fix – right?  Not so, I'm afraid. So what does a “security person” do? I've been working for over 30 years in “security” and the best answer I can come up with is “Learn, Think, and Communicate. Then Do”.  “Not very helpful”, do I hear you say?

Maybe this will help a little more – Rafeeq Rehman, a gentleman that I've been following on social media for many years, produces and regularly updates a mind map called InfoSec Professional Responsibilities (What do Security Professionals really do?) (1) (latest updated May 2021). I use this document regularly as a “shopping list” when I'm reviewing my own professional development plan. It outlines almost all of the tasks that a security professional might do, but the catch is, not all security professionals can do all of these tasks (which is why large corporations employ multi-disciplinary teams covering many skill sets). 

So for small and medium businesses, this is what I think are the key considerations for building their Cybersecurity Team:

• Look at this mind map, and decide “What is really important to me right now?” Is it Risk Management? Is it Business Enablement? Is it Security Architecture? Or is it a combination of many of these? (and if it is, what are the lower level priorities under each high level heading).

The WHY relating to “We need to hire a security person!” will give you the answer to this. For example, if the organisation's objective is to move from on-premises to Cloud based infrastructure (and that's “why you need a security person”), then you might be looking for someone with experience of Risk Management, Security Architecture, Business Enablement (Cloud) with a smattering of IDAM and SecOps. Desirables might include Project Mgmt, Legal & HR (partner contracts & data management). 

• The next step is simple (but where I feel so many organisations stumble). Write a job spec based on what you need, what are the “must haves” and what are the “nice to haves”. (2)

Don't forget: If you don't need some skills long-term (e.g. only for the duration of a project or for a specific task), then it's much easier (and much cheaper in the long-term) to buy-in specialist skills on a fixed term contract. (3)

• Lastly: “I've written the perfect job spec. Why can't I still find a good security person to fill my job?” Have you considered that maybe you haven't provided the right conditions for the right security person to apply. This might be as simple as an appropriate salary, (4) but might be also linked to opportunity for growth and development, or the organisation's approach to inclusion and diversity, or other factors. If you want the best talent, then you need to be attractive to the best talent.   

Footnote: Last evening I read a LinkedIn post by Daniel Cuthbert, Head of Cybersecurity Research at Banco Santander, where he claims ”There isn't a cybersecurity/IT skills shortage. There is a shortage of modern interview skills.” 

Following up on this statement with my very favourite Head of Recruitment today, she informed me that she tends to focus on “cultural fit” along with demonstrated aptitude and ability to learn, over existing technical skills (which can be easily learned). Don't forget, when you're hiring a cybersecurity person, you want them to be able to enjoy their work, reach their full potential, and contribute to the success of your organisation.

1.  Items in red color are new that did not exist last year. Items in blue color are not new, they are just rearranged in a different section of the MindMap.
2.  Must have = Requirements. Nice to have = Desirables. Tip: Don't list something as a requirement unless you 100% need it. You don't want interviewers asking Governance candidates “Can you tell me what a SQL injection is?”
3. Cycubix Ltd consultants have a diverse set of security skills with over 60 years of experience in IT & Security. Please reach out to us if you need to fill any security requirement.
4.  I've seen many examples where CISOs with 10+ years of experience are being offered graduate salaries. Up until May (and the HSE incident, the pay for the Head of the National Cyber Security Centre https://www.ncsc.gov.ie/ was €89k (and they wondered why it wasn't filled?)