TLDR:
- While there is a shortage of cybersecurity professionals, finding qualified candidates for open positions is possible if teams can follow a number of steps designed to help them succeed
- Avoid common mistakes when looking for candidates, such as asking for too much from the candidate in the job description or hiring for tasks that your tools already do
- If you’re looking for a great place to get started on the candidate search, look internally
If you haven’t noticed, there’s a shortage of skilled cloud security professionals on the job market, and employers are scrambling to find the best candidates. Unfortunately, many employers make a number of critical mistakes. These mistakes leave them with open positions. Those open positions result in critical risks remaining unaddressed… and we all know where unaddressed critical risks take us (to the front page of a newspaper). In this blog post, I’m going to outline how your organization can find (and hire) the right cloud security professionals to help your team achieve key security initiatives.
Mistakes to Avoid When Searching for Potential Candidates
Hiring a Whole Team into One Person
The biggest mistake in writing a job description is to write a team job description instead of an individual job description. Sure, your cloud security team ought to be adept at every major cloud platform your company uses (which, honestly, is more of them than you think). It’d be excellent if your whole team understood the ins and outs of compliance regimes like FedRAMP, PCI, and HIPAA/HITRUST. Even better if you had vulnerability experts, malware analysts, threat researchers, project managers, and people familiar with every language your organization wrote code in, from Rust to C# to PHP, and had experience as sysadmins on Linux and Windows systems, as well as familiarity in all the various serverless and container environments.
Whew. That’s a lot. Written that way, it’s obvious that no one person is going to handle all of that – and we haven’t even mentioned management, distributed systems architecture, or communications skills yet. Ideally, you want someone who will check as many boxes as you don’t currently have on your team. In writing a job description that suggests you expect all of these skills (and perhaps at an entry-level salary), you’ll keep plenty of good candidates from applying.
Not Offering Opportunity for Career Advancement
Who better to fill a cloud security engineer role than someone who just spent four years excelling as a cloud security engineer? Put yourself in their shoes. Why would they want to do the same job that they’ve just finished learning and succeeding at? Odds are, they now want a senior cloud security engineer position – or perhaps they want to specialize, and will be looking for a cloud threat researcher or cloud security architect role.
The person you want to hire has a different job title today. If you’re hiring for a cloud security engineer, then the positions that generally lead into it have titles like cloud engineer, security engineer, and cloud security analyst. For each one of those roles, think about how you’d know if a candidate had succeeded in that role, and what additional skills they’d be starting to learn that would show that they could come into your team and grow into a successful cloud security engineer. In other words, compose the job description in a way that makes it clear to candidates they will be progressing in their career, and be reasonable about what skills the candidates should already have coming into the role.
Hiring for Tasks that Your Tools Already Do
You probably already have some security tools that help with your cloud security needs. Two critical mistakes you can make is to hire people who are skilled at manually doing the tasks that your tools do automatically (although they may appreciate not ever doing it again), and to not hire people who are good at being an interface between your tools and the rest of your organization.
Look into what capabilities your vendors already bring you, and whether they provide training on using their tools, through some form of Security Camp. If so, then while it may be ideal for you to hire candidates with experience, you can also promise that you’ll train candidates who show promise. Ask the vendors what they’ve seen as successful candidates for their other customers – they hopefully aren’t in the business of helping you poach from other customers, but they likely can tell you what skill sets have been most effective at other companies.
Scouting Only External Candidates
Once you’ve realized that you’re going to allow people to grow into your cloud security engineer roles, what better place to let them grow but from elsewhere inside your organization? Maybe the SRE team has someone who wants to learn security. Perhaps the enterprise security team has someone who wants to move into cloud. Maybe the cloud security operations team has someone who wants to do more engineering.
Steps to Securing the Right Security Team Members
The hardest part of hiring isn’t finding great candidates – it’s learning not to chase them away with job postings that require far too much experience. If you avoid the common mistakes outlined in this post, you are likely to see higher success in both finding and retaining quality talent.
On another note (added bonus!) I have a few thoughts on the concept of employee retention. Investing in professional development is the strongest retention program a leadership team can implement. Too often, development activities are restricted to the highest performers, making it clear to many people in the organization that they don’t have a future there.
My advice is this: don’t try to hire people (or wait to promote those) who can already do the job you want; they will get bored easily and develop a wandering eye faster than you can imagine. If you don’t have someone in-house to develop, hire someone who is almost ready for the position. Look for that person who is hungry to learn and shows the soft skills needed to work well on a team, communicate effectively, and stay focused.
Let’s sum this up: to hire the right cloud security professionals, you should look to do the following:
- Offer career advancement
- Assess what your security tools already do vs what you need the new hire to do
- Scout internally as well as externally
Start Planning Your Ideal Dream Team
I want to leave you with one more consideration which goes hand in hand with what you should think about as you build out a rockstar cloud security team. It’s no secret that while you can do everything in your power to hire the right cloud security professionals for your organization’s specific needs, you aren’t in control of the mountain of threats and alerts your team will have to manage.
In the recent Cloud Security Alert Fatigue Report, the Orca Security team surveyed 800+ IT security professionals to understand how alert fatigue impacts security teams. I highly recommend that anyone responsible for managing cloud security teams reads this, as there are valuable insights and recommendations for how to keep your team on track and prevent them from becoming overwhelmed. Download your copy of the 2022 Cloud Security Alert Fatigue Report today, or watch this on-demand webinar covering important concepts on this topic.