Skip to main content

Building Security Teams in a Competitive Talent Market: These Are The Droids You’re Looking for

John Visneski is the Head of Security and DPO at The Pokemon Company International. To register for Mr. Visneski’s Cloud Academy webinar, click here

The reasoning behind the popularity of this perspective is clear, if not unique to the cybersecurity field. Organizations in both the private and public sector are embracing technology in ways that are only limited by the imaginations of their workforce. Cloud computing used to be viewed primarily as a more cost-effective way to conduct IT business. However, organizations are increasingly leveraging the cloud to expand and in some cases fundamentally change their business. The knock-on effect of this is that technology wizards of all shapes and sizes are not just in demand; that demand is now exponential.

In this environment, a paradigm shift is necessary if organizations want to recruit and retain cybersecurity talent. There are far too many hiring managers in search of a purple unicorn that lays golden eggs. In reality, the talent pool is much larger than one would expect.

In order to bridge this perceived gap, consider tailoring your approach to the following:
1. Prioritize attitude and aptitude above all else
2. Find candidates with an operational mindset
3. Avoid binary thinkers, embrace problem solvers

You will notice that none of these suggestions mention security. To hijack and add to the old phrase: it’s the talent economy, stupid. Talent can be measured in many ways and at many levels. The key to building your security team is expanding the aperture of your search.

The key to building your security team is expanding the aperture of your search. Click To Tweet

1. Prioritize attitude and aptitude above all else

This won’t be the first article written that references how quickly the technology space is changing, particularly in security. In the same way that organizations are adopting new technology to enable their business or mission, threat actors are leveraging the same technology to prosecute their own agendas. In many cases, these threat actors are much more willing to embrace cutting-edge, innovative technology because the risk of adoption failure is relatively low. A hacker cell in Estonia doesn’t typically report to a CFO on the return on investment for time spent developing or adopting tools to exploit vulnerabilities. For legitimate organizations to keep pace, their security teams need to be willing to adapt and overcome at an incredibly high rate.

This ability to adapt is much easier said than done. It requires talent that has the drive to continue to learn new techniques, tactics, technologies, and integrations. This talent also needs to be ready to throw what they thought they knew out the window should the environment demand it.

To find this talent, try prioritizing attitude and aptitude above the specific technical skill sets you’re looking for. How eager are they to embrace new challenges? What in their background implies that they can adapt to change? Find smart individuals with a positive attitude who will not be discouraged when the problem set changes, and who have the aptitude to continually keep pace with their internal organization and external variables such as changing landscapes and threat actors.

...try prioritizing attitude and aptitude above the specific technical skill sets you’re looking for. How eager are they to embrace new challenges? What in their background implies that they can adapt to change? Click To Tweet

2. Find candidates with an operational mindset

Some of the best security professionals in the world didn’t start their careers in the security space. If you took a poll, you’d find that many come from fields like systems administration, infrastructure, DevOps, and quality assurance, while others come from outside technology fields entirely. I started out as a combat communications officer within the United States Air Force.

The common thread with many of these fields both within and outside the technology space is that they possess an operational mindset. To wit, they understand how the sausage is made. The beauty of these talent pools is that they are often the best at understanding how systems fit together and where the gaps and seams are within said systems. An increasing number of these individuals are eager to embrace automation because they’ve seen how it can be a force multiplier for their business. This mindset is focused on business operations.

One of my best security engineers started out as a test and quality assurance engineer. When he applied for the position, his resume had little to no direct security experience to speak of. He did possess a keen mind for automation, an understanding of how systems fit together, a nose for finding gaps and seams within systems, and ideas on fine-tuning these systems to support business operations. He also happened to be a bit of a security whiz in his free time, but that is hardly a concrete bullet to include on a resume. All he needed was someone to take a shot on him, focus his skillset on operationalizing a security program, and provide him the time and resources required to get up to speed. Within no time, he became an Offensive Security Certified Professional and an invaluable asset not just to my team but to our partners in DevOps. I would put him up against some of the very best security engineers in the industry.

3. Avoid binary thinkers, embrace problem solvers

Most security programs still have a very well-earned reputation as the part of the business that tells people what they can’t do, as opposed to helping enable what they can do. Much of this is derived from the tendency for technology professionals to think in terms of what is a ‘right’ answer and what is a ‘wrong’ answer as opposed to thinking in terms of ‘what helps the business be successful.’ The end result is that most of the business stops inviting the security teams to meetings, leading to a decrease in security posture due to a lack of visibility into business process and operations.

The goal is to avoid the perception of security as the “Dr. No” team. Find candidates who are not concerned with what constitutes a ‘right’ answer, but are more concerned with helping the business navigate the gray space between options. These are soft skills, which makes them much harder to teach than it is to send someone to security training. Concentrating on these skills will also help avoid the sort of technology lock-in that limits your search for cloud expertise. Just because you are an Amazon Web Services (AWS) shop, you shouldn’t limit your search to professionals with AWS-centric experience. There are plenty of engineers and operations analysts with deep knowledge in cloud computing that is derived from Microsoft Azure or Google Cloud Platform who can pivot to AWS with ease.

The goal is to avoid the perception of security as the “Dr. No” team. Find candidates who are not concerned with what constitutes a ‘right’ answer, but are more concerned with helping the business navigate the gray space between… Click To Tweet

The purpose of this post isn’t to say that you shouldn’t hire individuals with deep security experience. They do exist. However, they exist in much smaller numbers than the pool of talent that has many of the attributes that will make them successful members of your security team. These individuals have the ability to solve problems, an operational mindset with an understanding of how systems fit together, and the attitude and aptitude to keep pace with an ever-changing environment. All it takes is for hiring managers to expand the aperture of their search and be willing to invest in their team personally and professionally.

To learn about how to build security teams in a competitive talent market, watch my latest Cloud Academy webinar. In it, I discuss practical strategies to help teams at any level of maturity build out a cloud-focused security practice.

John Visneski

Written by

John Visneski oversees information security for The Pokémon International (TPCi). In this capacity, he and his team are responsible for security of corporate information technology systems and policies, as well as customer facing systems and applications. He is also responsible for the overall company privacy strategy and policy with regard to both customer and employee data. Prior to his work with TPCi, he spent over ten years in the United States Air Force as a cyberspace operations officer. His time in the Air Force culminated in a position as the cybersecurity advisor to the Secretary of the Air Force and Chief of Staff of the Air Force, located at the Pentagon, Washington D.C. He currently resides in Seattle, WA.

Related Posts

Alex Brower
— October 17, 2018

Interview: Q&A with John Visneski

Security is a top priority for organizations of all types, with research firm IDC projecting 10% spending growth to $91 billion dollars in 2018. For leadership, security is important considering the cost, regulation, and reputation at stake when breaches occur. According to a joint ...

Read more
  • Security
Albert Qian
— September 25, 2018

Microsoft Ignites Cloud Industry With Nadella Keynote

On Monday, Microsoft kicked off its Ignite conference, an annual gathering of developers and IT professionals. Over the next week, attendees will learn about upcoming Microsoft innovations in IoT, artificial intelligence, machine learning, and cloud (all while getting some good networki...

Read more
  • Events
  • IoT
  • Machine Learning
  • Security
— August 29, 2018

4 Reasons You Need to Include Business Stakeholders in Cloud Training

Digital transformation is changing how organizations in every industry approach their business strategy, serving as the foundation of their technology initiatives. Chief among this includes cloud adoption, which is not just a path to IT savings, but also increasingly where companies are...

Read more
  • Cloud Adoption
  • Security
Aaron McKeown
— August 1, 2018

Build a Security Culture Within Your Organization

At this year’s AWS Summit Sydney, I was invited to speak about security culture and share a few practical examples of how organizations can build a positive security culture through increased visibility and enablement at all levels. But, what is a positive security culture?At Xero, we...

Read more
  • Security
Albert Qian
— June 19, 2018

Preparing for the Microsoft Azure 70-535 Exam

The credibility of Microsoft Azure continues to grow in the first quarter of 2018 with an increasing number of enterprises migrating their workloads, resulting in a jump for Azure from 10% to 13% in market share. Most organizations will find that simply “lifting and shifting” applicatio...

Read more
  • Azure
  • Compute
  • Database
  • Security
— May 17, 2018

4 Best Practices to Get Your Cloud Deployments GDPR Ready

With GDPR coming into force later this month, security and compliance will be the top-most priority for any cloud deployment that contains personal data of EU citizens.While leading providers have moved to make their platforms and services compliant, ensuring compliance requires more ...

Read more
  • GDPR
  • Security
— May 7, 2018

AWS Summit London 2018: Our Top Picks

Cloud Academy is proud to be a sponsor of AWS Summit London coming up May 9-10 at the ICC, ExCeL, London.Join us in booth S24, Level 1 where our AWS experts will be on hand to answer your questions and walk you through our latest content and newest platform features.Book a meeting w...

Read more
  • AWS Summits
  • GDPR
  • Security
— March 26, 2018

GDPR Compliance: Low Cost, Zero-Friction Action Items

George Gerchow is Chief Security Officer at Sumo Logic and Adjunct Honorary Lecturer at Cloud Academy. View the on-demand recording of our recent webinar, Establishing a Privacy Program: GDPR Compliance & Beyond with Mr. Gerchow and Jen Brown, Data Protection Officer at Sumo Logic....

Read more
  • GDPR
  • Security
— March 9, 2018

New on Cloud Academy, March ’18: Machine Learning on AWS and Azure, Docker in Depth, and more

Introduction to Machine Learning on AWSThis is your quick-start guide for building and deploying with Amazon Machine Learning. By the end of this learning path, you will be able to apply supervised and unsupervised learning, ML algorithms, deep learning, and deep neural networks on AW...

Read more
  • Cloud Migration
  • Docker
  • Machine Learning & AI
  • Security
— March 2, 2018

Three Must-Use Azure Security Services

Keeping your cloud environment safe continues to be the top priority for the enterprise, followed by spending, according to RightScale’s 2018 State of the Cloud report.The safety of your cloud environment—and the data and applications that your business runs on—depends on how well you...

Read more
  • Azure
  • Security
— February 9, 2018

4 Practices that Should Be Driving Your Security Strategy in 2018

Securing your data and applications in the cloud has never been more important.The headlines are a constant reminder of the disruptive (or calamitous) impact on a business in the wake of a breach. Many of 2017’s most high-profile breaches were a reminder of the vulnerabilities that ca...

Read more
  • Security
— February 1, 2018

New Whitepaper: Architecting ‘Security-First’ Into Cloud Strategy

The State of Cloud SecurityCompanies in every industry are eager to leverage the benefits of the cloud and leave data center management and legacy technologies behind.As cost optimization and increased scale drive cloud adoption from the inside, the need to stay competitive to keep ...

Read more
  • Security