Building Security Teams in a Competitive Talent Market: These Are The Droids You’re Looking for

John Visneski is the Head of Security and DPO at The Pokemon Company International. If you missed the webinar we organized in collaboration with John Visneski you can still watch it on demand, simply click here

The reasoning behind the popularity of this perspective is clear, if not unique to the cybersecurity field. Organizations in both the private and public sector are embracing technology in ways that are only limited by the imaginations of their workforce. Cloud computing used to be viewed primarily as a more cost-effective way to conduct IT business. However, organizations are increasingly leveraging the cloud to expand and in some cases fundamentally change their business. The knock-on effect of this is that technology wizards of all shapes and sizes are not just in demand; that demand is now exponential.

In this environment, a paradigm shift is necessary if organizations want to recruit and retain cybersecurity talent. There are far too many hiring managers in search of a purple unicorn that lays golden eggs. In reality, the talent pool is much larger than one would expect.

In order to bridge this perceived gap, consider tailoring your approach to the following:
1. Prioritize attitude and aptitude above all else
2. Find candidates with an operational mindset
3. Avoid binary thinkers, embrace problem solvers

You will notice that none of these suggestions mention security. To hijack and add to the old phrase: it’s the talent economy, stupid. Talent can be measured in many ways and at many levels. The key to building your security team is expanding the aperture of your search.

[bctt tweet=”The key to building your security team is expanding the aperture of your search.” username=”cloudacademy”]

1. Prioritize attitude and aptitude above all else

This won’t be the first article written that references how quickly the technology space is changing, particularly in security. In the same way that organizations are adopting new technology to enable their business or mission, threat actors are leveraging the same technology to prosecute their own agendas. In many cases, these threat actors are much more willing to embrace cutting-edge, innovative technology because the risk of adoption failure is relatively low. A hacker cell in Estonia doesn’t typically report to a CFO on the return on investment for time spent developing or adopting tools to exploit vulnerabilities. For legitimate organizations to keep pace, their security teams need to be willing to adapt and overcome at an incredibly high rate.

This ability to adapt is much easier said than done. It requires talent that has the drive to continue to learn new techniques, tactics, technologies, and integrations. This talent also needs to be ready to throw what they thought they knew out the window should the environment demand it.

To find this talent, try prioritizing attitude and aptitude above the specific technical skill sets you’re looking for. How eager are they to embrace new challenges? What in their background implies that they can adapt to change? Find smart individuals with a positive attitude who will not be discouraged when the problem set changes, and who have the aptitude to continually keep pace with their internal organization and external variables such as changing landscapes and threat actors.

[bctt tweet=”…try prioritizing attitude and aptitude above the specific technical skill sets you’re looking for. How eager are they to embrace new challenges? What in their background implies that they can adapt to change?” username=”cloudacademy”]

2. Find candidates with an operational mindset

Some of the best security professionals in the world didn’t start their careers in the security space. If you took a poll, you’d find that many come from fields like systems administration, infrastructure, DevOps, and quality assurance, while others come from outside technology fields entirely. I started out as a combat communications officer within the United States Air Force.

The common thread with many of these fields both within and outside the technology space is that they possess an operational mindset. To wit, they understand how the sausage is made. The beauty of these talent pools is that they are often the best at understanding how systems fit together and where the gaps and seams are within said systems. An increasing number of these individuals are eager to embrace automation because they’ve seen how it can be a force multiplier for their business. This mindset is focused on business operations.

One of my best security engineers started out as a test and quality assurance engineer. When he applied for the position, his resume had little to no direct security experience to speak of. He did possess a keen mind for automation, an understanding of how systems fit together, a nose for finding gaps and seams within systems, and ideas on fine-tuning these systems to support business operations. He also happened to be a bit of a security whiz in his free time, but that is hardly a concrete bullet to include on a resume. All he needed was someone to take a shot on him, focus his skillset on operationalizing a security program, and provide him the time and resources required to get up to speed. Within no time, he became an Offensive Security Certified Professional and an invaluable asset not just to my team but to our partners in DevOps. I would put him up against some of the very best security engineers in the industry.

3. Avoid binary thinkers, embrace problem solvers

Most security programs still have a very well-earned reputation as the part of the business that tells people what they can’t do, as opposed to helping enable what they can do. Much of this is derived from the tendency for technology professionals to think in terms of what is a ‘right’ answer and what is a ‘wrong’ answer as opposed to thinking in terms of ‘what helps the business be successful.’ The end result is that most of the business stops inviting the security teams to meetings, leading to a decrease in security posture due to a lack of visibility into business process and operations.

The goal is to avoid the perception of security as the “Dr. No” team. Find candidates who are not concerned with what constitutes a ‘right’ answer, but are more concerned with helping the business navigate the gray space between options. These are soft skills, which makes them much harder to teach than it is to send someone to security training. Concentrating on these skills will also help avoid the sort of technology lock-in that limits your search for cloud expertise. Just because you are an Amazon Web Services (AWS) shop, you shouldn’t limit your search to professionals with AWS-centric experience. There are plenty of engineers and operations analysts with deep knowledge in cloud computing that is derived from Microsoft Azure or Google Cloud Platform who can pivot to AWS with ease.

[bctt tweet=”The goal is to avoid the perception of security as the “Dr. No” team. Find candidates who are not concerned with what constitutes a ‘right’ answer, but are more concerned with helping the business navigate the gray space between options. ” username=”cloudacademy”]

The purpose of this post isn’t to say that you shouldn’t hire individuals with deep security experience. They do exist. However, they exist in much smaller numbers than the pool of talent that has many of the attributes that will make them successful members of your security team. These individuals have the ability to solve problems, an operational mindset with an understanding of how systems fit together, and the attitude and aptitude to keep pace with an ever-changing environment. All it takes is for hiring managers to expand the aperture of their search and be willing to invest in their team personally and professionally.

To learn about how to build security teams in a competitive talent market, watch my latest Cloud Academy webinar. In it, I discuss practical strategies to help teams at any level of maturity build out a cloud-focused security practice. You can also check out Cloud Catalog and Cloud Roster, two useful tools to help you close the skills gap within your company.

John Visneski

Written by

John Visneski

John Visneski oversees information security for The Pokémon International (TPCi). In this capacity, he and his team are responsible for security of corporate information technology systems and policies, as well as customer facing systems and applications. He is also responsible for the overall company privacy strategy and policy with regard to both customer and employee data. Prior to his work with TPCi, he spent over ten years in the United States Air Force as a cyberspace operations officer. His time in the Air Force culminated in a position as the cybersecurity advisor to the Secretary of the Air Force and Chief of Staff of the Air Force, located at the Pentagon, Washington D.C. He currently resides in Seattle, WA.


Related Posts

Simran Arora
Simran Arora
— August 21, 2020

Docker Image Security: Get it in Your Sights

For organizations and individuals alike, the adoption of Docker is increasing exponentially with no signs of slowing down. Why is this? Because Docker provides a whole host of features that make it easy to create, deploy, and manage your applications. This useful technology is especiall...

Read more
  • DevOps
  • Docker
  • Security
Wendy Dessler
Wendy Dessler
— July 17, 2020

VPN Encryption: How to Find the Best Solution

Each day there are 2.5 quintillion bytes of data created. People in all corners of the earth use the internet all day, every day. When we browse social media, conduct transactions, and search the web, we're leaving behind a digital footprint.  Encryption helps you protect the data yo...

Read more
  • Encryption
  • IPsec
  • Security
  • VPN
Alisha Reyes
Alisha Reyes
— July 16, 2020

Blog Digest: Which Certifications Should I Get?, The 12 Microsoft Azure Certifications, 6 Ways to Prevent a Data Breach, and More

This month, we were excited to announce that Cloud Academy was recognized in the G2 Summer 2020 reports! These reports highlight the top-rated solutions in the industry, as chosen by the source that matters most: customers. We're grateful to have been nominated as a High Performer in se...

Read more
  • AWS
  • Azure
  • blog digest
  • Certifications
  • Cloud Academy
  • OWASP
  • OWASP Top 10
  • Security
  • VPCs
Bea Potter
Bea Potter
— June 10, 2020

6 Ways to Prevent a Data Breach 

The cloud is a new territory for the digital world. But with all of its benefits, there also come risks and dangers. If your business depends on the cloud to store data, you’re probably facing a number of problems about how to best secure your data. According to studies, as many as 95 p...

Read more
  • data breach
  • Security
Alisha Reyes
Alisha Reyes
— June 2, 2020

Blog Digest: 5 Reasons to Get AWS Certified, OWASP Top 10, Getting Started with VPCs, Top 10 Soft Skills, and More

Thank you for being a valued member of our community! We recently sent out a short survey to understand what type of content you would like us to add to Cloud Academy, and we want to thank everyone who gave us their input. If you would like to complete the survey, it's not too late. It ...

Read more
  • AWS
  • Azure
  • blog digest
  • Certifications
  • Cloud Academy
  • OWASP
  • OWASP Top 10
  • Security
  • VPCs
Vijayakumar Athithan
Vijayakumar Athithan
— May 8, 2020

OWASP Top 10 Vulnerabilities

Over the last few years, more than 10,000 Open Web Application Security Project (OWASP) vulnerabilities have been reported into the Common Vulnerabilities and Exposures (CVE®) database each year. This is a list of common identifiers for publicly known cybersecurity vulnerabilities. Curr...

Read more
  • Machine Learning
  • OWASP
  • OWASP Top 10
  • Security
Alisha Reyes
Alisha Reyes
— April 30, 2020

Blog Digest: AWS Breaking News, Azure DevOps, AWS Study Guide, 8 Ways to Prevent a Ransomware Attack, and More

  New articles by topic AWS Azure Data Science Google Cloud  Cloud Adoption Platform Updates & New Content Security Women in Tech AWS Breaking News: All AWS Certification Exams Now Available Online As an Advanced AWS Technology Partner, C...

Read more
  • AWS
  • Azure
  • blog digest
  • Certifications
  • Cloud Academy
  • programming
  • Security
Daniel William
Daniel William
— April 15, 2020

8 Ways to Protect Your Data From a Ransomware Attack

Ransomware attacks have continued to grow both in scope and audacity over the past several years. This type of malware has become one of the biggest cybersecurity threats for enterprises, and experts predict the situation is only going to get worse. The WannaCry ransomware incident o...

Read more
  • attacks
  • data
  • ransomware
  • Security
Alisha Reyes
Alisha Reyes
— March 17, 2020

Cloud Academy’s Blog Digest: How Do AWS Certifications Increase Your Employability, How to Become a Microsoft Certified Azure Data Engineer, and more

With everything going on right now, it's likely that the only thing you've been reading lately is related to the coronavirus pandemic. It's important to stay informed during these times, but it's also good to jump into something that can take your mind off of the current situation for j...

Read more
  • AWS
  • Azure
  • blog digest
  • Certifications
  • Cloud Academy
  • programming
  • Security
Orion Withrow
Orion Withrow
— December 17, 2019

Azure Security: Best Practices You Need to Know

When it comes to Azure Security best practices, where do you begin? In a lot of ways, Azure is very similar to any other data center. But with that said, Azure can also be very different. Securing Azure can pose many unique challenges. The security of resources hosted in Azure is of the...

Read more
  • Azure
  • azure best practices
  • azure security center
  • Security
Chester Avey
Chester Avey
— November 7, 2019

Cloud Computing Solutions: 7 Trends for the Future

The world of cloud computing is in a state of flux. Not long ago, the cloud was considered an emerging technology, known only to IT specialists. Today it is a part of everyday life – 96% of businesses use the cloud in one form or another, and this number only looks set to grow. Whether ...

Read more
  • Cloud Computing
  • internet of everything
  • multi-cloud
  • Security
  • SEO
Avatar
Stuart Scott
— September 27, 2019

AWS Security Groups: Instance Level Security

Instance security requires that you fully understand AWS security groups, along with patching responsibility, key pairs, and various tenancy options. As a precursor to this post, you should have a thorough understanding of the AWS Shared Responsibility Model before moving onto discussi...

Read more
  • AWS
  • instance security
  • Security
  • security groups