Building Security Teams in a Competitive Talent Market: These Are The Droids You’re Looking for

John Visneski is the Head of Security and DPO at The Pokemon Company International. If you missed the webinar we organized in collaboration with John Visneski you can still watch it on demand, simply click here

The reasoning behind the popularity of this perspective is clear, if not unique to the cybersecurity field. Organizations in both the private and public sector are embracing technology in ways that are only limited by the imaginations of their workforce. Cloud computing used to be viewed primarily as a more cost-effective way to conduct IT business. However, organizations are increasingly leveraging the cloud to expand and in some cases fundamentally change their business. The knock-on effect of this is that technology wizards of all shapes and sizes are not just in demand; that demand is now exponential.

In this environment, a paradigm shift is necessary if organizations want to recruit and retain cybersecurity talent. There are far too many hiring managers in search of a purple unicorn that lays golden eggs. In reality, the talent pool is much larger than one would expect.

In order to bridge this perceived gap, consider tailoring your approach to the following:
1. Prioritize attitude and aptitude above all else
2. Find candidates with an operational mindset
3. Avoid binary thinkers, embrace problem solvers

You will notice that none of these suggestions mention security. To hijack and add to the old phrase: it’s the talent economy, stupid. Talent can be measured in many ways and at many levels. The key to building your security team is expanding the aperture of your search.

The key to building your security team is expanding the aperture of your search. Click To Tweet

1. Prioritize attitude and aptitude above all else

This won’t be the first article written that references how quickly the technology space is changing, particularly in security. In the same way that organizations are adopting new technology to enable their business or mission, threat actors are leveraging the same technology to prosecute their own agendas. In many cases, these threat actors are much more willing to embrace cutting-edge, innovative technology because the risk of adoption failure is relatively low. A hacker cell in Estonia doesn’t typically report to a CFO on the return on investment for time spent developing or adopting tools to exploit vulnerabilities. For legitimate organizations to keep pace, their security teams need to be willing to adapt and overcome at an incredibly high rate.

This ability to adapt is much easier said than done. It requires talent that has the drive to continue to learn new techniques, tactics, technologies, and integrations. This talent also needs to be ready to throw what they thought they knew out the window should the environment demand it.

To find this talent, try prioritizing attitude and aptitude above the specific technical skill sets you’re looking for. How eager are they to embrace new challenges? What in their background implies that they can adapt to change? Find smart individuals with a positive attitude who will not be discouraged when the problem set changes, and who have the aptitude to continually keep pace with their internal organization and external variables such as changing landscapes and threat actors.

...try prioritizing attitude and aptitude above the specific technical skill sets you’re looking for. How eager are they to embrace new challenges? What in their background implies that they can adapt to change? Click To Tweet

2. Find candidates with an operational mindset

Some of the best security professionals in the world didn’t start their careers in the security space. If you took a poll, you’d find that many come from fields like systems administration, infrastructure, DevOps, and quality assurance, while others come from outside technology fields entirely. I started out as a combat communications officer within the United States Air Force.

The common thread with many of these fields both within and outside the technology space is that they possess an operational mindset. To wit, they understand how the sausage is made. The beauty of these talent pools is that they are often the best at understanding how systems fit together and where the gaps and seams are within said systems. An increasing number of these individuals are eager to embrace automation because they’ve seen how it can be a force multiplier for their business. This mindset is focused on business operations.

One of my best security engineers started out as a test and quality assurance engineer. When he applied for the position, his resume had little to no direct security experience to speak of. He did possess a keen mind for automation, an understanding of how systems fit together, a nose for finding gaps and seams within systems, and ideas on fine-tuning these systems to support business operations. He also happened to be a bit of a security whiz in his free time, but that is hardly a concrete bullet to include on a resume. All he needed was someone to take a shot on him, focus his skillset on operationalizing a security program, and provide him the time and resources required to get up to speed. Within no time, he became an Offensive Security Certified Professional and an invaluable asset not just to my team but to our partners in DevOps. I would put him up against some of the very best security engineers in the industry.

3. Avoid binary thinkers, embrace problem solvers

Most security programs still have a very well-earned reputation as the part of the business that tells people what they can’t do, as opposed to helping enable what they can do. Much of this is derived from the tendency for technology professionals to think in terms of what is a ‘right’ answer and what is a ‘wrong’ answer as opposed to thinking in terms of ‘what helps the business be successful.’ The end result is that most of the business stops inviting the security teams to meetings, leading to a decrease in security posture due to a lack of visibility into business process and operations.

The goal is to avoid the perception of security as the “Dr. No” team. Find candidates who are not concerned with what constitutes a ‘right’ answer, but are more concerned with helping the business navigate the gray space between options. These are soft skills, which makes them much harder to teach than it is to send someone to security training. Concentrating on these skills will also help avoid the sort of technology lock-in that limits your search for cloud expertise. Just because you are an Amazon Web Services (AWS) shop, you shouldn’t limit your search to professionals with AWS-centric experience. There are plenty of engineers and operations analysts with deep knowledge in cloud computing that is derived from Microsoft Azure or Google Cloud Platform who can pivot to AWS with ease.

The goal is to avoid the perception of security as the “Dr. No” team. Find candidates who are not concerned with what constitutes a ‘right’ answer, but are more concerned with helping the business navigate the gray space between… Click To Tweet

The purpose of this post isn’t to say that you shouldn’t hire individuals with deep security experience. They do exist. However, they exist in much smaller numbers than the pool of talent that has many of the attributes that will make them successful members of your security team. These individuals have the ability to solve problems, an operational mindset with an understanding of how systems fit together, and the attitude and aptitude to keep pace with an ever-changing environment. All it takes is for hiring managers to expand the aperture of their search and be willing to invest in their team personally and professionally.

To learn about how to build security teams in a competitive talent market, watch my latest Cloud Academy webinar. In it, I discuss practical strategies to help teams at any level of maturity build out a cloud-focused security practice. You can also check out Cloud Catalog and Cloud Roster, two useful tools to help you close the skills gap within your company.

John Visneski

Written by

John Visneski

John Visneski oversees information security for The Pokémon International (TPCi). In this capacity, he and his team are responsible for security of corporate information technology systems and policies, as well as customer facing systems and applications. He is also responsible for the overall company privacy strategy and policy with regard to both customer and employee data. Prior to his work with TPCi, he spent over ten years in the United States Air Force as a cyberspace operations officer. His time in the Air Force culminated in a position as the cybersecurity advisor to the Secretary of the Air Force and Chief of Staff of the Air Force, located at the Pentagon, Washington D.C. He currently resides in Seattle, WA.


Related Posts

Chester Avey
Chester Avey
— November 7, 2019

Cloud Computing Solutions: 7 Trends for the Future

The world of cloud computing is in a state of flux. Not long ago, the cloud was considered an emerging technology, known only to IT specialists. Today it is a part of everyday life – 96% of businesses use the cloud in one form or another, and this number only looks set to grow. Whether ...

Read more
  • Cloud Computing
  • internet of everything
  • multi-cloud
  • Security
  • SEO
Avatar
Stuart Scott
— September 27, 2019

AWS Security Groups: Instance Level Security

Instance security requires that you fully understand AWS security groups, along with patching responsibility, key pairs, and various tenancy options. As a precursor to this post, you should have a thorough understanding of the AWS Shared Responsibility Model before moving onto discussi...

Read more
  • AWS
  • instance security
  • Security
  • security groups
Chester Avey
Chester Avey
— September 10, 2019

7 Key Cybersecurity Threats to Cloud Computing

When businesses consider cloud computing, one of the major advantages often cited is the fact that it can make your business more secure. In fact, in recent years many businesses have chosen to migrate to the cloud specifically for its security benefits. So, it might surprise you to lea...

Read more
  • Cybersecurity
  • Security
Avatar
Adam Hawkins
— August 9, 2019

DevSecOps: How to Secure DevOps Environments

Security has been a friction point when discussing DevOps. This stems from the assumption that DevOps teams move too fast to handle security concerns. This makes sense if Information Security (InfoSec) is separate from the DevOps value stream, or if development velocity exceeds the band...

Read more
  • AWS
  • cloud security
  • DevOps
  • DevSecOps
  • Security
Avatar
Paola Di Pietro
— July 19, 2019

Top 10 Things Cybersecurity Professionals Need to Know

There has been an increase in data breaches over the recent years. With almost 143 million Americans who have had their data compromised in data breaches. These breaches include all sorts of sensitive data, including financial information, election controversies, social security, just t...

Read more
  • Azure
  • cyber security
  • Security
Avatar
Stuart Scott
— July 18, 2019

AWS Fundamentals: Understanding Compute, Storage, Database, Networking & Security

If you are just starting out on your journey toward mastering AWS cloud computing, then your first stop should be to understand the AWS fundamentals. This will enable you to get a solid foundation to then expand your knowledge across the entire AWS service catalog.   It can be both d...

Read more
  • AWS
  • Compute
  • Database
  • fundamentals
  • networking
  • Security
  • Storage
Avatar
Adam Hawkins
— April 16, 2019

The Convergence of DevOps

IT has changed over the past 10 years with the adoption of cloud computing, continuous delivery, and significantly better telemetry tools. These technologies have spawned an entirely new container ecosystem, demonstrated the importance of strong security practices, and have been a catal...

Read more
  • DevOps
  • Security
Avatar
Adam Hawkins
— March 21, 2019

How DevOps Increases System Security

The perception of DevOps and its role in the IT industry has changed over the last five years due to research, adoption, and experimentation. Accelerate: The Science of Lean Software and DevOps by Gene Kim, Jez Humble, and Nicole Forsgren makes data-backed predictions about how DevOps p...

Read more
  • DevOps
  • Security
Avatar
Stuart Scott
— November 29, 2018

New Security & Compliance Service: AWS Security Hub

This morning’s Andy Jassy keynote was followed by the announcement of over 20 new services across a spectrum of AWS categories, including those in Security and Compliance, Database, Machine Learning, and Storage.   One service that jumped out to me was the AWS Security Hub, currently...

Read more
  • AWS
  • re:Invent 2018
  • Security
Alex Brower
Alex Brower
— October 17, 2018

Interview: Q&A with John Visneski

Security is a top priority for organizations of all types, with research firm IDC projecting 10% spending growth to $91 billion dollars in 2018. For leadership, security is important considering the cost, regulation, and reputation at stake when breaches occur. According to a joint ...

Read more
  • Security
Albert Qian
Albert Qian
— September 25, 2018

Microsoft Ignites Cloud Industry With Nadella Keynote

On Monday, Microsoft kicked off its Ignite conference, an annual gathering of developers and IT professionals. Over the next week, attendees will learn about upcoming Microsoft innovations in IoT, artificial intelligence, machine learning, and cloud (all while getting some good networki...

Read more
  • Events
  • IoT
  • Machine Learning
  • Security
Avatar
Cloud Academy Team
— August 29, 2018

4 Reasons You Need to Include Business Stakeholders in Cloud Training

Digital transformation is changing how organizations in every industry approach their business strategy, serving as the foundation of their technology initiatives. Chief among this includes cloud adoption, which is not just a path to IT savings, but also increasingly where companies are...

Read more
  • Cloud Adoption
  • Security