You’re Not Hiring People, You’re Trying to Solve a Problem

5 years ago, when I was still smarting from being laid off [fired, cough], I found myself back in the job market looking for …something.

After 12+ years in the same organisation, I had worked my way up from ‘Firewall Administrator’ to ‘Director of Delivery’ for EMEA and APAC. Through poor planning and various character flaws I was at a complete loss where to even start looking for an equivalent position. My safety-net was non-existent as making connections has never been what I would call a strong suit.

So I did what everyone else does: I called some recruiters. And I got what a lot of other people get by doing so: nowhere, and frustrated.

But as much as I have criticised recruiters (Cybersecurity Recruiters, The Gauntlet Is Thrown!), they are doing an almost impossible job. I have even tried to help (How to be a GREAT Cybersecurity Recruiter), but this still leaves them addressing only the symptoms. The root cause of all our woes is, of course, the hiring organisations themselves.

My frustration with the hiring process came to a head after a few very short months, when I touched upon an idea that made perfect sense at the time. In No More Job Titles, Just Function Based Roles, I opined that the biggest issue is the job titles themselves, and how they pigeon-hole individuals into an inappropriate job function.

But that’s not really the core problem either. The problem is that organisations have absolutely no idea what they need, and therefore ask all the wrong questions.

Here’s yet another one of my patented crap analogies:

I have a headache. I have no idea why, but I know someone who might; the doctor. I go to the doctor who asks me all the right questions, questions I had no idea were important, and ones I would never have come up with myself. The doctor knows enough about my issue that s/he refers me to someone whom they know will definitely be able to help; an appropriate specialist. I go to the specialist who solves my problem, then tells me exactly what to do from that point forward to avoid headaches in the future.

The solution could be as simple as taking a couple of pills, or as intensive as hiring a full-time nurse.

Would you, in my place, have hired a full-time nurse the second you had a headache? Doubtful. So why would a non-cybersecurity expert [the organisation] hire another non-cybersecurity expert [a recruiter] to hire someone else, who is now twice removed from understanding the original problem?

I can’t speak for other industries, but recruiting for cybersecurity is fundamentally flawed. From my perspective, and perhaps counterintuitively, the only solution is to stop focusing on individuals. You cannot claim a ‘cybersecurity skills-gap’, because that means there are not enough trained people, when the problem is that organisations just don’t know how to get rid of their ‘headache’.

Instead, what if:

…organisations advertised their problem through [for the sake of this blog] a service called ‘Cybersecurity Recruiters 2.0’ (CR2.0). A service focused ONLY on the individual skills of its members, not the actual members themselves. So no more telling the recruiter that you need a “PCI project manager for 6 months” [for example], you now just tell them you need to “be PCI compliant in 6 months” and let the CR2.0 members work out how best to achieve the desired result. i.e. ‘I have a headache’, not ‘I need a nurse’.

The CR2.0 members with PCI expertise would meet directly with the client and 1) tell them what’s required, 2) design the project from the perspective of what skills are required to deliver it, and 3) deliver the project.

Maybe the gig lasts only 3 months, or maybe it goes on for 2 years. Maybe 1 person can deliver it all, maybe it takes a dozen people each at different times. What the client does NOT end up with is a full-time employee who can’t do anything else.

Wait, this sounds familiar? Oh yeah, this is what cybersecurity CONSULTING companies do!

Now I’m not suggesting that recruiting companies suddenly throw their hats in the ring to become cybersecurity consulting vendors. There will ALWAYS be a need for full-time employees in this industry. But who is better placed to select the RIGHT employee for you than an organisation that just delivered a significant engagement?

Done correctly, EVERY significant engagement in security (e.g. compliance with a regulation, or certification against a standard) will involve the following:

  1. Senior leadership engagement – to put security into the only context that matters – the business’s goals;
  2. Examination of risk management processes, including security drivers – e.g. compliance, regulatory or contractual obligations;
  3. Examination of control and process gaps – the stuff that needs fixing;
  4. Fill the gaps – with the judicious use of people, process and technology in THAT order; and
  5. Operationalise all of the above – teach the organisation how to do this stuff themselves

With CR2.0 there can now be a step 6 – Draft the FUNCTIONAL job description (FJD) necessary to fill the client’s residual skills gap. If this FJD requires only a quarterly engagement of a security strategist in the Governance meetings, so be it, but if it requires an FTE, a CR2.0 member can step into the role knowing FULL WELL they are a good fit.

So again, how is this different from consulting companies? The difference is this phrase [or equivalent], which is in every engagement contract I have ever seen: “The Employee covenants that he/she will not, either directly or indirectly, during the term of this Agreement and for a period of [1] year after its termination, employ or attempt to employ anyone employed by the Company or its affiliated companies, or utilise their services otherwise than through the Company.”

As a CR2.0 member you are free to do whatever the hell you please; go from contract to contract, or take the full-time gig. There would be no promise of work, you would be an independent contractor, and how this would all be monetised I have no idea. All I know is that the ‘due diligence’ currently performed in the search for cybersecurity expertise is half-arsed, and no one wins. Only two things matter; the expert gets paid and the client gets their problem solved, everything else is meaningless detail.


2 thoughts on “You’re Not Hiring People, You’re Trying to Solve a Problem”

  1. Funny.
    What you describe mirrors my own experiences. Up till 5 years ago, I was working for a large multi-national. Had been there for 17 years, working up from being a Unix sysadmin to a ‘global security architect’ working for the CISO (after our company had split in two).

    But our company got bought by a bigger multi-national. And after they wanted to reduce costs by just getting rid of people (reduction in force), I was let go.

    And I struggled to find a new position. I still struggle to this day, though I now work as a security consultant, sometimes doing what you describe. But it’s hard to get companies to fully understand this and utilize us to the extent they should (part of why I want to leave and work elsewhere).

    Yes, the whole recruitment process is broken. Not buying fully into the “skills gap” narrative. While I think there is a lack of some people with certain skills in certain areas, I don’t think it’s as widespread. More that too many companies don’t know what they really need, so they are being unrealistic. I recently lost the chance at getting a job, I believe because one of the people interviewing me has the unrealistic idea that a security manager needs to be a pentester (which I’m not and was clear about). A couple of months later that company is STILL trying to fill that security manager role.

  2. Interesting article David. The recruitment model is broken in the places that you indicate, partly because companies with budget and recruiters operate on a contingency basis (“no placement, no fee”), and as a result there are relatively high fees for a placement.

    This means that
    a) there is a low barrier to entry to set up as a recruiter
    b) there are lots of recruiters chasing the high fees
    c) the quality of recruitment services is highly variable
    d) it’s hard for a specialist to stand out against the crowd, particularly if the crowd shout louder, ping any CV forward in hope and reduce their fees
    e) any specialist no matter how good does not have access to the full pool of potential candidates

    There ought to be people (and there probably are) with sufficient InfoSec skills that could help a client to develop a job spec / list of job functions for a reasonable fee. If they then go on to source the candidate perhaps they could then get the rest of the placement fee.
