5 years ago, when I was still smarting from being laid off [fired, cough], I found myself back in the job market looking for …something.
After 12+ years in the same organisation, I had worked my way up from ‘Firewall Administrator’ to ‘Director of Delivery’ for EMEA and APAC. Through poor planning and various character flaws I was at a complete loss where to even start looking for an equivalent position. My safety-net was non-existent as making connections has never been what I would call a strong suit.
So I did what everyone else does: I called some recruiters. And I got what a lot of other people got by doing so: nowhere, and frustrated.
But as much as I have criticised recruiters (see ‘Cybersecurity Recruiters, The Gauntlet Is Thrown!’), they are doing an almost impossible job. I have even tried to help (see ‘How to be a GREAT Cybersecurity Recruiter’), but this still leaves them addressing only the symptoms. The root cause of all our woes is, of course, the hiring organisations themselves.
My frustration with the hiring process came to a head after a few very short months, when I touched upon an idea that made perfect sense at the time. In ‘No More Job Titles, Just Function Based Roles’, I opined that the biggest issue is the job titles themselves, and how they pigeon-hole individuals into an inappropriate job function.
But that’s not really the core problem either. The problem is that organisations have absolutely no idea what they need, and therefore ask all the wrong questions.
Here’s yet another one of my patented crap analogies:
I have a headache. I have no idea why, but I know someone who might: the doctor. I go to the doctor, who asks me all the right questions, questions I had no idea were important and ones I would never have come up with myself. The doctor knows enough about my issue that s/he refers me to someone whom they know will definitely be able to help: an appropriate specialist. I go to the specialist, who solves my problem, then tells me exactly what to do from that point forward to avoid headaches in the future.
The solution could be as simple as taking a couple of pills, or as intensive as hiring a full-time nurse.
Would you, in my place, have hired a full-time nurse the second you had a headache? Doubtful. So why would a non-cybersecurity expert [the organisation] hire another non-cybersecurity expert [a recruiter] to hire someone else who is now twice removed from understanding the original problem?
I can’t speak for other industries, but recruiting for cybersecurity is fundamentally flawed. From my perspective, and perhaps counterintuitively, the only solution is to stop focusing on individuals. You cannot claim a ‘cybersecurity skills-gap’, because that means there are not enough trained people, when the problem is that organisations just don’t know how to get rid of their ‘headache’.
Instead, what if:
…organisations advertised their problem through [for the sake of this blog] a service called ‘Cybersecurity Recruiters 2.0’ (CR2.0). A service focused ONLY on the individual skills of its members, not the actual members themselves. So no more telling the recruiter that you need a “PCI project manager for 6 months” [for example], you now just tell them you need to “be PCI compliant in 6 months” and let the CR2.0 members work out how best to achieve the desired result. i.e. ‘I have a headache’, not ‘I need a nurse’.
The CR2.0 members with PCI expertise would meet directly with the client and 1) tell them what’s required, 2) design the project from the perspective of what skills are required to deliver it, and 3) deliver the project.
Maybe the gig lasts only 3 months, or maybe it goes on for 2 years. Maybe 1 person can deliver it all, maybe it takes a dozen people each at different times. What the client does NOT end up with is a full-time employee who can’t do anything else.
Wait, this sounds familiar? Oh yeah, this is what cybersecurity CONSULTING companies do!
Now I’m not suggesting that recruiting companies suddenly throw their hats in the ring to become cybersecurity consulting vendors. There will ALWAYS be the need for full-time employees in this industry. But who is better placed to select the RIGHT employee for you than an organisation that just delivered a significant engagement?
Done correctly, EVERY significant engagement in security (e.g. compliance with a regulation, or certification against a standard) will involve the following:
- Senior leadership engagement – to put security into the only context that matters – the business’s goals;
- Examination of risk management processes, including security drivers – e.g. compliance, regulatory or contractual obligations;
- Examination of control and process gaps – the stuff that needs fixing;
- Fill the gaps – with the judicious use of people, process and technology in THAT order; and
- Operationalise all of the above – teach the organisation how to do this stuff themselves
With CR2.0 there can now be a step 6 – Draft the FUNCTIONAL job description (FJD) necessary to fill the client’s residual skills gap. If this FJD requires only a quarterly engagement of a security strategist in the Governance meetings, so be it, but if it requires an FTE, a CR2.0 member can step into the role knowing FULL WELL they are a good fit.
So again, how is this different from consulting companies? This phrase [or equivalent] is in every engagement contract I have ever seen: “The Employee covenants that he/she will not, either directly or indirectly, during the term of this Agreement and for a period of  year after its termination, employ or attempt to employ anyone employed by the Company or its affiliated companies, or utilise their services otherwise than through the Company.”
As a CR2.0 member you are free to do whatever the hell you please: go from contract to contract, or take the full-time gig. There would be no promise of work, you would be an independent contractor, and how this would all be monetised I have no idea. All I know is that the ‘due diligence’ currently performed in the search for cybersecurity expertise is half-arsed, and no one wins. Only two things matter: the expert gets paid and the client gets their problem solved; everything else is meaningless detail.