The Real Score About CISOs Rejecting 95% of Applicants
A CISO recently made a stunning revelation on a subreddit thread, stating that only about 5% of young cybersecurity applicants meet the narrow combination of requirements to be worth hiring. There were a lot of counter-comments from other security leaders saying that the CISO was being unfair in his hiring process, to which the CISO replied that this is the reality of the security industry and illustrates what cybersecurity applicants are up against.
Still, not everyone in the cybersecurity field shared the CISO's view. Many pointed out that there is value in hiring candidates from different backgrounds and with different experiences, as such applicants bring new perspectives that often help improve cybersecurity overall.
A recent episode of the CISO Series podcast underscored the importance of having a talented and competent recruiting team in the organization that can recognize less qualified candidates very quickly. A competent recruiting team can tell who should be passed along and who should be filtered out because they do not even come close to meeting the requirements.
"One of the things I tell my team often is, when you think about hiring and recruiting and sourcing if you follow the same playbook and you go to the same places, and you look for the same things, you’re going to get the same results," said Mike Hanley, Chief Security Officer and SVP of Engineering at GitHub, who was a guest on that episode of the podcast.
"We’ve seen the rapid and accelerated and unceremonious arrival of zero trust as a necessity rather than a gradual change, and you just fundamentally need to have people who are thinking about things differently and have different sets of experiences if you want your team to be able to adapt to the challenges that are emerging day in and day out inside the company," Hanley elaborated.
Thus, for Hanley, leaders should take into account the distribution of seniority of talent. For instance, hiring only senior engineers who have 15 years of experience with cryptography results in a very small pool of people to choose from, not to mention a lack of diversity in hiring, which is frowned upon today.
On the other hand, considering those who are still early in their careers but have demonstrated a propensity to pick up new skills and capabilities, or a willingness and eagerness to learn and be trained, provides an opportunity to develop more talent.
Ultimately, Hanley considers behavior one of the most important things to look for in a candidate, especially if the candidate is still in the early stages of a career that the company is looking to develop. Candidates should demonstrate that they are open to receiving feedback and engaging in growth-minded conversations, and that they are enthusiastic about learning new skills or ideas. "If you can’t see that…that’s a fast-screening thing for me," Hanley said.