FBI Director James Comey was talking to his daughter recently about the Bureau’s struggle to recruit talented cybersecurity professionals amidst a talent shortage when she summed up his problem: He’s the Man.
“Which I thought was a compliment,” Comey said in an appearance at ASIS 2016 in Orlando, Florida. But then his daughter added, “You’re the Man; who would want to work for the Man? The Man is boring. The Man is crusty. The Man is white and male. Who’d want to work for the Man?”
To be an FBI cyber agent, candidates have to have integrity, be physically fit, and have a cyber specialty. They also have to want to work for the government, which can make the candidate pool extremely small, because not every candidate finds government work attractive.
Comey’s daughter might be on to something, not only when it comes to the FBI but when it comes to corporate cybersecurity recruitment as a whole. What if there are individuals out there with the skills organizations need, but organizations don’t know how to attract them? Or what if those individuals don’t fit the typical corporate mold?
Take Bugcrowd, a crowdsourced security testing company with a community of researchers that finds and reports vulnerabilities for rewards—commonly known as a bug bounty program. CEO and cofounder Casey Ellis launched the community via his Twitter account in 2012. Four years later, more than 45,000 researchers have signed up to be part of the community.
Seventy-five percent of researchers who responded to a Bugcrowd survey said they were between 18 and 29, and 19 percent of researchers were ages 30 to 44. Most striking, however, was the finding that 88 percent had completed at least one year of college, 55 percent of them had graduated with a bachelor’s or postgraduate degree, and all respondents had at least a high school diploma.
Furthermore, just 15 percent of these respondents said they participated in bug bounty programs full-time, meaning 85 percent of researchers participate in bug bounty programs as a hobby or as a part-time job.
“What we’ve seen is a lot of the best, most prolific folk, and best-paid folk that we have on the platform don’t come from a security career background,” Ellis says. Instead, they are often from an engineering, development, or systems administrator background.
“These are folks that don’t work in security, but, lo and behold, they’ve been sitting up until 3 a.m. every night, chatting with their hacker buddies,” he adds. “The cool thing about especially the bug bounty model is that there’s zero barrier to entry. It’s truly meritocratic. If you can come in and prove the fact that you can do this, as evidenced by the fact that you’ve found something that’s valuable, great.”
And for some researchers, this process has led to being hired for positions off of the bug bounty platform. “They work their way up the ranks, they’ll get spotted as unique talent, and actually get a job out of it,” Ellis explains.
“You can teach someone to hack. You can teach someone how to think with that kind of criminal entrepreneurship type of bent, but I think the more efficient path for the industry at large is to identify the people that are already there,” he adds.
Bugcrowd has done this through word of mouth and actively promoting researchers' work on social media. But how can hiring managers at other companies recruit nontraditional talent?
First, they might have to take a hard look in the mirror and ask themselves if they are blind to talent that already exists. Winn Schwartau, president and founder of The Security Awareness Company, has written extensively on this topic in his series Hiring the Unhireable: A Rationale Imperative for Protecting Networks & Nations.
“We don’t have a lack of talent. What we have is a provincial mindset, entrenched over decades, in a flawed Cold War binary philosophy,” Schwartau writes. “Many of the current hiring systems all too often enforce an arbitrary, capricious, and discriminatory set of criteria, which is fundamentally designed to eliminate true, valuable human talent—consciously choosing instead to often default to the center of the bell curve; that 68 percent we refer to as ‘normal.’”
Hiring managers from the United States, the United Kingdom, the European Union, and elsewhere often bemoan that they need tens of thousands of security employees, but can’t find them, he adds.
But “what they can’t find are good security people who fit into their hard-crusted mold of what corporate and government structures have become,” Schwartau explains. “There is actually a lot of truly great talent out there. But we may not see it in the traditional ways.”
To better identify this nontraditional talent, hiring managers need to adjust their mindset and expectations about hiring, says Timothy O’Brien, senior manager of security operations at Gigamon, a network visibility and traffic monitoring technology vendor.
“We are creating this category as hiring managers of talent that we will never hire, yet we’re talking about there’s nobody to hire. In some ways, we’re creating our own problem,” O’Brien explained in his session “Hackers Hiring Hackers” at the 2016 (ISC)² Security Congress, copresented with Magen Wu, senior consultant at software company Rapid7.
Hiring managers often get in their own way when they list a position with a job description that’s all over the place, such as an entry-level position that asks for a Certified Information Systems Security Professional (CISSP) certification and five years of experience.
“Folks have talked to me and said they are trying to break into information security and they basically apply for everything because they can’t figure out what we, as hiring managers, even want or need,” O’Brien adds.
This means that it is especially critical for hiring managers to break down what they want versus what they need, and to take a hard look at what skills an individual will need to possess to be successful in that role in the organization.
“Be clear about what that job will entail, as much as you know, because security changes,” he explains.
O’Brien also recommends that hiring managers consider whether certifications and college degrees are important, or if they are an HR requirement that’s potentially limiting the pool of candidates managers could draw from.
“There’s plenty of folks that I’ve met that have been great hackers, great security professionals, but don’t have a degree because they got so bored out of their mind they could not sit through the degree programs, or they didn’t have the financial capabilities to go get a degree,” he says. “So let’s find those folks with that talent, help nurture them, and help them get that degree.”
If, however, having certifications or degrees is important for filling the position, O’Brien says hiring managers should vet candidates to confirm they did not just memorize information to pass a test, and that they learned and retained the knowledge the certification implies they had at one time.
One way of doing this, O’Brien says, is by asking a candidate during phone interviews about how their personal home computer network is set up and what they would like to improve upon in the next six months.
“I’ve gotten everything from, ‘Well I just have my Cox cable modem and it goes into my computer,’” which is usually the end of the interview, O’Brien says, “to ‘I’ve got this VPN (virtual private network) and a couple of computers…’ and that leads into a series of questions that I have, like ‘On that network, when you open a browser and type in www.google.com, and like magic Google comes up, how does that work?’”
The key is to use explanatory questions in interviews to get a feel for whether a candidate can explain information security and how systems work both to someone who’s technical and to someone who’s from a business background.
O’Brien also recommends getting involved with the recruiting team and human resources to make sure they understand what you as a hiring manager are looking for. And this doesn’t always mean meeting with these individuals in a conference room.
For instance, O’Brien says he’s worked with organizations to create computer emergency readiness teams (CERTs), and that he specifically places a recruiter or a technical person from human resources on the team “so they get more involved and they know what we need, and what roles we’re trying to fill.”
And when it comes to finding nontraditional talent, Wu says that hiring managers should look to conferences, local meet-ups, and online portals. This is because Wu, like others in the industry, encourages job seekers to use these venues to attract the notice of recruiters.
“Get involved with the community—we have such a large community with what we do,” she adds. “Start going to conferences, local meet-ups, giving presentations, writing blog posts, and that’ll get your name out there more. That’ll make you look more interesting to hiring managers.”
While the debate continues to rage as to whether the talent shortage is real and, if so, how bad it is, hiring managers need to reassess their recruiting process to ensure that they are not overlooking qualified candidates who fail to meet their traditional criteria.
“I strongly feel that there’s a lot of talent out there, and we’re actually not accessing that talent pool right now,” Ellis says. “The challenge is to find something, put something together that actually draws them out. And takes them from where they are right now into something that’s more valuable to them and the industry itself.”
And the FBI is taking note, Comey said, assessing the way it recruits talent and how it uses cyber agents to better mitigate and investigate cyber threats.
“We’re not at bean bags and cut-off shorts yet; we do not let people smoke weed,” he explained. “But we’re trying really, really hard to be cooler than we ever were to not only attract great talent, but so when they come to us, they find it an exciting, iterative, agile place to work.”