I don't think it's quite as hard as most people make it out to be.
I keep hearing from colleagues and articles that there is great difficulty in hiring a technical security people to work on application security, network security, or devsecops.
If you want to staff and run an incredible security team, it is completely possible to do if you make a few adjustments to your hiring and recruiting process.
I've certainly been there. Tasked with quickly building a decent sized security team from the ground up in locations that weren't the most desirable, I had to be creative in thinking about how to sell the roles and evaluate talent - and I built an amazing team in just a few months.
Think carefully about your job description
I see a lot of job descriptions out there that shoot for the moon. This isn't necessarily a bad thing, but ask yourself if you truly need everything on there on day one, or if some of that might be trainable relatively quickly.
I was looking over a colleagues job description recently (when they had almost zero applicants), and here are a few of the things they were looking for:
- At least 6 years in a technical security role
- 2 years developing software
- Secure software practices in Java, C++ and several other languages
- Pen testing experience
- Cloud architecture and cloud security experience
- Strong business acumen and a leadership personality.
Sounds like a pretty great person doesn't it? Realistically though, no one else on this persons team had even half of these skills, and the hiring manger had trouble articulating to me why each of these things was a strict requirement.
My recommendation: ruthlessly cut requirements down to a bare minimum. Include only what is required to solve the problems you are facing right now. If you find the right candidate, then everything is trainable later anyway when there is truly a need.
Be a remote first team
If you aren't trying to hire the best people no matter where they live, you will have a sub-optimal team (unless you happen to work in one of the major tech hubs and offer above market salary and benefits of course).
I always hire from a remote first mindset. In this industry, location rarely matters and most security professionals expect autonomy and work from home arrangements anyway.
If the whole team is co-located and working well together, it may be challenging to consider moving towards remote first work. The first full time remote employee will definitely have some unique communication challenges from both a team and management perspective.
However, making the move is likely much simpler than you imagine. I recommend creating a remote first culture within your local team as a great starting point - make it known that you don't expect them in the office on any given day, and try to get everyone to work remote.
This has the added benefits of increasing your retention among your current team, boosting productivity in general, and quickly showing you which people on your team are under-performing (since you now have to evaluate based on output instead of based on time in chair).
Look to strong candidates in adjacent roles
The best security professionals often get started not in security, but in sysadmin, programming, or network administration.
If you look around internally, chances are you will find plenty of individuals that are already handling security for you in one of these areas, but simply lack the title.
With a bit of focused training, they can quickly ramp up and produce massive value to a dedicated security program. They bring great technical skills, existing relationships with teams you need support from, and the excitement of a new field.
This is best when it comes internally, but don't write off external candidates too quickly either. Some of the best hires I have made had no formal security background, but had been personally interested on their own.
Try to throw out keyword filters
When I pass a job description to HR, I try to be careful about keywords included. If I put a few years of Java on the description, it's possible a recruiter will throw away the top C++ professional in the country before I see their resume. I don't want that.
Instead, if I need programming expertise, I ask for programming expertise - language agnostic. Any programmer worth their salt can get productive in a new language in a matter of months, sometimes in days.
If you think about investing in your people over the long run and building amazing teams, I think you'll have better success.
Update your interview process
If you are still using trivia interviews - stop. Trivia includes anything that can be googled in 5 minutes or that you might learn in a college course but are unlikely to actually use in a given month on the job.
I have used behavioral questions and white boarding questions. I personally find the best method to be looking at a recent project someone has completed (last 6 months - 1 year) and going through it with them thoroughly.
I try to evaluate them based on how well can they explain what they were trying to accomplish, their choices & trade-offs, challenges & solutions, what they learned and would do differently next time, etc.
Second to that is working through an existing problem that I am facing. For this to be successful, you have to check your own ego at the door and make sure you don't have preconceived notions of the right solution, or you might miss something interesting.
If there are specific skills you want to test, like analyzing a pcap file or pen-testing windows, send candidates a challenge they can complete ahead of time, and then talk through it with them during the interview.
I find that the right mindset when interviewing is to have the goal of learning as many new and interesting things from the person I am interviewing as possible. If I learn a lot - that's a great sign!
What about HR?
Some of these practices may run into HR blockades. Remote first work, less restrictive job descriptions, and hiring into highly paid positions from adjacent fields are often anathema to HR professionals.
But as a hiring manager it is your job to create the strongest performing teams. Sometimes that means working to change how HR thinks about these roles, and getting buy in from your leadership.
I promise you, it's completely worth it.