Cybersecurity’s ongoing battle with a “skills shortage” has seen the sector lose its way regarding talent hiring and retention, says Christian Toon, CISO at London-based law firm Pinsent Masons. In an industry crying out for diversity and innovation, this year’s number one UK CSO 30 Awards winner says he takes inspiration from the Marvel Comics universe to challenge traditional HR approaches and more effectively recruit and keep security talent.
“We have what some describe as a war on talent, because you feel like you are fighting against the next organization for the greater good. I think we’ve kind of lost our way a little bit, both from a delegate or prospective employee perspective, but also from an employer’s perspective,” Toon says, speaking at the UK CSO 30 2022 Awards & Conference. The candidates are out there, he adds, but you have to change the traditional practices for hiring because if you always do what you always did, you’ll always get what you’ve always had.
Don’t hire you, hire the Avengers
Toon makes a point of trying not to hire and build a team that only looks and sounds like him. “That’s not bringing our best solution forward,” he says. Instead, he looks to the Marvel Avengers—a team of fictional superheroes brought together from vastly different walks of life to help fight evil and save the world.
No, he doesn’t hope that Spider-Man will web the latest cyber attacker or that the Black Panther will supercharge his patch management processes, but he does look to build the same diversity of skills and abilities into his own security team. “If you look across the Avengers, everyone is very different. They’ve all got a very different skill or capability that they bring to the fight. That’s how the security team should be.”
You won’t find Captain Marvel sitting on LinkedIn
However, you won’t typically find Captain Marvel sitting on LinkedIn waiting to hit easy apply for her next vacancy, Toon says. “You need to be very different in that approach because the media hype around the cybersecurity skills shortage has prompted a proliferation of recruitment businesses and people trying to place those individuals, which means your trust can often be misplaced as a hiring manager in today’s marketplace.”
It’s therefore about reviewing and adapting where and how you target your recruitment activities, Toon adds. “Working with trusted, forward-thinking partners is the first step, but a close second is getting into the community groups that are championing underrepresented groups. Hiring teams don’t realize there are hundreds out there, and you’re only a Google search away. You’ve also got to think outside of cybersecurity, there are so many sectors to consider where people will be looking to retrain.”
For example, if you’re looking for someone with good communication skills in technology, you’re not necessarily going to find a good candidate in a technology environment since everyone else looking in the same pool. You might find them in other industries such as hospitality or retail, he argues. “It’s about looking at different opportunities to hire. Recently, we found employee advocacy is a big step forward because I think outreach from team members really does go a long way to targeting the next generation of our team.”
Superheroes don’t all wear suits
It’s also important to think about your company culture and what it offers both new and existing security talent, Toon says. “In some ways, what employers are or have been offering is probably not what new [security] people want.” Long gone now are the days of uniform policies that made security people feel awkward when they had to wear a suit as if they were heading to court just to sit in front of their laptop all day.
Where, when, and how people want to work is big in the decision process—9-to-5 is mostly dead now in a lot of industries. Data and cyber breaches alike traverse borders and time zones, so what works for the employee needs to support the business. Dress codes, working time, flexible hours, lifestyle discounts, and well-being and healthcare are all decisive factors in employer selection. “We then also have the whole ‘remote/hybrid’ offering. Some people want 100% remote, some employers want 100% office presence,” Toon says. “You need to know that you’ve got to find your balance, but also recognize the world has changed. Five days a week to do something on a computer I can do at home? No chance. Businesses need to be clear on the ‘why’—why are we coming into the office?”
These changes can be difficult if the organization is steeped in history or has always done things a certain way, Toon admits, and if you start making changes for one, you’ve got to make changes for others. “So, there’s a knock-on impact to consider.”
Copyright © 2022 IDG Communications, Inc.