As published in the May/June 2020 edition  of InfoSecurity Professional Magazine.

BY JASON McDOWELL, CISSP

Companies from all industries are looking for qualified cybersecurity professionals to fill the skills gap in their current workforce. Demand is high, and many companies are willing to pay top dollar to those who possess the skills they need. With this high-demand, high-paying environment, what could go wrong? Plenty.

With the exception of companies that specialize in information security, accurate valuation of the cybersecurity role in many companies is still very challenging, and many managers lack even a basic understanding of what cybersecurity professionals do within the organization. Add in the urgency to meet industry-specified cybersecurity requirements, and things can quickly lead to corporate desperation and poor decision making.

Here are five fundamental considerations for every hiring manager to build their cybersecurity teams.

1. Look beyond words to past actions

This should go without saying; however, some industries have been led to believe obtaining specific certifications qualifies the candidate to perform at full capacity for senior information security roles. If the candidate has the experience to back up his or her previous roles, then requesting some detailed descriptions of past projects will likely be met with excitement and pride, rather than abstraction and half-baked answers.

2. Post thorough job descriptions that make filtering easier

With soft and vague job descriptions comes soft and vague candidates. Taking the time necessary to create comprehensive job announcements will pay off in the end—and will increase the likelihood of attracting legitimate candidates with the right skills and the right amount of experience.

3. Remember the importance of character

The cybersecurity role is a position of trust and, as such, the character of the candidate is of utmost importance. Character is not subjective, but rather an objective quality that can be assessed during an interview. A key and fundamental trait of good character is honesty, which can be initially assessed through consistency. Looking for inconsistencies in a candidate’s background should not be seen as rude, but rather prudent, considering the importance of the cybersecurity role. Also, don’t forget basic vetting of a candidate’s references.

4. Watch your wallet

The cybersecurity field is ever-growing, and compensation is continuing to create an understandable draw to the industry. Take notice of what a candidate’s primary initial concern is. Red flags include the candidate calling out a specific salary target before the meat of the interview even begins, or unusual focus on what the company can do for the candidate, not the other way around.

5. Know what’s needed, not just who’s needed, to do the job well

The landscape businesses operate in today demands a basic understanding of information security, and the lack thereof opens the door not only to traditional logic-based attacks, but to human-based exploits by unscrupulous characters looking for fast cash. Ensuring a basic level of information security knowledge for those hiring officials screening cybersecurity candidates is critical for proper vetting.

Cybersecurity is experiencing immense growth, and that means more opportunities for those willing to devote themselves to the field through education, training and job experience. A small amount of due diligence goes a long way in properly vetting new hires. The five considerations above are a great start.

JASON MCDOWELL, CISSP, is a past contributor.