She helps people break into cybersecurity: an interview with ‘super-recruiter’ Renee Small
The cybersecurity skills shortage is growing exponentially, and companies need another 3+ million trained workers to fill the gaps. Renee Brown Small, who has been recruiting technology professionals since 2001, comes to the rescue.
During the interview, I called Renee Small, the founder and CEO of Cyber Human Capital, a ‘fixer’, and she liked it. Companies hire her so that she would bring cybersecurity talent to them.
“These are the rock stars of security, and so you have to hire them like rock stars,” Renee once said.
According to various surveys and reports, around three in four cybersecurity leaders face a talent shortage and find it hard to hire skilled people. According to the non-profit certifications organization (ISC)², this year, for the first time ever, we saw the cybersecurity workforce gap decrease - from 4 million to 3.1 million. Infosecurity reports that not all of this is good news, and the closing gap can partly be explained by job losses as COVID-19 hits security budgets.
All in all, demand for cybersecurity professionals is constantly growing, and companies are struggling to find the right people to fill the positions.
Renee Small has been recruiting technology professionals for almost twenty years. She is consulting companies to improve their cybersecurity hiring process. Renee wrote the book Magnetic Hiring and shared some secrets on how to find the right person for the job. Also, she has been running the Breaking Into Cybersecurity podcast.
The skill shortage is growing exponentially, and it makes sense, reckons Renee Small. Due to the COVID-19 pandemic, people, including kids, are online most of the time, and cybercriminals have "this big open field that they didn’t have before.”
“We have more devices, and all of the connected devices mean more and more vulnerabilities. So it makes sense that we need more talent to help with this. If you have an explosion of a population and more people having babies, so you need more OB-GYNs, you need more daycare centers, you need more schools. So it’s the same thing when it comes to cybersecurity,” she told CyberNews.
You are looking for cybersecurity talent. So I have a general question for you - what do you consider to be a talent? Is it a person who already has certain skills, or can it be someone who doesn’t and can be trained on the job?
There are two different types of talent. There’s early career talent - people who are new to the industry and can be trained into their new roles. And then there’s obviously seasoned talent - folks that likely have 5 years or so of experience in the industry.
I look into this from a perspective within cybersecurity departments. I also know that there are cybersecurity companies that look for talents like a marketing person, a writer, or an editor - people who are coming from different industries and doing the same for cybersecurity.
In my space, it’s focused on actual cybersecurity departments that are composed mostly of people with technical expertise, risk management, and policy expertise as well.
Is the industry willing to hire inexperienced talent?
The people who leaders like to hire the most have the experience. It’s a little bit of a catch-22 because you have entry people who are very interested in the field, who have gone to college or grad school, and some are self-learned, so they are teaching themselves. They may not necessarily have the depth of experience yet and need to be trained. It’s taking them a much longer time to break into the industry.
I have a podcast ‘Breaking Into Cybersecurity’, and the reason why we started the podcast is that we had so many people who were coming with this very limited amount of experience into the industry, and it was very hard for them to break in.
It seems not to have changed that much. There was a recent WSJ article talking about job descriptions asking for entry-level people with all these years of experience. It’s been a big challenge with folks trying to break into the industry without having the experience. I understand that everything is fast-paced and moving quickly, and companies need people who can hit the ground running. But we’re going to have this bigger gap. It’s going to get bigger if we don’t figure out a way to close it by bringing in people who want to get in but are having a difficult time doing so.
So there’s a problem from the employers’ side - they create barriers for people to get it? At the same time, there's a skills shortage in the industry?
That’s a real struggle. I understand when it’s a small organization, which is stretched for talents, money. But when it comes to some of the larger organizations... They’ve been getting better at it, really bringing as many entry-level people as possible to be able to groom and grow and create pipelines of talents to come in. It is really important. Also, bringing in people at different stages of security.
I tend to relate to the medical industry because my mom is a retired nurse. Everyone isn’t a brain surgeon. You have these specialty fields that take 10-15 years of experience to open a skull and do work. But you also have certified nursing assistants, pharmacists, physician assistants, I mean, all of these people that make up this team that helps this patient get better.
It’s the same way in cybersecurity. We need pathways, we need people who can come at the very ground level, then people who might need one or two certifications and a college degree, and then the grad level. We should have multiple layers of pathways for people coming into the industry and not just one way in or one way up.
You also once said that some of the cybersecurity experts are rock stars, and you should hire them like rock stars. It seems that some of the biggest rock stars have founded their own companies, and so they are not even for hire anymore. Is that a problem?
I don’t think that’s a problem. It’s fantastic when you have folks who can start their own companies. It just brings another level of diversity. They are coming with their perspective, drilling down to their expertise, and hopefully helping those big companies that may not have this tool or solution for their challenge. I don’t think that there are enough of those folks out there to really make a difference when it comes to needing talents as a whole.
During the MIT Cyber Secure conference, someone said that cybercriminals are actually the smartest people in the cybersecurity industry, and because they get paid much more than they would if hired legally, they don’t want to stop their wrongdoings. Do you think the rock stars of cybersecurity get paid enough?
Recently, I was having a conversation with someone in the industry, and I told him that, if I were running an organization, I would be getting people who may have a criminal background and think the way that cybercriminals think. If I want to figure out how to secure my home, I want to talk to people who are breaking into homes all the time. If I want to figure out how to secure my car, I want to know who the carjackers are and how they think.
A lot of cybersecurity is psychological. When can I catch Renee at a right time, or when is she likely to click on this email? I think what ends up happening when you are looking at all of these ways that cybercriminals are working, and the type of money they are getting by being criminals, and I think the vast majority of us are good people, we want to do the honest thing. There’s a small percentage of people who have criminal minds and want to go down that road. I think that the vast majority of people, even if given the opportunity, probably wouldn’t want to go down the criminal road.
However, there are interesting aspects of the compensation component. There are challenges when it comes to large organizations and looking at how much cybersecurity professionals get paid in comparison to other IT professionals or other professionals.
We recently discussed the salary bands when the company would say that somebody with experience from 3-5 years fits into the band of, let's say, $80-90ks but somebody in cybersecurity could easily earn $150k. So, some of the nuances of the expertise and the skill is a space where companies should really look at their salary components, and how much they value these types of employees. I have heard from leaders that the budgets typically, depending on the organizations, can be very tight, but, I think, it boils down to how much an organization values their security staff. If they believe you are keeping-the-lights-on kind of staff, they are not going to come up with that level of money. But, if they know that this is the core part of their business, then, hopefully, they do.
Is the skill shortage driving the salaries up?
If you are a security architect, and you know how to secure AWS cloud or the cloud in general, you are going to command a higher salary than someone with a different type of skill. That very specific skill set is very important, and it drives which roles pay more. Risk management, the policy, most of those roles don’t pay as much as a security architect, engineers, incident response leaders, and those types of roles. They command higher pay. They just do.
Do you think there are certain stereotypes, for example, around women, that impacts the skill shortage?
My personal experience was very different. My dad was a college professor, computer science professor, and girls did what boys did, and everybody learned the same things. But I’ve read some studies. From what I’ve read, the girls are not being encouraged as much to get into the field, and they believe this is what boys do.
A couple of different things that can help is exposure overall. Showing women other women who are working in the field, and they are not in hoodies, and not in dark rooms, and showing young people what security looks like. That’s how you begin to get more women in the field.
From your public bios, you seem like a fixer who comes to an organization and helps it find the necessary cybersecurity specialists. Can you describe your work?
I absolutely love what I do. I think this work is fascinating, and companies typically reach out to me when they have a position that it’s difficult to fill. A lot of times that has been cybersecurity positions open for many months, sometimes a year, and they had a very hard time attracting talent or closing talent that they do want to bring in, but they have a hard time filling those roles. I wrote a book “Magnetic Hiring” to share with leaders what they can do to attract these people into the industry. A lot of it comes with just understanding what people are looking for, understanding the human aspect.
At the end of the day, people work for other people. This profession is niche, is specific, but at the end of the day, I’m working for another human. Just being able to match what the leader is looking for, and the person from a technical and non-technical standpoint, find out what a person is looking for, and making the right matches.