A Wharton expert examines cybersecurity hiring best practices

View large image

A guide to the c-suite, human resource professionals, and talent acquisition, the book “Can. Trust. Will: Hiring for the Human Element in the New Age of Cybersecurity” is a practical guide to build unbeatable cybersecurity teams through advanced hiring processes and focused on-boarding programs.

Written by Leeza Garber, a cybersecurity and privacy lawyer and consultant at the Wharton School, and Scott Olson, a former FBI agent who created the Bureau’s Leadership Development Program, the book includes interviews with Fortune 500 chief security officers, chief information security officers, and high-ranking government officials, among others, and details how successful cybersecurity ecosystems are best built and sustained.

Garber, who teaches the Internet Law, Privacy, and Cybersecurity course at Wharton, says her interest in privacy issues was shaped in part by her experiences at the University of Pennsylvania Carey Law School.

“While many people and events shaped my career, my privacy law course at Penn Law was certainly influential,” she says. “Anita Allen [the Henry R. Silverman Professor of Law and Professor of Philosophy]—who rightfully calls herself ‘Grandmother of Privacy’—provided a brilliant introduction to privacy philosophy and legislation, and I remain grateful to her for that. The course was influential in that it helped me realize I could help shape the narrative of an evolving area of the law—privacy law, and cybersecurity law, for that matter—are not only powerfully important, but cutting edge as well.”

The following excerpt is adapted from “Can. Trust. Will: Hiring for the Human Element in the New Age of Cybersecurity” and reprinted with permission.

Many organizations talk about their company culture, and the idea of fitting into that culture. But on the flip side, it is vital to value differences in perspective, unique approaches to problem-solving, and diversity in general. This is especially true in the field of cybersecurity, because the stakes are so high. Without diverse mindsets and thought processes, you don’t have a team; you have several people with one opinion. The reason high-functioning teams perform at a different level is because the process of working with different approaches produces a better result.

Without differences of opinion and differences in thinking, your cybersecurity performance will suffer. When you start with the structure of, “What do I need?”—What are the technical things, and what are the behaviors—the stuff that’s not important will fall away. Mainly, “Do I feel one hundred percent comfortable with this person?” If you have finally found the unicorn that meets the things you need, nothing else will matter, because you’re going to be so happy that you found the person that you actually need.

Teamwork can coexist with cultural differences. In fact, it can thrive with diversity. Yet it is so difficult for people to hire someone when that person is someone that they just do not like, someone that’s different.

The fundamental key to using behavioral characteristics to differentiate between candidates is to understand that behaviors are specific to the job and to the individual, and that the purpose of the hiring process is to connect them. Behavioral characteristics are not general—there is no generic set of behaviors which correlates generally to success or failure. While it’s true that there are a variety of publicly available behavior profiles available without much searching, be aware that using them can lead to bad hiring decisions, and in some cases, litigation.

The properly prepared and executed behavioral interview is crucial to getting this right. And it starts with asking: Who do you actually need? Begin by working through the particular job role and categorizing the behaviors of previous employees. (Remember, even if it’s a “new job” for your company, someone may already be doing—or outsourcing—the work. That’s probably why you’re hiring, and it means you have behaviors to analyze.) As you work through this analysis, break down past behaviors into those which lead to success in the role and those which lead to failure.

In cybersecurity, there are many roles that may require seemingly negative behaviors. For example, however you label the job that is tasked with handling internal employees who have mistakenly clicked on a phishing email: that employee must be able to act in a disciplinary function frequently. You can’t do that if you’re a “nice guy.”

You have to have a certain amount of drive, a certain aggressive nature to you, tempered with restraint and diplomacy. And you have to be unconcerned if the person you are speaking with is a mid-level accountant or the Chairman of the Board. This role could also likely include the requirement to tell senior employees—from the best sales person, to the managing partner, to the CIO—that they simply must participate in the new dual-factor authentication program (and, unfortunately, it typically is the more senior employees that refuse). To be able to say, “Listen, I know you’re in charge,” but still—“We have to have a talk,” while remaining forceful and respectful. You are telling them something that you know they don’t want to hear, but you are going into that conversation saying, “Look, I know you bring a lot of money into this firm but as much as you’re bringing money into this company, I am making sure that money doesn’t leak out the bottom of the ship.” It takes a unique personality to come in and say, “This is important. I get that you don’t think that this is important, but it really is—and here’s why.” And that you won’t let it go any more than the managing partner or CIO is going to let anything go that they think is important, because you are both a part of the team.

Taken from “Can. Trust. Will: Hiring for the Human Element in the New Age of Cybersecurity” by Leeza Garber and Scott Olson. Copyright © 2022, and reprinted with permission by the publisher, Business Expert Press.