Nikos Fountas talks about cybersecurity in the HR Tech Arena. He focuses on the need for employee experience and up-skilling employees to improve performance.
1. Tell us about yourself and your expertise
My name is Nikos Fountas, I was one of the original employees here at Hack The Box, and am now proud to be the Head of Business Operations. One of the most important functions and tasks of business operations in Hack The Box is to locate and hire talent from everywhere in the world, in order to build a team that can compete in the vastly competitive market we operate in. This is something that I can honestly say we have done to a great extent. In 2 years of operations, we have cultivated a strong, diverse and multicultural team, consisting of 107 people working hard to keep HTB on top. Prior to that, I have been involved in sales, operations and strategy roles, in which I was building, coaching and leading my own team. Even though I had several responsibilities in this time, I always found myself interacting heavily with recruiters and talent acquisition executives. Sourcing and finding the right people, for the right position, is one of the hardest, and most important, steps in building an effective team.
For the past 10 years I continue to hear the same things said about recruitment within the industry. It has always been the same story of how difficult it can be to find the right talent.
2. What is the issue with cybersecurity recruitment?
A combination of the pandemic, cloud-based working, and the rise of sophisticated cybercrime groups has caused cybersecurity to become a key focus for businesses.
In fact, PwC’s latest annual global CEO survey saw ‘cybersecurity’ jump from fourth to second in this year’s ranking of business growth threats, second only to the pandemic.
Despite the awareness of cybercrime, and the concern from businesses about the impact of security weaknesses, recruitment in the sector is failing to address the issue as the skills shortage continues. There are currently over three million vacancies in the industry, despite an increase in awareness, further training opportunities for professionals and a growing number of universities focusing on cybersecurity and offering esteemed programs that proactively address the market’s needs.
There is another issue for the industry, in that some companies are still unsure if a cybersecurity team is required. With the vast majority of businesses using computer systems to store data, intellectual property, and crucial business information, and attacks on businesses increasing in frequency and the level of severity, the answer to whether a business needs a security member or team is almost always “yes”.
3. Does the recruitment system for the industry need to change?
In the past, recruitment professionals for cybersecurity roles have used certifications as guides to land candidates with the relevant experience and skills, regardless of the certification body or the type of exams. This has been the way of the industry for a number of years – but like most areas of business, this needs to move with the times. Cybersecurity is an industry that requires agile and fast-paced decisions, and this includes the recruitment process.
Formal cybersecurity qualifications are only good insofar as they are substantiated by real skills and abilities. Far too often, we see certifications that people are acquiring within a week, with no hands-on experience acquired. In reality, we know that this is an industry where skills rule – and ability, experience, and real-world skills cannot always be quantified using unproven certifications. Many companies have learned this lesson the hard way by employing a candidate that is not suited to the role.
Linked to this is an over-reliance on certifications, particularly for entry-level jobs. Looking around at job postings for cybersecurity roles, many hiring managers are requesting that candidates hold a CISSP (Certified Information Systems Security Professional) – a certification that requires years of industry experience in order to qualify and obtain the license. For executive management roles, such as CISO positions, this certification would validate relevant experience. But for entry-level roles, such a qualification should not be required, and therefore leaves a vacant role unfilled due to lack of suitable applications.
4. What can recruitment teams do to begin to solve this problem?
The industry needs to start adapting to the current times and making use of more modern methods to quantify skills, attributes and experience of candidates.
It’s clear that having insufficient security staff makes organizations more susceptible to cyber exploitation, and more harm is done because incidents cannot be mitigated effectively. And this is where dedicated cyber training zones come in. These are purpose-built platforms where IT and security professionals can develop their skills in a hands-on, gamified manner, based on the most up-to-date cybersecurity challenges. These training zones are more agile to adapt to the latest security threats, such as cloud security, ransomware threats, or crypto, and are often updated on a weekly or monthly basis to reflect the new challenges impacting the industry all the time.
By recognizing these training zones as legitimate proof of professional ability, recruitment teams can benefit from hiring professionals with hands-on experience of the latest security threats, and how to tackle them.
This is particularly relevant to businesses that require penetration-testing ability from candidates – a skill that requires practical, and not theoretical, knowledge.
Taking this a step further, for businesses with specific needs or those that require very detailed recruitment processes – the hiring managers can engage with training zones/platforms to use the systems for candidate evaluation. What better way to be sure that a candidate has the relevant, modern security skills needed to protect your organization, than to use purpose-built skills platforms to test knowledge and application?
As well as using these training platforms to provide evidence of a candidate’s recent training, recruitment teams should make use of the community forums to locate the best talent for a vacancy. Generic forums or recruitment platforms are not working anymore, as cybersecurity is getting more and more serious, so it makes sense for HR and recruitment teams to advertise their vacancies within communities of dedicated cybersecurity professionals.
5. How can improving recruitment in this sector benefit businesses?
To put it simply, if a business waits for an attack to happen before building a cybersecurity team – it’s obviously too little, too late!
Companies must work on security hardening, designing strong security policies, and building a strong security culture as soon as possible. That crucial work necessitates hiring the right people, at the first time of asking. As long as a job role remains unfilled, a business is vulnerable to attacks.
By changing how these professionals are recruited into businesses, the effectiveness of the new hires will help to drive a more proactive and successful cybersecurity department.
Nikos Fountas, Director of Operations, Hack The Box
Nikos Fountas, and the Hack The Box team, are on a mission to help grow cybersecurity skills by improving the adversarial capabilities of both professionals and organizations all over the world. They do so by bringing together a dynamic hacking community, to take cybersecurity skills to the next level through captivating, gamified, hands-on training experiences. Nikos is Director of Operations at Hack The Box, where he leads on business operations, people and talent management, customer support and strategic projects. Nikos’ passions include innovation, operational excellence, customer satisfaction and frictionless processes. He has gained serious experience in international sales, account management, and strategy during his 15-year career in IT and cybersecurity.