FILLING THE GIANT VOID IN THE CYBERSECURITY TALENT POOL
I was the only HR person
Speaking (or even attending) at CyberSecurity Asia, so I was thankful to them for inviting me. My technical skills are limited to a bit of Python and Bash, and I can use Nmap, Maltego and Metasploit. I’ve worked as a talent consultant to cloud, security, and crypto security vendors. I picked up my fashion skills in the advertising industry, which was actually just like being in Mad Men.
As my slot was 12:30pm to 1:10pm, I kept the talk crisp and light-hearted.
However, this is a serious topic and I took it seriously. During my talk, I shared a few new ways of acquiring specialist security talent, and the speakers and panelists at this event also discovered that I had compromised their personal data the previous Sunday morning with a few simple recruiting hacks.
Many of the attendees arrived that morning in a GrabCar, taxi, or bike. Some took advantage of our social carpooling offering, GrabHitch. Those visiting from outside South East Asia may not know Grab. We are South East Asia’s leading ride-hailing platform, solving transport challenges to make freedom a reality through commuting solutions for drivers and passengers, as well as providing a proprietary mobile payment platform, GrabPay. I joined Grab in 2016. I was drawn to their industry leadership, desire to make a positive social impact, and their inspiring management team, Anthony Tan and Hooi Ling Tan.
“We’re about 500,000 security professionals short of the needed jobs. There’s just not enough security professionals to go around.”
Kurt Hagerman - Armor
Even worse news
That the bad guys are having no issues hiring. Cybercrime is estimated by HBR to be a 445 billion dollar business. That’s almost as much as two other dubious, dark industries: advertising (500bn) and staffing (450bn). Talent shortages may be severe in the security space, but take comfort in the fact that you aren’t alone. There aren’t enough data scientists, there aren’t enough AR/VR engineers, there aren’t enough digital talents, so you can learn from others who are trying to solve the same problem. In this presentation, I’ll share some insights into our approach at Grab and some personal approaches too. The hacking stuff isn’t endorsed by my employer, so let’s keep this between us.
To give you some insight into how we changed our approach to hiring at Grab, I’ll set the scene. When I first joined, we were heavily reliant on recruiting firms to introduce hard-to-find talent, and our overall approach was very tactical. The first changes I made were structural, and harnessed lessons I’d learned in the advertising industry.
It’s easy to hire with a short-term mindset.
In fact, many people reduce it to this simple transaction: send out a job advert, screen applicants, and make a decision. I call this the HR Firewall. As a result, many marketers and recruiters have changed tack. They’re reaping the rewards of an inbound strategy -- one that focuses on building relationships over making a quick buck. Forward-thinking recruiters are using this framework to build relationships with candidates well before the application. At a time when getting the very best people through the door is becoming harder and harder, engaging the candidates who don’t apply might be the best way to win the hiring game.
I know what you are probably thinking. An inbound marketing strategy is about creating content that helps you get found, and it’s a long-term play. It won’t solve your immediate recruiting challenges. To address the need to provide just-in-time (JIT) talent, you need a capable sourcing team focused on pipelining for specific departments. Sourcers have a very similar mode of operation to social engineers. A quote I like from a social-engineer-org post puts it best: “Sourcers and Social Engineers are exactly the same just with different intent and goals.”
If you have a big enough team, focus your recruiters by asking them to specialise in a functional area. This deepens knowledge and increases partnership with the business. Rotate them across functions to stimulate personal growth. Your sourcers can focus on the first funnel (passive lead to conversion to candidate), and your Talent Acquisition team can consult with the business on org design and rewards, then close candidates who are already engaged. Above all, make sure the requirements are well-defined.
Robots did our homework
Even if you get the requirements nicely defined... don’t you agree that there are some terrible job descriptions in front of the HR Firewall? The tech now exists to quantitatively predict, with a high degree of accuracy, whether a document or email you are writing will get you the result you want. In February, we refactored all our job ads using the AI tool Textio (disclaimer: free trial) and completely re-wrote our job advertising copy. The results are clearly visible in the pic below, as we drove a major uptick in the quality of our job ad responses.
In addition to reducing the share of agency hires from more than 30% to 3%, the AI-optimized approach to content saw our inbound (applicant) hiring nearly double.
In tech, we all love tools. And I’m sure you would agree, this post wouldn’t be complete without a tools section. I’m now going to show you some of the tools I used to obtain personal contact information for most of the panelists and speakers at the event.
Technology & tools are not a silver bullet for recruiting
Even if we wish that they were. Your sourcing team needs to be equipped with the right weaponry in order to deliver results. We use the infosec tool Maltego for secondary research, Dux Soup and Data Miner for web scraping, Beamery for CRM, passive candidate campaigns, landing pages and SEO, and HireTual for locating hard-to-find engineers. Lastly, we use a disgusting app called “Stalkface” (sorry guys) which can find stories commented on, groups, places visited, and pictures liked and commented on for Facebook users we aren’t friends with.
I bet you are getting more curious about how we put the tools to use. Honestly, finding security talent isn’t difficult if you know how to search. Using a combination of techniques, including X-ray search, social engineering tools like Stalkface, and automated email discovery tools like ContactOut, you can discover a lot about a complete stranger in seconds. At this point, I revealed the details I’d scraped and captured the weekend before the event via a QR code so the panelists could verify them. Remember, these are security professionals who are supposedly harder to track. Apparently.
As you can imagine, some of the speakers and panelists were quite surprised at just how much information was available about them using a couple of (mostly free) Chrome browser extensions.
At this point, I’ve got to give a big hurrah and thank-you to Dan Tentler (@Viss on Twitter) of the Phobos Group, who was surprised to hear from me via his personal mobile number with an invite to have breakfast, and even more surprised that an HR person would know how to use the OSINT tool Maltego.
Oh and by the way, you should definitely move to Asia, Dan. You totally nailed the ratio of selfies to food pics to overall pics to fit in just perfectly here.
In this final section, we’re going to cover two other possibilities. One is a tried and tested method which can make you a magnet for high-performing security talent. The other is about reframing your definition of what great talent looks like.
So you don’t need to use a bunch of tools and hacks to find talent. If you set things up right, bug hunts and competitions are a great lure for talented security pros and amateur white-hat hackers. This is something the security industry already does really well. It’s harder for smaller firms to offer large incentives though, which brings me to….
Virtual reality / augmented reality developers are currently harder to find than a seasoned CISSP. I’m pretty sure that if I wore a VR headset and held up a sign saying “looking for work” in Chinatown in Singapore, I’d be hired in under an hour. Hackathons are a fantastic, fun way to identify talent. In the VR industry, with current investments topping 2.3 billion in 2016 and only 16% of game developers working on VR/AR, I see another major shortage coming. All the ecosystem players are getting in on the act. At this event last month, we saw mentors and prizes fielded by Ubisoft, Unity, HTC, AMD and more. Of course they weren’t there just out of generosity. They were there to recruit. If you want to know how to hire security talent, perhaps a hackathon is it?
I’ve seen this “talent shortage” thing before. At my last employer, GroupM, we had to find and recruit 3500 people in 2016 in Asia, 69% of which needed a “digital and data” skill-set.
Hacking is a mindset, not a skill-set
Only by looking at our needs through a different lens were we able to meet this goal. You simply have to be realistic and compromise. As an example, skiptracers are experts at finding people. They usually work for debt collectors or bail-bond companies who are trying to track down individuals who owe money.
Just remember, it’s better to try (something new) and totally fail when it comes to hiring, than try nothing at all. I’m hopeful that security professionals in need of more talent can approach this problem with a hacker mindset, and beat the villains!
Thanks to everyone I met and interacted with, especially the Blockchain gang.