
How to Identify, Acquire, and Retain Top Cybersecurity Talent

Andrew Nuxoll


Sr. Director of Infrastructure, Operations, and Cybersecurity at UNICEF USA


Regardless of your industry, acquiring and retaining top-tier talent can be challenging. But with the surge in interest in cybersecurity, finding the right fit for your team can seem a monumental task.  

Andrew Nuxoll, Senior Director of Infrastructure Operations and Cybersecurity at UNICEF USA, discusses this challenge with Quartz Network Executive Correspondent, Britt Erler, and explores how to identify, attract, acquire, and retain top cybersecurity talent by following these guidelines:  

  • Setting realistic expectations—and realistic requirements 
  • Overcoming the experience paradox 
  • Identifying essential characteristics of a top candidate 
  • Implementing the right retention tools 
  • Paving a path to individual and team success 

Quartz Network: Would you please provide some context about your background and your current role? 

Andrew Nuxoll: Well, I’m happy to say I’m supporting the children of the world and UNICEF USA’s mission to support them and ensure they have the things they need to have successful lives. My role encompasses infrastructure operations and cybersecurity. I’ve had a role in some part of that for the past 25 years. I’ve obtained my CISSP, CCSP, CISM, CGIT, CDPSE, and so on. I’m very passionate about cybersecurity and IT in general. I’m happy to be able to use my talents to support the mission of UNICEF. 

Quartz Network: Something we’ve been hearing a lot within the industry is that there’s a shortage of top cybersecurity talent. Do you agree with this? If so, why do you believe that’s the case? 

Andrew Nuxoll: It’s kind of a trick question. If you ask a hiring manager or recruiter, their answer would probably be yes. It can definitely be hard to find good cybersecurity talent, but the unfortunate thing is that the perceived skills gap that does exist is mostly self-imposed. People with skill and talent in cybersecurity frequently aren’t even considered for security roles. I think we’re nearing a paradigm shift when it comes to hiring cybersecurity talent.  

One common problem I see that isn’t unique to cybersecurity, but it’s prevalent, is what I’ll call the experience paradox. I still see job postings or notifications on LinkedIn asking for 10 years of experience in a product that’s only been released for three years. Obviously, especially for senior-level roles, an organization is going to want to hire experienced individuals. Even the most senior of resources isn’t going to have 15 years of experience in Azure Cloud Security or even 10 years with Kubernetes because neither of those products has been around for that long. It also extends to junior-level resources. Are there really too few resources capable of functioning in a security role? Or are the expectations for those types of roles unrealistic?

I’ve seen entry-level job postings that prefer a particular certification that coincidentally can’t even be obtained without five years of time in a security role. How is anyone ever going to get certified? They have two options. One, catch on with a company that recognizes their talent and gives them the opportunity to grow in a cybersecurity role to gain the experience that the certification requires. Two, they can lie on their application and hope that somebody vouches for them.  

The reality is, if a hiring manager begins the recruitment process without clear and realistic expectations, they probably aren’t going to have great success finding candidates. You really have to understand the requirements of the role you’re filling. If you do want a junior resource, don’t expect to be leafing through resumes full of certifications or pages of candidates that have security in their job title and so on. 

Quartz Network: So, it’s not that there’s a lack of cybersecurity talent; it’s really making sure that the job postings you’re putting up have the correct requirements for that role. Also, being open-minded to bringing on cybersecurity professionals and giving them the opportunity to grow and learn within the role you’re hiring for.

Andrew Nuxoll: I think a more reasonable approach is really to dig in and evaluate an applicant’s skill. It isn’t always a quick process, but it’s important to identify what they know. You have to determine where they’ve been exposed to cybersecurity in the past. Just as importantly, are they passionate about it? If so, how can they contribute when they join your organization while simultaneously being trained to take on more responsibility?  

I mentioned earlier the paradigm shift that I think is taking place. I think we’re on the verge of having to treat cybersecurity almost more like a skilled trade than we do other typical roles. Without that type of change, we’re never going to be able to get the resources and they’re not going to get the experience they need from an apprenticeship perspective to grow into an advanced cybersecurity role. 

Quartz Network: In your experience, what do you believe are the top requirements for a cybersecurity role? 

Andrew Nuxoll: Well, the requirements are obviously going to be role specific. An architect is going to have different requirements than a pen tester. Similarly, a senior-level role should demand more experience than a junior-level role. When I think about the most successful cybersecurity practitioners I know across many different roles that I’ve led, worked with, or encountered in general, there are definitely some common characteristics that pop up.

The first of those is going to be an individual who’s passionate about cybersecurity. It isn’t just a job; it’s a subject they really enjoy. There’s a colleague of mine, for example, that I respect and talk with frequently, who was venting about how many hours of continuing education were required to maintain their certifications. But ironically, when they went to log everything, they realized they had more than doubled the amount needed just from webinars they attended, education they participated in, presentations they gave, or conferences they attended. This person has clearly immersed themselves in cybersecurity. The passion that drives them to learn is really what’s helping to make them successful.

The second characteristic, I would say, is someone that’s committed to research. If you can find someone that really loves researching problems and issues, they’re probably going to be more successful than someone that doesn’t. I don’t mean they have to be the type of person that is writing white papers for fun or something to that extreme. It’s more about identifying someone who’s relentless when they’re driving to understand a topic, or who always keeps research in mind when it comes to solving a problem. They’re also the type of person that taps into their professional network for help. If they see an article about a data breach, they’re not just going to read the headline and regurgitate that in their next conversation. They’re going to try to digest it, learn from it, ask how it applies to their role, and ask what they can do to protect themselves in the future.

The third thing is something I’ve seen more often recently—a candidate that has mentors they lean on, and really likes to engage someone to help them grow in their career. From a professional standpoint, having a mentor or coach you can rely on for advice is a great thing. It helps you really learn business practices, in addition to technical topics, and can give you an outside perspective that you might not have gained otherwise. So, someone that has mentors or really looks to rely on leadership to grow is a type of person that is probably going to be successful in the long term. 

Quartz Network: Is it realistic for someone with IT experience to transition into a security role? 

Andrew Nuxoll: Absolutely. I think we can all agree that basic IT experience is fundamental to be able to perform in a cybersecurity role. As time goes by, more and more companies are beginning to focus on improving their security posture, and in many cases, doing it in the absence of a formal security team, at least to start out with. That doesn’t mean the people doing the work aren’t really security professionals, it just means they don’t have that title yet. On the contrary, they’re the ones building a new security program, which is great experience foundationally. Whether they end up standing up an endpoint protection system or configuring a network or firewall for security, or even working on client security at the endpoint level or end user level, they’re all gaining critical experience that they can use along the way. That’s your pipeline for junior-level security talent. It should be happening organically.  

Interestingly enough, I think the lack of abundant security resources directly correlates to slow adoption of cybersecurity practices. If you have an organization that is lagging behind in developing a cybersecurity program, they’re not going to have the pipeline of talent to really support it—they’re going to have to look outside. What I see now is, industry wide, organizations are beginning to place that focus on cybersecurity. There really are more junior-level resources available than there were before, but in many cases, they just haven’t grown into those formal positions yet. 

Another part of the experience paradox that I mentioned earlier is a candidate who has worked in IT developing security practices or installing tools—are they really a junior level resource? Quite frankly, they’re probably not going to want to be called that when they move out of their current role. They’re an administrator, engineer, or technician, so they have much more experience than they’re given credit for. Something as simple as a title means a lot to some people, although I don’t think it should. 

Quartz Network: In your experience, how do you build a strong cybersecurity team? Where do you start? 

Andrew Nuxoll: I’m a firm believer in promoting from within whenever possible. Sometimes, it’s too easy to get stuck on the specific technical requirements of a position and forget about the other experience and intangibles that can provide significant contributions to a team. There’s always a ramp-up period for new hires, and it’s hard to accomplish much of anything or really add value in the first three months of a new role.

The technical part of the role is obviously important, but so is understanding the business and its mission, building relationships, and getting familiar with the core processes and technologies that go along with a new role. So, regardless of whether you can hire from within or not, there are a number of other ways to build a strong team and strengthen the existing team. Obviously, providing training or other educational opportunities to employees is key.  

There aren’t many industries that change or evolve as quickly as cybersecurity. There’s something new every day. The threat landscape is constantly changing and evolving, and new vulnerabilities surface daily. If you aren’t enabling your team with opportunities to learn about the challenges they are facing, you’re really limiting their potential. This extends to promoting engagement and user groups, community engagement, attending webinars and conferences, and just finding ways to get people education relevant to their roles.  

Also, encouraging team members to learn about other parts of the business they’re supporting is really beneficial. It helps to understand the technologies partners are using, their goals, challenges they face, and so on. This type of knowledge often helps to identify and address concerns that might be leading to poor security practice or other inefficiencies. 

Quartz Network: Once you get a strong team on board, what are some ways for retaining them? 

Andrew Nuxoll: A big part of it is providing your teams the tools they need to do their job. I’m sure everyone’s familiar with the saying, “A chain is only as strong as its weakest link.” You can have great people, but if they don’t have the tools they need to be effective, you’re going to face difficulties. Think about something like alert management, for example. I consulted with a company a while back regarding improving their cybersecurity program. Not long after that engagement, they implemented a Security Information Management (SIM) solution. I spoke with the woman that ran the program afterward, and she was shocked at the amount of data they were collecting. They literally had millions of alerts being processed each month. I’m not talking about a massive company; it was a rather moderate-sized company by most standards.

Fortunately, they had some good fundamental security practices in place. They were taking a proactive approach rather than being reactive. But they made a comment, and I paraphrase, “I have no idea how we were effectively securing this environment prior to putting this tool in. How in the world could a team of five people really manage without this?” At a minimum, if the team is really scanning all the alerts that are coming in, they’d have no time to do anything else. The team must have cycles to be proactive, in addition to performing the reactive work that they have on a daily basis.

I would say that you want to make sure that you’re providing the education and tools that are necessary for your team to be impactful and really perform their job. There’s really not a simple answer to this question. It’s hard to retain cybersecurity talent because it’s just in demand. It’s a supply and demand issue. Demand exceeds supply, and that leads to complications. So, if you’re not giving your resources the tools and empowering them to perform their job, it’s easy to lose them. A recruiter I work with a lot admitted that many expletives are strewn about when a new placement request comes in for a cybersecurity professional.

There are other keys to retaining talent that are mostly common sense. Career pathing and providing the right opportunities to continue to grow in a position are important to cybersecurity professionals, like they are anyone else. Setting clear goals and remaining engaged to track progress goes a long way with people. One thing that’s often overlooked is the importance of just remaining engaged with individuals and teams as a whole. Trying to find a way to get together, especially in a remote workforce, and facing the difficulties that we are right now, is something that really helps keep people interested and feeling important.  

I think all too often, InfoSec resources end up feeling isolated to begin with. When you complicate that with a pandemic, it obviously gets even worse. I’ve noticed that many organizations I’ve worked with have high turnover in InfoSec. The same ones that were hesitant to invest in a cybersecurity program are definitely impacted more than those that are not. As I mentioned earlier, with the security landscape changing so rapidly, you’re going to have this type of issue in the field. Talent likes to work with good cutting-edge tools, they like to have the education to do it, and they like to feel supported along the way. If you can accomplish all those things, you’ll probably do a good job of keeping your talent. 

Quartz Network: With COVID hitting, this new virtual environment, and now the threats that most companies are seeing with their entire workforce going remote, has cybersecurity really become even more of an interest to a lot of new professionals coming into the workforce? Is that the case, or am I wrong in assuming that?

Andrew Nuxoll: I definitely think the more you see cybersecurity in the news, whether it be in a positive light or in response to a breach or anything along those lines, it all contributes to increased interest. So, I would agree. There’s more interest now, and that’s peaking with the remote workforce and all the complicated tools and requirements that go along with supporting those groups. 

Quartz Network: Any final piece of advice that you have for leaders in a similar role as yourself? Not necessarily even in the cybersecurity sector, but leaders whose roles have expanded, they’re managing new teams. What pieces of advice do you have for them? 

Andrew Nuxoll: I think that you just need to be reasonable about your expectations with new resources and understand that people skills, a person’s ability to learn, and their overall work ethic are going to play a significant role in their success as a cybersecurity professional, just as they would in any other role. Like I mentioned earlier, don’t get hung up on needing specific niche expertise in given areas. Understand what the resource you’re considering has to offer and how they fit in. Are they a good culture fit? What can they do to gain experience while they’re in their ramp-up period, and so on? That will really help you to identify and retain good candidates.
