You are listening to Kbkast, the cybersecurity podcast for all executives cutting through the jargon and height to understand the landscape where risk and technology meet. Now, here's your host carissa. Breen.
Joining me today is Rosie Anderson, director of Client services from Honeypot Digital. And today we're discussing cyber security security recruitment industry specific to the United Kingdom market where you're based. Rosie, so welcome. I know it's late for you, so I really appreciate you staying up late and chatting to me today. I'm really excited to have you on the show simply because I've actually never spoken about recruitment stuff to this level before. So welcome.
Rosie Anderson (01:03)
Thank you so much for having me on. To be honest, I work quite late anyway, so this time really works for me. My little children are in bed, so it can't distract me too much.
Oh, good. Okay then I guess I don't feel as bad for keeping up late. So, Rosie, I want to start with your opinion on the controversial topic of do we have enough cyber talent? Now, I have seen people argue, get into quite serious heated debates, that there are many a four and a gangster. But what's your view?
Rosie Anderson (01:32)
So we don't have a shortage of people who want to enter the industry. And for anyone who is looking to sort of get their first cybersecurity job, they really have got to do a lot of things to showcase their knowledge and use the power of networks to get that first job. So I agree, we don't have a shortage of people who want to get in, but we do have a major shortage of skilled security consultants. What I think happens though, is a lot of businesses think about the immediate term, so I have a new system that I need to fix or I've got a problem that he's solving without taking that more strategic view about how to build those teams. So, for example, you can bring in an expert, for example, Identity Access Management. You might be implementing a new system, but you should also look to have somebody already in the business or a junior to shadow that experienced person or crosstrain someone, like I say, from a different business area. Areas like identity, access management, DevOps Cloud. They are massively talented. We get really heavy contract markets. Typically, contractors can work and earn anywhere between five to seven, £800 a day in those markets.
Rosie Anderson (02:43)
So you're really going to struggle to find somebody on a permanent basis. What happens is Company X decides to implement a new system and Company Wide wants to do the same time. But rather than let somebody sort of finish that project. Everybody's stealing each other's talent, which means the rates in certain markets really are going through the roof, because if everybody's doing similar projects, it's money that we're throwing at these problems. Rather than thinking naturally, rather than have a team of ten rock stars, why don't I have two rock stars and build and create that other team whilst investing in those people? And build your own talent pool or build your own sort of skilled team of professionals. So I do think, yes, we do have talent shortage, but things like sock are perfect areas where people can enter the business with not a lot of experience, and the sock market really does train and invest in people, but businesses realise if they don't keep developing their staff, your competitor is going to steal them. So if you're not offering people promotion opportunities or using that as an entry point to your business, you're going to keep losing staff to professionals and having that sort of skill strength.
Yeah, that's so interesting. I think that you absolutely on the money there. So I've got a question for you. Why do you think people out there are like, oh, we don't have enough people? Where do you think that comes from?
Rosie Anderson (04:08)
We don't have enough people. We don't have enough people in certain areas, but it's like an expectation gap. I don't think it's a skill shortage, I think it's an expectation shortage. There are so many skilled people in our businesses in different areas that want to get in, like, many a time as a recruiter, I speak to people who are like software engineers who really want to get into cyber, but they're not getting those promotion opportunities within their business. So they're looking externally. I think we're not looking necessarily in the right places. You need to be able to invest, you do need to build that talent pool, but you also need to be focusing on why does somebody going to come and work for you over Google or Amazon or Facebook? What's your unique employee of value proposition? Why should that person come and work for you? And actually, if you're not training and developing and people can't see that in current employees, you're not necessarily looking at what's going to make you or what's going to make somebody happy as a person working permanently within your company.
So don't you think that every industry I don't want to use the word complains, but I'm just going to say it anyway, that there's not enough staff. So, for example, we don't have enough nurses, no doctors, we don't have enough aged care work, especially down here in Australia, because we obviously are a smaller population compared to where you are in the United Kingdom or the United States. So doesn't everyone sort of have this problem if you really were to zoom out?
Rosie Anderson (05:37)
I think they do, but I think what happens is, particularly health care and nurses here in the UK, we've made a few little errors, some might say in attracting or being able to attract people from overseas nowadays. But I think cyber security, security, what happens is there's always new threats, there's always new things to wipe out businesses. So we're always focusing on the latest threat. Do we need somebody else as an expert to protect this? And what's happening is where maybe 510 years ago, the industry, the cyber industry still isn't it's not established, it's not a professionalised industry as much as things like It or science or healthcare. So what's happening is more and more businesses are realising that there is cyber security threat. It's affecting everybody from an SME to your global multiglobal businesses. So everybody's now thinking, actually, now we need our own teams or we need to outsource our security to consultancies. So there's always new consultancies coming up, but there's always new threats. So what was app SEC is now known as Devsek Ops. What was red teaming and blue teaming? We've now got purple teaming because there's always these new areas of skills that are in demand, so we're always going to need new people.
Rosie Anderson (07:00)
But what I think is so important, particularly for newbies that are entering this industry, there's so much more than just sock and pen tests. If you're trying to get into the industry, there's so many different areas to specialise in. And I speak to people every day who have had such amazing career paths and they've worked in so many different areas of security. So it's not like you have to be a junior nurse to be a senior nurse, to be a staff nurse. There's so many different ways in from it, from industry, from different industries. Like, I know people who've been vets, who are now working in cybersecurity because they've been through different retrainings. So it really is an industry for everyone, but at the same time, everybody needs people. So if we look at it as well, there's not enough experienced pen testers, okay, grow your own, then develop people. Get somebody to come in as a contractor and help you develop your current staff, your current systems administrators, and train them so that they are a little bit more security aware than they were before. There's more than one way of skinning the problem, and I think it's recruitment has been typically, okay, we need to buy the best or we need somebody to fix it now.
Rosie Anderson (08:14)
And I think the businesses that are looking at this as a long term problem, okay, yes, we need this immediate problem solving now with experts, but actually, what's the problem going to look like in two years time and five years time? Okay, so let's develop people. Let's look at things like boot camps and let's have internal training programmes, let's get all of our business aware of security and being part of that security cyber warriors within our business.
Yeah, great point and great observation. As well. So you mentioned before, training and development. What sort of training and development? So if you're employers that are listening, what should they be looking at for their staff? Are you talking about more technical training, agency leadership training, all of the above? Or can you give me some examples?
Rosie Anderson (09:02)
So, full disclosure, I do work as or I do volunteer as sort of head of industry mentoring for Capstock, which is a boot camp that retrains people from all sorts of industries in 16 weeks. So there are plenty of boot camps out there that can retrain people for you that you can then hire from. But there's things like professional training, there's certifications that you can send people on, there's even just letting your current employees go out and be part of the BSI's communities, attend the local conferences. If you can have everybody in your business be more cyber aware, whether that's through cyber security'security awareness training, social engineering training, then if every person in your business has a little more cyber security savviness or knowledge, then everybody is going to be safer across the business. But, yes, there are boot camps, there's certifications. You don't just have to do certifications, though. Like I said, getting people to be part of that cyber community and just thinking about, okay, not just clicking on a link, is that person meant to be in the building? What's happened? That's new. Okay, I've logged onto this system, it doesn't look right.
Rosie Anderson (10:13)
So who do I report that to? It's just having that full awareness. But for technical people, yes, you should be investing in your people. You should be speaking to your current employees and saying, okay, you're in the It team. Are you interested in cyber? What areas if we were to allow you to spend 20% of the week working with the cyber Security security team, what areas would you be most interested in? Would it be offensive, defensive? Would it be social engineering? I definitely think there is a place for certifications, but it's not just about certifications. You can have your own business kind of training programme that explains to everybody within the business the information security team or the cyber security's team. They aren't these scary people that are there just to say no, particularly developers within the team. If they're creating software, they should be working hand in hand with cyber security security team. And the cyber team shouldn't just be those people that tell them they've done stuff wrong. It should be a hand in hand partnership. And I think there really is a role for everybody, not just technical people. If there are some great project managers or people in the customer services team that you've always got in the business, I think people who know everybody in the business and get on with everybody, they're your perfect security ambassadors or cyber ambassadors within the business.
Rosie Anderson (11:37)
So if you're giving these people training opportunities to work in different departments, opportunities to stretch. Even if it's not going to be a full time role for somebody, you're doing more and more things to really embed those people within your business and make sure you retain that staff.
I think that's very well and eloquently put. So one of the things that you spoke with Little Rosie is grow your own. Do you think that people perhaps or employees are apprehensive about growing their own? Like, why haven't people maybe traditionally done this? Or they just so short on staff, they just need to hire someone, they'll just pay whatever dollars for it.
Rosie Anderson (12:16)
I think there's two typical trains of thought. There is, we don't have time, which I get that. So you can put that on your new hires, put that on your new experienced people, right? We have an opportunity that we're going to hire you for. We're going to pay you £800 a day, whatever, as a contractor. But at the same time, we want you to help us develop X person within the business or this team as part of the contract that you're coming in to do. We want you to upskill and have a training manual for new people who come on board so that they can easily pick up that job. So you can do that, but we don't have time. But then there's also we don't have the skills to train. So, again, you could bring in security trainers to upskill your current staff. I actually think it's more cost effective to grow your own than actually bringing in, like I say, X amount of rock stars. But then there's also, well, if we train, somebody else is going to steal them. And I always think the right way to look at employment is you don't own anybody, you rent them.
Rosie Anderson (13:24)
The time that somebody is within your business is a two way contract. You're getting their expertise and they're getting a regular paycheck, skills and development. And I think what's happening is everybody all we ever get asked for, and it's so frustrating, is I want that two years experience. So actually what you want is you want to rob someone else's, training someone else's, people that have been trained rather than spending that time. And what you'll find is somebody who's been trained at competitor X or competitor Y, then have been trained their way of working, which might not necessarily work for you, but at the same time you're going to pay more than if you upskill somebody. Bring somebody in an entry level and you will buy that loyalty with them. They will feel like they are part of the business. As long as they've been treated well, you will have that loyalty because it's quite hard to get somebody to move who's got two years experience, who's been invested and developed in from a current employer. I always sort of go back and say, why is somebody going to come and work for you? What are you offering them?
Rosie Anderson (14:28)
That's better than what they're getting now, where they've already been trained and developed. Unless somebody is really unhappy in their current environment, then they're not going to move for a very good reason. And you're still going to be paying more than if you train somebody.
Yeah, 100% totally hear what you're saying. Which I guess leads me to my next question is around talent attraction. So having rose on tap and a few bean bag chairs doesn't seem to be cutting it nowadays. So how can companies approach talent attraction?
Rosie Anderson (14:57)
Okay, so it definitely doesn't cut it nowadays because a good proportion of people don't want to be in the office anyway. Experienced cyber professionals aren't looking for new jobs, they're not sat there on a job roar. So they will find out about interesting projects and environments from their peers at conferences and different cyber communities that they're part of. So if that's where your talent is, that's where you need to be or your recruitment partners need to be for you. So if hiring cyber talent is in your future for the next twelve to 18 months, you need to be with that talent hanging out so you can put a well crafted job advert out on socials. Now a job advert is very different to a job description. All of the things about what the challenge is that needs to be solved, fibre professionals love solving problems. So that's what your job advert should talk about. This is the problem that we need to be solved. You've got free scope to solve this problem for us if they have. We are a great place to work because of XYZ. Our current employees love working for us because of XYZ and at the same time we're going to allow you to develop, grow a team, all of these things rather than I want five years experience of this, ten years experience of this.
Rosie Anderson (16:20)
That's not attraction. If you think of recruitment a bit like dating, you go on to your tinder. Profile is all about why you're a great person, a great partner and it should be exactly the same with job adverts. The thing about communities is a lot of people find out about job opportunities on LinkedIn and it tends to be their peers are sharing it. So for example, your current employees should be part of your talent attraction. So you should be pushing them as much as possible to go out and speak at conferences, share their knowledge. All the exciting things that you're doing, all the exciting projects that you're working on, you should be sharing that with the community because as part of that passively attracting people and you're also showcasing, look at the great employees that we have that work here, especially if you have diverse teams. Women typically will want to work with other women or will at least want to see that things like menopause care, maternity pay, all these sort of things are part of your benefits because it shows that you're taking it seriously. For me, if I was to, I regularly say that I'm massively unemployable now because I work part time, I work for myself, but I work, I say part time, I'm working now, but I work school hours so I can always pick up my children.
Rosie Anderson (17:42)
So things on your job adverts that showcase that flexible working isn't a problem, even if it's something that you've never done before. Want to work in the office, want to work at home. We are more than happy to have a grown up conversation about making hours work for you, making work work for you, all these sorts of things. It doesn't mean that you're bound by a contract. Somebody says I only want to work 5 hours a week. It doesn't mean that you've then got to accept that. But all these sort of phrasings that show that think of all the different benefits and why people want to work for you. If all of these things are in those job adverts, you've got a much wider talent pool that you're attracting from things like remote first in the UK, typically DevOps markets, cloud markets. These people don't want to come to the office unless they really have to. Now they will come to the office for team workshops and things like that, but they don't want to be in every Tuesday, Wednesday, Thursday, because the boss tells them to. What worked before the pandemic doesn't necessarily work now.
Rosie Anderson (18:42)
So you really do have to rip up that whole recruitment process and start again. Talent attraction doesn't stop, actually. Somebody's applied for the role three, four staging to do processes over a six week period. That isn't going to cut it. The person is going to be gone unless it's a direct to level position. You've got to be really quick, you've got to be really slick, technical tests, things like that, to weed people out. You've got to get the buy in first from the candidate. You need to spend some time on the phone with them, even just 15 20 minutes before you get them to do any form of tests. Particularly things like DevOps. I've been recruiting quite a few DevOps roles. At the minute. They're not interested in doing anything that's too hard a process, that's just putting them off because they're so in demand. They're getting four, five, six calls a day about new opportunities. So if you really want to hire somebody, you've got to be very slick from that recruitment process. Reviewing the CV, getting them every interview and then offering them and an offer, a verbal offer doesn't cut it. They want to see paperwork within 24 hours.
Rosie Anderson (19:45)
Because just because you've offered somebody doesn't mean that all the other interviews they've been aren't offering at the same time. And even after they verbally accept until they start, you should still be right, we're going for beers. As a team, or particularly the permanent role here's what we're doing as a company. Do you want to jump on a team's call just checking in with them every week because it's so frustrating. Particularly if somebody's got a notice period to lose somebody a week before they start and then you're straight back at that twelve week process again.
Very insightful, tangible insights for people who are listening as well from an employer perspective. Okay, so there's one thing that's really, really interesting that stood out for me. I mean, all the things that you say are interesting, but the job adverts, I really want to get into that now. I haven't applied for a job. I've been working for myself for five years and before that I had a job. So it's probably 2016 is the last time I didn't even think I applied for a job. I think I got headhunted. Anyway, one of the things that's interesting about job adverts is they all seem to say fast paced environment. Now what is with that? I feel like a lot of these job adverts now, maybe I'm out of the game because I haven't seen a recent one because I haven't applied for a job recently. But they seem a little bit parse.
Rosie Anderson (21:00)
Yeah, they are always a dynamic fast paced environment or this exciting opportunity and you read it and you're like exciting. Really?
Yeah, it's just the same stuff.
Rosie Anderson (21:12)
Yeah, it does a lot. I think we really have got to ripple what worked before because it's not working now. What people really want to see in a job advert is what makes it different. And it goes back to we get told this as CVS as well. Everybody knows what a sock analyst job looks like or a sock manager job. It's typically the same every time, the same for lack of consultancy. Typically the responsibilities will be the same every time. But what makes it different when you're writing job efforts should be this is the size of the team, this is the growth plans, this is why the role has come about and this is why we want somebody new to come in. Because you should have already looked at internal applicants before you go out to advertise. But it's really making those things. And like I say, why you're a great place to work. Why is this role interesting? Why should somebody want to do this role? And I got asked this question recently at a conference with what if it's a really boring role, like it's just business as usual or it's really legacy technologies you should never catfish, you should be very honest about the environment.
Rosie Anderson (22:21)
So if it is a challenge because you really need to change some of the culture in the environment, you're coming in and starting again and building something from scratch. Or if it's legacy technologies with really difficult technical problems, if we look at things like industrial control systems, they are very challenging problems to secure. There will be somebody out there that problem, that what to you seems boring or hard. That's the tag of work that they want. So by being truly honest about what the challenge is and what the role is without all the fluff, shall we call it, you will attract the right person. But like I said, you can't lie. You can't say that something's shiny and new in Greenfield and when they get in, it's like working with old window systems and it's not shiny and new. There's no budget to do anything new because people won't stay either. So yes, it should be a job advert, but it should also be very true about the environment.
Yeah, great point there as well. Yeah, of course people shouldn't be luring people in artificially at any stretch, but I think these are just good reminders from yourself. Maybe people aren't aware that these are the things that they're doing. So I'm curious to know from you, Rosie, what type of market are we in? Because you've just listed off a whole range of things. When I started my career, it was very different. I didn't get any of these perks. Okay? Now I'm not super in terms of on perks and everything like that, but one of the things that I'm curious to know is it seems like a candidate market seems like all these things we've got to do. What are your thoughts?
Rosie Anderson (24:10)
It definitely is a candidate market right now, but I don't know what's around the corner. So I always think the UK follows behind the US and we do hear of Redundancies. I'm seeing a lot of talent acquisition teams are being made redundant, so recruitment teams are being made redundant, so it's candidate heavy now and I don't think we will ever particularly experience talent. I don't think they will ever find it hard to find the right opportunity. But I think in the next six to twelve months, I don't know what's happening. You can probably see we have even problems with government and getting Prime Ministers to stay in the job for more than four or five weeks at the minute.
I saw that this morning when I got up.
Rosie Anderson (24:58)
Oh, yeah, it it's wild. Right now is what a time to be alive. But, yeah, it's it is definitely candidate driven. And there's plenty of new people coming into the market. There's still plenty of hiring going on. A lot of businesses will try and hire themselves. But what I think happens then is if you haven't got a trained eye looking for what good looks like, particularly for entry level talent, you might get bombarded with 100, 150 applications, and then you've got to go through all those applications. If somebody's got to be doing that. So where businesses are getting rid of talent acquisition teams, what they should probably they shouldn't cut back too quickly, maybe, because recruitment will come around again and then how are they going to recruit experienced people? Are they going to put that on the hiring managers who are busy anyway. Your cyber managers typically have a job to do. Recruitment isn't a full time job for them. So, yeah, it's definitely candidate led at the minute. But like I say, who knows what's around the corner. It is pretty crazy times right now to be alive. I mean, I've worked in recruitment for 20 years.
Rosie Anderson (26:05)
I've seen recessions before. Typically when we do go into recession or businesses tend to not want to hire on a permanent basis, we see more contracts anyway and DevOps identity access management, cloud cyber security management. Typically they are, they can be very contract heavy anyway. So I think we'll see more of that. But then I do worry, what does that mean for the more junior end? Where are going to be the opportunities to retrain and rescale and enter the market? Because what will happen is if we don't keep that pipeline of new talent, what does that mean in 1218 months time when we haven't got any more experienced talent and we've not got those people who are now 1218 months, two years experience? Because if we're not constantly building that pipeline of people into the industry, we're going to have a cliff edge in the future.
Yeah, I want to focus on junior roles now. Now, I've seen people online pretty outraged at some of the job specs that are out there. Some people ask for a minimum of ten years of experience or they ask for these crazy levels of certifications and just it's wild, as you know.
Rosie Anderson (27:15)
So talk to me a little bit.
More about this because I think this also then lends itself to the job ads. So you need to be looking at the job specs where that needs to make sense from a job ad perspective. But then I think when it gets to the actual specs of it, there seems to be a dislodgement there.
Rosie Anderson (27:31)
Yeah, we regularly see job adverts that come to us like a date stamp, and it's four or five years old. And I think the problem is people try and everybody's lazy. If you've got something created, you think, oh, that's fine, I'll just regurgitate that. But actually you need your recruitment partners to be able to push back and say, okay, you want ten years experience. If I get somebody from your competitor who's just done exactly the same project that you've done, but they've only got seven years experience, they're telling me you don't want to see them. And typically the answer is, yes, we want to see them. The junior thing for ten years, I think I've seen this a lot on LinkedIn, and what happens is when you post a job advert on LinkedIn, sometimes LinkedIn has its own algorithm, which makes it say junior or entry level when it's not. So sometimes that's a genuine LinkedIn algorithm mistake. But yes, ten years experience. But what does ten years mean? You could. Be ten years at a really small company that never had any security issues and it only actually had two PCs connected to the internet.
Rosie Anderson (28:39)
Or you could have five years experience at a blue chip and a managed XYZ project. So it's breen able to quantify that. And this is back at what worked before isn't necessarily working now. It shouldn't necessarily be about the skills and quantifying the years of experience of this tool or this tool or this tool. Because we know with scene tools, if you've worked with one scene tool, they're all very similar. The same with identity access management tools, cyber, Arc, Sellpoint, they can be quite interchangeable. So it shouldn't be on that, it should more be, this is my problem that I'm looking to solve and what I'm looking for you as a potential employee to come and solve this. You will have done it before or you'll have ideas about how to do this for me. And it actually if we approach recruitment like that, there'd be lots of different ideas that would be coming through in that recruitment process that you probably haven't thought about before, because diversity of thought is what's so important. We want people who can come in, who can challenge those ways of thinking. But you'd have such a wider talent pool and people would be interested in that job.
Rosie Anderson (29:49)
So if they see a job advert that looks you know yourself when you're looking at anything as an advert, if you see something that looks a bit quirky, a bit different, you're going to be more interested in that rather than the same standard old advert. Things like video job adverts if you can get your hiring manager or the person who's got the problem doing a little video and posting that out on LinkedIn as to why they're a great place to work. You've already built up a bit of rapport with people, potential employees, because they feel like they know who they're going to be working for. They feel like they know how they talk. People like to see other people, people buy from people, rather than a two dimensional spec. We're a big corporate, we're a bank with this, with that. It's not actually about the company, it's about the team and the problem. And I think that's where job specs and job adverts should be focusing. But what typically does happen is we pull up a job spec and the person who just left the role and we put that out again. So we're adding bias into that recruitment process because we're looking for a carbon copy of X probably isn't out there and X who's just left your business, has probably left for 1015 grand more money.
Rosie Anderson (31:03)
So when we're then putting that same salary banding on that old job spec, no wonder we're getting it wrong and going, we can't find the people. You can't find the people because you're doing the wrong things. Absolutely.
So I think that okay, there's a couple of things that I'm really curious to know. So going back to the ten year minimum, ten years, do you think that's just laziness like he's a job advert Rosie or the Senate to you? It's ten years old anyway. So do you think people are just lazy, they're naive, they have no time, they don't care? What is it? Because to me it does seem quite antiquated in the approach to really think, oh, I want a junior person who's got ten years of experience. They're probably going to only have two. So it just doesn't make sense to me.
Rosie Anderson (31:47)
Logically, I wouldn't say everyone's lazy, there's got to be like phishing all potential new clients. But I think we go for the easy option without thinking about it. Like when you get when you get in your car to drive your car, you don't think about it, you just get in and drive and you get to where you want to be. But that process isn't necessarily working anymore. I think we need innovators to solve these problems, these hiring problems. We need people who can look at it with fresh eyes and say, you know, start asking for ten years of experience. Could you say that's, Aegis? If you really wanted to, you probably could. You could say, okay, you want a junior with ten years of experience, so you don't want to graduate. So you want somebody who's 30 to 35, potentially. So if you really looked into that ten years experience, what are you asking for? You could get yourself into a problem with that for a start. It does really annoy me, the years thing, because like I say, ten years at Company X, small company, nothing's really changed compared to five years in a big blue chip with lots of different projects under your belt.
Rosie Anderson (32:54)
That five years experience to me would probably be worth more than the ten years in a very steady job with nothing changing and it needs to be challenged. But companies are spending less on using their own recruitment teams, or particularly using agencies. We are seeing that and we are seeing companies that will just go out and do what worked before because they're not necessarily thinking about it. If you've got a HR team or talent acquisition team, that doesn't just do cyber, that might work in customer service or sales, for example, but it probably isn't going to work in cyber recruitment because it is very different.
Yeah. And most definitely we're not saying that people lazy, it's more so just a default position that people seem to be in. Maybe they're not aware of it. But one of the other things, when I was hired, cyber security. Security. I had no experience, but I was hired for talent and capability. I was actually quite young, but I had probably a lot more experience because I didn't go to university or anything like that, but I was hired more for my aptitude. So one of the things that I've noticed when you're looking at like when you have a big firm, they will just sort of scam through to look at the typical stuff. On paper, I probably don't look great back then. I probably didn't look great. And so then I would think that maybe potentially I was overturned for jobs. So how do you then delineate between, okay, we've got this example myself, Theresa Breen, she didn't go to uni, she doesn't have this stock standard stuff, but she's really great in person. How do people break through that noise? Because I think there's a lot of underdogs out there that are exceptional and may even be better than these people that have got the stock standard sort of approach, the unis and all these other things.
How does that work from an employment perspective? And do you think that perhaps managers don't really understand how to attract these high calibre talent that don't have your standard way of credentials, for example, on paper?
Rosie Anderson (34:53)
So I hate it when I see degrees on top specs. I do encourage my customers to say degree or equivalent experience because just because somebody's got a degree doesn't necessarily guarantee them a job. Graduates can steal if they are just doing the stock things. When trying to get their first roles, they can struggle. So by stock things. I will say if you're applying for a job and you haven't got a degree, but you've been working on your own passion projects, maybe you're an aspiring Pen tester and you're regularly doing capture the flags. You're regularly on hack the box, learning in your own time. You've got your own home lab. These are the sorts of things that you need to be putting on your CV but also sharing on LinkedIn. So every time you're doing some self study, even if it's not necessarily a recognised certification, but every time you're pony in the box and hate the box, or maybe run blue team labs and you're doing defensive challenges, you'll get like a shiny badge from these training providers. And you should be sharing that on LinkedIn with a bit of a write up about what you've actually done.
Rosie Anderson (35:59)
So if it's for example, you've honed a box and it's an offensive challenge, you should be able to do a write up like you would as a Pen tester. Those sorts of reports that talks about how to remediate those challenges, how to remediate what you've just done, what the actual vulnerability was, the severity risk, the risk analysis, the risk grading, and that executive summary that you would give to a board member who's not necessarily that interested in the technical, but just needs to understand what's the importance of this and why should I fix it? And actually, if you're hiring for Pen testers, if you go out into different communities, if you go out to a B size, every time there's a B size, there's normally a CTF if you're looking at who are the top scorers on the CTF, typically they aren't always your established pen testers. Sometimes you can spot some great talent in that leaderboard. There are people that are systems admins that want to get into pen tests or don't even necessarily think they could get into pen testing, but they're doing this as a passion project. And if you can add into your recruitment process, particularly for those junior level talents, actually, let's scrub up the recruitment process.
Rosie Anderson (37:10)
Let's not just get people to apply, let's have a technical assessment that we can use. So there's a company called Capture the Talent that have technical assessments that you can use as a recruitment process. We don't want to see your CV, we just want to see, can you do this technical assessment as a fun type exercise. And they're the ways to sort of break in, particularly if it's a passion and you're trying to get in, these are the types of things you can do to stand out. And as a recruiter, as a hire, these are the sorts of things that you can add into that process. So, for example, I was talking to somebody the other day at a conference and they're wanting to hire apprentices in a risk environment, so to come in as sort of risk and compliance roles. And I asked him, when you post this job advert, you're going to get about 100 applicants. Have you figured out how you're going to assess that talent? And you saw his face kind of go, oh, would it really be that many? Yeah, it will. But also if you're looking at CVS of apprentices, what are you looking for?
Rosie Anderson (38:11)
What are you going to judge? Is a good CV that's quite hard to do at that level? What you'd be better off doing would be saying this is the challenge that we have. We are a business in X sector. So what's important towards is the NIST framework or the Mitre Attack framework. What we want you to do, as well as apply with a CV telling us what you're looking for, salary, all these sorts of things. I also want you to write me your understanding of this framework or write me an example of what a good risk policy needs to contain. So by doing that assessment, you might have somebody who's worked in a supermarket but in their own time as doing like the Gerard Hugo GRC Master Cyber Analyst but hasn't yet completed it. So can't put that certification on their TV. Or you could find somebody who is. Maybe they are a stay at home parent, but they actually really understand risk because that's something in their church environment or school environment that they volunteered to look at when everybody was in lockdown and helped all the parents that weren't necessarily technical savvy secure their home networks when their kids are suddenly joining teams calls.
Rosie Anderson (39:36)
So if you're just looking at a CV when you're trying to assess that talent, it's really difficult at that junior level. We need to look at and again, really innovate and be creative with how we're doing that. You will like you say you'll miss out on real raw diamonds. That could be amazing in your business.
So Rosie, what about retaining talent? This is another one. I've heard people say we can get talent in the door, but then they're out the door, especially women a lot. I've read recent reports, especially here in Australia, a lot of women just are not staying in the industry, they're leaving completely. So I'm curious to hear, once we get them in the door, how do we sort of keep our staff engaged in wanting to work for these organisations?
Rosie Anderson (40:18)
So, regular communication for me, you can't over communicate with your staff. Managers should know every three months, are they happy, are they not happy? What would they like to do next? They know it's not always possible to move people up and and constantly be promoting people. What I regularly see is I will know company X has just decided to do it back to the office mandate. And I'll know because about 15 people will come into my inbox or respond to my LinkedIn messages that suddenly now, yes, they are interested in speaking to me. Because what typically happens is bosses will think everything's okay. They'll think, okay, they're not telling me there's a problem, so there isn't a problem which isn't right. What was important post pandemic isn't necessarily what's important to people now. Regular stretch projects. So encouraging people to your staff to spend time in different teams or go out into the community, maybe giving them things like 20% time for personal passion projects that will help them at work, letting them mentor people or reverse mentoring, I really like as well. So mentoring shouldn't necessarily always be a manager. Mentoring a junior person, you can have informal mentor relationship and when people are coming into the business, like new starters, you can have like buddy systems.
Rosie Anderson (41:46)
So when you spot those future managers who aren't as selling managers already, giving them the opportunity to reach out to new employees, make them feel part of the company okay, it's not necessarily a manager or role, but it's getting them to think about, well, actually yes, I would like to manage in the future. I've never really thought about that before. Things like employee resource groups. So if you don't have an internal ex veteran programme or ex veteran group within the business, or women Leaders Group or future women Leaders Group or even LGBTQ groups within the business, get people to volunteer if that's something they're really passionate about, well, I think that's excellent.
And I think that this is really important because I guess I've heard a lot of people say to me like how do I tame the staff? Or I'm struggling to. So I think there's a really excellent tangible point for people to take away today. So, Rosie, I'd like to maybe understand from you just quickly, on what advice could you impart to employers or that are hiring, or for job seekers, perhaps, if you had to have any sort of closing comments or final thoughts?
Rosie Anderson (42:57)
So, for anyone hiring, please, please rip up those old preponderance processes and just start again fresh. Start with a blank piece of paper. Speak to your current teams, speak to the people currently within your business. Get them involved in that recruitment process. Because like we just talked about with retention, get them thinking about why they want to work, why they enjoy working for your company. And if they can't answer that, that is definitely a red flag. And then for candidates or job seekers of all levels, you will find jobs through your network. And I probably shouldn't say this as a recruiter, but 90% of opportunities you will find within your community network. So go out into those communities, go to your B sides, go to the different conferences. If you can get involved in mentoring junior people into the industry, these are things that you should definitely be doing. Everybody started somewhere, and you'll get so much enjoyment and make so many new acquaintances through mentoring and helping others. There's plenty of communities that are crying out for people to mentor, give advice, or do talks and things, share that knowledge. And by doing that, we're building your network.
Rosie Anderson (44:08)
So if you're looking for work, definitely go out and look at who you already know in places that you'd like to work for, because you could easily, particularly in this market, find better opportunities if you're not happy where you are.
I think that's glowing advice, rosie, I think you've been absolutely exceptional. You've really provided quite deep insights on your knowledge over the 20 years. I can definitely tell that. So I think it's been invaluable to our audience who perhaps are employers looking to recruit and retain talent, or if you're a job seeker, perhaps they should try to approach you if they are in the United Kingdom market. So, Rosie, thanks again for your time, and thanks for sharing your wisdom with the audience today.
Rosie Anderson (44:49)
Thank you so much for having me on, it's been great.
Thanks for tuning in. We hope that you found today's episode useful and you took away a few key points. Don't forget to subscribe to our podcast to get our latest episodes. This podcast is brought to you by Mercsec, the specialists in security search and recruitment solutions. Visit mercksec.com to connect today. If you'd like to find out how KBI can help grow your cyber business, then please head over to KBI Digital. This podcast was brought to you by KB NBI Media, the voice of cyber.