Pinsent Masons CISO Christian Toon discusses the need to challenge hiring practices to attract and keep cybersecurity talent.

Cybersecurity’s ongoing battle with a “skills shortage” has seen the sector lose its way regarding talent hiring and retention, says Christian Toon, CISO at London-based law firm Pinsent Masons. In an industry crying out for diversity and innovation, this year’s number one UK CSO 30 Awards winner says he takes inspiration from the Marvel Comics universe to challenge traditional HR approaches and more effectively recruit and keep security talent.

“We have what some describe as a war on talent, because you feel like you are fighting against the next organization for the greater good. I think we’ve kind of lost our way a little bit, both from a delegate or prospective employee perspective, but also from an employer’s perspective,” Toon says, speaking at the UK CSO 30 2022 Awards & Conference. The candidates are out there, he adds, but you have to change the traditional practices for hiring because if you always do what you always did, you’ll always get what you’ve always had.

Don’t hire you, hire the Avengers

Toon makes a point of trying not to hire and build a team that only looks and sounds like him. “That’s not bringing our best solution forward,” he says. Instead, he looks to the Marvel Avengers—a team of fictional superheroes brought together from vastly different walks of life to help fight evil and save the world. No, he doesn’t hope that Spider-Man will web the latest cyber attacker or that the Black Panther will supercharge his patch management processes, but he does look to build the same diversity of skills and abilities into his own security team. “If you look across the Avengers, everyone is very different. They’ve all got a very different skill or capability that they bring to the fight. That’s how the security team should be.”

You won’t find Captain Marvel sitting on LinkedIn

However, you won’t typically find Captain Marvel sitting on LinkedIn waiting to hit easy apply for her next vacancy, Toon says. “You need to be very different in that approach because the media hype around the cybersecurity skills shortage has prompted a proliferation of recruitment businesses and people trying to place those individuals, which means your trust can often be misplaced as a hiring manager in today’s marketplace.”

It’s therefore about reviewing and adapting where and how you target your recruitment activities, Toon adds. “Working with trusted, forward-thinking partners is the first step, but a close second is getting into the community groups that are championing underrepresented groups. Hiring teams don’t realize there are hundreds out there, and you’re only a Google search away. You’ve also got to think outside of cybersecurity, there are so many sectors to consider where people will be looking to retrain.” For example, if you’re looking for someone with good communication skills in technology, you’re not necessarily going to find a good candidate in a technology environment since everyone else is looking in the same pool. You might find them in other industries such as hospitality or retail, he argues. “It’s about looking at different opportunities to hire. Recently, we found employee advocacy is a big step forward because I think outreach from team members really does go a long way to targeting the next generation of our team.”

Superheroes don’t all wear suits

It’s also important to think about your company culture and what it offers both new and existing security talent, Toon says. “In some ways, what employers are or have been offering is probably not what new [security] people want.” Long gone now are the days of uniform policies that made security people feel awkward when they had to wear a suit as if they were heading to court just to sit in front of their laptop all day.

Where, when, and how people want to work is big in the decision process—9-to-5 is mostly dead now in a lot of industries. Data and cyber breaches alike traverse borders and time zones, so what works for the employee needs to support the business. Dress codes, working time, flexible hours, lifestyle discounts, and well-being and healthcare are all decisive factors in employer selection. “We then also have the whole ‘remote/hybrid’ offering. Some people want 100% remote, some employers want 100% office presence,” Toon says. “You need to know that you’ve got to find your balance, but also recognize the world has changed. Five days a week to do something on a computer I can do at home? No chance. Businesses need to be clear on the ‘why’—why are we coming into the office?”

These changes can be difficult if the organization is steeped in history or has always done things a certain way, Toon admits, and if you start making changes for one, you’ve got to make changes for others. “So, there’s a knock-on impact to consider.”