There is a better way

Hello friends,

Last week was a big one.

1) We launched our new website , including the most comprehensive curated cybersecurity job board on the internet, and the start of our contracting platform

2) We published our Q3 talent market report

3) I spoke on a panel at Denver Startup week with my good friend Manish Kapoor about the joys and trials of being an early stage startup founder

Most weeks we have a focused reflection on a specific topic for hiring managers or job seekers on building a cybersecurity career. This week is going to be a bit different.?

With the launch of our platform, I’m excited to share more details about what Crux is up to- the problems we see in the cybersecurity jobs market, and how we are helping to solve them.?

If you are pressed for time, here’s the TL;DR.

• There is much to do on the people side of security. We support CISOs to help develop their organizational models, employee career paths, and overall people strategy.
• We help companies find incredible cybersecurity talent; both contract and full time
• We rigorously and directly assess skills with a scientific approach to predicting fit. This is one of many ways we work very differently than traditional recruiters.
• We are building a marketplace to bring depth to the market- for both jobs and candidates

For those in Colorado, I’ll be speaking on the topic of AI and its impact on work (specific to cybersecurity) at the upcoming Cloud Security Alliance of Colorado conference . This year’s fall summit is fully dedicated to AI and the roster of speakers is amazing. It’s at the Cable Center on Weds, Oct 25.

Cheers,

Brad

There is a better way

In 2016, Aledmys Diaz, a shortstop with the St. Louis Cardinals, became the first player ever in MLB to achieve a .500 batting average through the first 50 at bats. Nobody has done that for a full season. The highest season batting average ever recorded was .440, and that was back in 1894.?

There are some areas of the world where doing something well half the time is an incredibly good result.?

And then there’s hiring.?

I haven’t seen great data on the rate of ‘bad hires’ (or conversely, bad decisions to go work for a given employer), but experience tells me it’s something close to 50%. Where, as hiring manager, the person you thought you were bringing on doesn’t end up performing like you thought they would. Or, as a candidate, the role/ company you are going into doesn’t end up being like you thought.?

And while there isn’t great data on this frequency, there’s a ton of research on the cost of these mistakes. The range is wide- somewhere between 30% to 15x a person’s salary (depending on who did the study and the seniority of the role). But even at the low end of these estimates, you multiply 30% x 50% x your payroll and the answer is THIS IS A BIG PROBLEM.?

In cybersecurity, take that hiring batting average and put it up against a market where there’s not enough supply to meet demand. That only exacerbates the issue. And thus we have a field where 25% churn is just the norm.

Crux is built on the belief that it is possible to predict success. We’ll never know everything upfront, and 100% success isn’t attainable, but we can do way better than 50%. And with that you get happier employees and a more robust security program.

Let’s talk about how we get there.

The issues

What are the indicators of a dysfunctional labor market in cybersecurity?

• Talent shortage of 25%. One out of every 4 roles is always open.????
• Average time to hire is 4-6 months
• Employee turnover is ~25%
• Job openings are growing at 2x the pace of new entrants coming into the field
• Entry level jobs get hundreds of applications; jobs that require significant experience get very few
• Security teams are doing most of the sourcing and recruiting on their own, taking time from running the program

What are the underlying issues?

• Job descriptions are poorly written; there are several common traps1) Kitchen sink requirements that are rarely resident in the same human, and certainly not at the compensation levels budgeted2) Managers don’t really have a clear understanding of what they really need3) Years of experience are used as a proxy for skills (poor predictor)
• Interview/ hiring processes are poor1) Not thought through/ well designed- everybody just shows up and asks whatever’s on their minds2) Skills are not tested directly3) Biases creep in4) Cultural fit is not critically evaluated
• Sourcing pools are shallow1) Talent acquisition teams are reactive & do not proactively source candidates2) Most hires come from the team’s network
• Post-hire: Employers don’t have the training programs to build skills, so they focus on ‘buying’ the skills

And there’s a ton of dysfunction with the way recruiters tend to work in the market as well

• Little attention paid at top of funnel- spamming candidates that aren’t at all a fit for the role they are hiring for
• Hundreds of small recruiting shops means low probability that any one you reach out to will have a job that is a fit for you at the moment
• The market is entirely ‘job requisition out’ rather than candidate centric

So what can be done about it?

Crux was founded on several core beliefs:

• Success and fit are predictable with the right questions and process
• Skills can and should be quantified
• You will find a better fit if you expand the pool / market
• Cultural fit, soft skills, curiosity, and intellect matter as much as knowledge and experience
• Better fit between company/ role/ employee will lead to stronger teams and better retention
• If you can be helpful to candidates, you will be able to get to know some incredible people
• Technology can help enable scale

Thus, our business has several pillars:

• Supporting CISOs (particularly new ones) on the people side of their strategy (e.g. building career paths, building strong job descriptions, compensation benchmarking, organizational design)
• Full time recruiting
• Contractor/ contract-to-hire recruiting
• Executive/ CISO recruiting
• Recruiting for technology/ security board of directors members
• Coaching and advising candidates on their career paths

In doing this work we do many things differently. We:

• Work hand in glove with clients to understand the very specific needs and desired outcomes of the hire, and translate that into a clear view on required skills and competencies
• Offer executive-recruiting level service for staff level roles, including comprehensive candidate profiles, interview guides, weekly updates, training resources, custom cultural profiles, etc
• Directly assess critical thinking skills, personality, motivators, and cultural fit with a series of assessments that are open for all- and create an opportunity for candidates to stand out
• Specifically assess technical competencies with hands on experiential labs
• Have practitioners assess all candidates before referring to clients
• Support candidates on a proactive basis to get to know them and build long-term relationships
• Offer incredibly generous referrals to deepen the pool of talent that we reach
• Are building a marketplace to automate the transactional elements of the process, while retaining a strong human touch throughout. This will expand reach and drive down costs
• Offer a success guarantee that extends out to 3 years- the longest in the industry

We operate in a market that is FULL of vendors. Many of whom make claims that stretch the truth. It means there’s a ton of noise and a ‘show me’ expectation from security leaders (rightly so).

There are a lot of fly by night operators in security, and in recruiting generally.

That’s no way to build a business.?

So, we:

1) Give first. If we can be genuinely helpful to both candidates and hiring managers, we will build relationships of trust, which will generate opportunity

2) Keep an incredibly high bar for quality. What matters most is not the deal; it’s the success of a placement and the long term relationship. Every interaction matters and is a reflection of our brand. We offer the longest success guarantee in the industry for a reason.

?If this approach makes sense to you, a couple favors to ask:

• Go to Crux and register on our site. It will allow us to offer you targeted full time and contract work, as well as the ability to earn passive income from referrals
• Help us spread the message! Share posts, let us know of folks in your network that we might be able to help, etc

Thanks so much for being a part of this journey. I appreciate each and every one of you.

Tools, resources, and useful things from the internet

??CISA launched a series of ‘micro-challenges’ to help people explore career paths in cybersecurity. It’s gamified, hands on, and meant to show what the job is like. Pretty cool.

??Our friends at NightDragon have released a well-researched report on cybersecurity experience in the board room. Not surprising, but 88% of companies lack specialized cyber experience at the board level.

??In some ways, Dall-e 2 kicked off the generative AI madness last year. Well, guess what? Dall-e 3 is out (Open AI)

↗?Wondering where AI is going? Vince Kellen has a great post this week with 20 predictions on how the market is going to evolve.

News

??Holy Splunk! Cisco makes one of largest acquisitions in the history of cybersecurity- $28B, all cash. Rumors were also circulating that they made a run at SentinelOne, but the company denies that. (Reuters)

???Reuters has written a super interesting piece on the threat actor that has been targeting casino operators, and is believed to be behind the recent chaos at MGM. The interesting part: they are really, really young.

??So far this year, cyber claims are up ~12%. The culprit? You guessed it, ransomware (Coalition)

??Another trend? Criminal actors going after higher education . Based on friends I know in that field, it’s rife with poor security hygiene so this is not surprising. Also, you can ask anyone at U Michigan. (Comparitech)

???We are starting to see companies filing 8-Ks to the SEC to report cyber incidents . Clorox is one of the test cases of the new regulation (The Register)

??Signal is building post-quantum cryptography in as standard so that anything stolen in the near future won’t be able to be cracked once quantum computing is more widespread. Their release includes a nice explainer on cryptography and post quantum protocols. Kudos. (Signal)

Jobs

This week we are featuring pen testing jobs. You will find these and many more at the new Crux job board .

??Meta . Offensive security engineer. Remote. $143K+

??Amazon . Penetration testing engineer. Remote. $136K+

??ZoomInfo . Senior web and cloud penetration tester. Bethesda, MD. $120K+

??TNS . Pen test vulnerability analyst. Remote. $108K+

??Oracle . Principal Penetration Tester. Remote. $109K+

??CME Group . Cyber Security Engineer III- Red team. Chicago, IL.

So many more !

Events

One of the (awesome) features of our new website is a comprehensive list of upcoming conferences . It’s one of the largest collections of cybersecurity conferences available. Check it out!

A few of the exciting ones in store over the next month:

??Grrcon . Grand Rapids. September 28-29.

??RH ISAC Cyber Intelligence Summit . Dallas. October 2-4.

??BSides KC . Kansas City. October 6-7.

??NetDiligence . Beverly Hills. Oct 16-18.

??Industrial Control Systems Cybersecurity Conference (ICS) . Atlanta. October 23-26.

Thinking about your next move? Join our network

Looking for support with your hiring needs? Book a consultation.

Crux is building the talent platform for cybersecurity. Check us out.