Tips for CISOs: Why a focus on 'Goldilocks' candidates may undermine your cyber security strategy


Digital security has become the number one priority for businesses as the threat landscape has expanded, but to address this in a meaningful way, you need the right skills.

Increasingly, CISOs are taking more of an active role in the strategic development of their companies, and insufficient staff has become the top concern of CISOs in the tenth annual Information Security Maturity Report, published by ClubCISO in collaboration with Telstra Purple.

However, the solution isn’t as simple as listing as many job adverts as possible. As the need for new skills has grown, so has the need for more modern approaches that target talent from a diverse range of backgrounds.

When asked about the value of diversity, most CISOs (78%) said they believed it is beneficial to bring different perspectives into the business, while improving culture (54%) and fostering greater innovation (48%) were the next most common reasons, according to the ClubCISO report.

“Diversity and inclusion are not buzzwords in our recruitment process; they're a strategic imperative,” explains Simon Crocker, director of systems engineering, WEUR at Palo Alto Networks, speaking to ITPro.

“Diverse teams bring fresh perspectives and sharply innovative solutions, enriching our ability to anticipate and mitigate threats. Ensuring a diverse talent pool involves working closely with HR to eliminate biases, promoting inclusivity, and expanding our reach to non-traditional platforms and communities."

It’s important to remember that, in the current climate, a focus on finding the perfect candidate may actually be hindering your recruitment effort.

"I think that it's the same for a CISO or any other hiring manager – we need to show that we provide environments where individuals can grow, learn, and succeed without compromising who they are,” argues Heather Hinton, CISO of PagerDuty.

“As hiring managers, no matter the area, we must stop looking for the 'Goldilocks' candidate. Nobody is perfect, including us as hiring managers. But finding people with a solid foundation of basic skills, coupled with curiosity and passion, means we can coach and nurture people to be those perfect candidates.”

Rockstars and problem solvers – the issue with cyber recruitment

CISOs will have seen first-hand the various ways their company’s operations have transformed since the pandemic, and how the cyber security threat landscape has evolved to exploit these new approaches.

As the digital threats their businesses face have diversified, the recruitment criteria CISOs currently use have also changed. People from diverse backgrounds are now a common sight, even with traditional recruitment routes that usually require a technical foundation.

KnowBe4's CISO, Brian Jack, looks for rounded individuals with more than just technical skills when recruiting for his team: "For me, I look at the ability to communicate effectively both technical and non-technical ideas. Most importantly, I determine in the interview process if the candidate can learn; 'figure it out' and troubleshoot and solve problems.

“Questions like ‘In your current or previous role, was there someone you would turn to for help solving tricky problems?’ You want the candidate to be the person people went to rather than the person who needed assistance all the time. You will do well if you can learn, and problem solve.”

ITPro also asked Sohail Iqbal, CISO at Veracode, how he approaches recruitment and the important aspect of training and education:

"Cyber security leaders will often focus on hiring the 'rockstars' and bringing in the brightest young talent with a view to the future. Whilst this continues to be important, it's also clear that we need more mentors to help nurture those less experienced hires we're making and ensure they see a clear path to development within the company.

"CISOs should adopt a hiring policy that focuses on bringing in an equal balance of potential and experience. That way, they ensure that they have the right environment for people to stay and grow at their company," adds Iqbal.

Expanding their teams therefore means CISOs are assessing the staff they already have with a view to reskilling or upskilling them, while also taking a broader view of recruitment and of the criteria they use to measure potential recruits against.

Defining diverse recruitment

McKinsey talks not only about talent management but also about talent experience. Companies have spent several years improving their customer experience (CX) and are now applying that knowledge to employee experience (EX), having seen the value of creating clear career paths.

“Human capital leaders are investing in several areas from making diversity, equity and inclusion (DEI) a centerpiece of their strategy (78% of respondents) to deploying technologies aimed at improving engagement (72%),” found the Randstad talent report.

ClubCISO Advisory Board Member, Kevin Fielder, commented: “In security teams, it’s encouraging to see diversity being viewed as an opportunity, and something that needs to be pursued actively to meet the challenges we face going forward. [There is] real ingenuity from CISOs who are now looking at diversity from a range of vectors including cultural, racial, educational and professionally diverse backgrounds.”

These strategies include making a genuine push to recruit candidates from non-traditional backgrounds, such as those who have re-skilled from non-technical fields.

“I love programs such as Immersive Labs' Cyber Millions, NCSC’s CyberFirst, and local programs such as 'Girls Who Code' and CyberChicas,” explains Hinton. “There are so many organizations out there trying to help fill these talent gaps.”

“Don’t look for something that meets your 'perfect candidate' standards – you’ll be left feeling like you have to 'settle',” she adds. “Instead, focus on the key attitudes and skills you must have and then identify those skills that people can acquire with mentoring, exposure, coaching, and time. Accept that one of the best ways to build a high-functioning team is to build it from the ground up and come to terms with the fact that it will take time.”

Upskilling and retention must be part of a CISO’s strategy

It is no good pushing for a mass recruitment drive if your working environment is too toxic to retain your existing talent. A good recruitment strategy will include steps for creating a company culture that encourages a healthy work-life balance, and an environment that’s conducive to growth.

“To attract, but also retain skilled cyber professionals, it is essential to build a positive culture within the company and your team specifically,” explains Andrew Rose, Resident CISO (EMEA) at Proofpoint. “Cyber security has the tendency to be a high-pressured industry, so you need to ensure your staff enjoy working at your organization and specifically feel that you are on their side and supportive, especially when stakes are high.”

There has been a clear trend across many business sectors to resolve skills shortages by looking inward for the people they need, and cyber security is no different. In fact, according to recent research from Marlin Hawk, 38% of current CISOs were hired internally, which is not surprising given the advantage that knowing your company’s systems inside out can provide.

David Howell

David Howell is a freelance writer, journalist, broadcaster and content creator helping enterprises communicate.

Focussing on business and technology, he has a particular interest in how enterprises are using technology to connect with their customers using AI, VR and mobile innovation.

His work over the past 30 years has appeared in the national press and a diverse range of business and technology publications. You can follow David on LinkedIn.