Hiring Cybersecurity teams Technological & Behavioral Skills a Must

Businesses of all size face increasing cybersecurity threats, particularly from ransomware attacks, as the pandemic continues to affect how cybercriminals hack into the workplace.

“Malicious actors have taken advantage of the rapid transition to work-from-home and hybrid environments by targeting private corporations and government entities of all sizes,” cybersecurity experts Leeza Garber and Scott Olson told Advisors Magazine. “Everyone is a target.”

Garber, a legal analyst, consultant, and keynote speaker, is also an on-air analyst for Fox News and Fox Business News. Olson, a former FBI assistant special agent in charge of intelligence and counterintelligence, is founder and CEO of HR consulting firm GlenHaven International, LLC. Garber and Olson have teamed up to write a new book, Can. Trust. Will. Hiring for the Human Element in the New Age of Cybersecurity, which offers guidance on hiring and building effective cybersecurity teams.

“We’ve seen the largest growth in the use of ransomware and double extortion ransomware, which not only holds a system hostage until a ransom is paid, but also breaches the data and holds it for blackmail purposes,” Garber and Olson said. “By the end of 2021, it was estimated that nearly seventy percent of all cryptocurrency transactions were for illegal activities.

”Keeping pace with the increasing number of cyber threats requires knowing your organization’s vulnerability points, they continued. Many companies of all sizes employ internal or external IT personnel, but those defensive measures often do not provide enough protection.

“During the pandemic, organizations ramped up cyber-hygiene best practices, implemented ongoing employee education (including mock phishing exercises), and hired for privacy and cybersecurity positions,” they said. “Still, it’s a game of cat-and-mouse. Hackers have more efficient and effective ways to target and successfully breach systems. Also, the lines between employees’ professional and personal lives are even more blurred as work-from-home becomes permanent. People are working longer hours and are more likely to accidentally click on the well-crafted spear phishing email, and executives want to bypass security mechanisms that they find tedious.”

Ransomware in particular grew at a rapid pace in 2021. Ransomware threats typically use the same mechanism as cyberattacks: a phishing communication (email, text, social media, etc.). Everyone in an organization needs to be on guard against those penetration methods. While Benjamin Franklin was not talking about cybersecurity, they said, his advice still applies: “An ounce of prevention is worth a pound of cure.”

Garber and Olson added, “It’s not a question of if you’ll be breached, but when. Once you accept you are always a target, cybersecurity transitions from being just another budget line item to a value-add. Being proactive means protecting your clients, maintaining business continuity, and demonstrating compliance to regulators: a triple threat that saves money, time, and relationships in the long run.”

Unfortunately, there is no one-size-fits-all solution to ransomware attacks. Every organization’s situation is different, based on such factors as:

• How quickly and how far did the ransomware spread?
• Are backups available and readily deployable?
• Is a team ready to assist in disaster recovery?
• What type of ransomware hit your organization?

Although federal agencies suggest that companies never pay the ransom nor negotiate with cybercriminals, Garber and Olson said, many companies feel they have no choice but to make the payoff. Sometimes organizations do not have backups or their systems cannot be restored quickly enough. They may not want to report the incident to authorities under the present mixture of state and federal laws. Disclosing a breach can bring negative publication and a potentially devastating loss of consumer trust and business. In addition, double extortion ransomware – which steals data for blackmail purposes as well as encrypting the company’s data – has become more commonplace.

”Put simply, if you attempt to figure out a response after a ransomware attack hits, you’re just too late,” they continued. “The basics are easy: have accessible backups; keep remote backups; form a relationship with the lawyer/PR specialist/digital forensics team/FBI local office you would need to call; and write a detailed plan -- even if that means understanding how you could pay up in cryptocurrency, if it is your best option in a bad situation.

Garber and Olson agreed that these “basics” can be time-consuming and expensive, depending on the breadth of your systems. Also, drafted plans are meaningless without testing, so companies should perform frequent tabletop exercises. They should also consistently update response plans to any kind of cyberattack in timely and meaningful ways.

Hiring for Cybersecurity Success

The key to addressing all of the issues around cybersecurity is building and inspiring a high-performance team to handle the challenge. While cybersecurity is often perceived as a technological issue, Garber and Olson characterize it more as a human problem. Beyond technical knowledge about battling social engineering scams and other human-based penetration techniques, they said, cybersecurity professionals require a variety of behavioral traits to succeed.

“What we’ve consistently found in our research is that the hardest systems to penetrate are those which are constantly patrolled and examined by diverse teams who look for abnormalities and changes, and who strive to stay ahead of the curve. No matter how sophisticated AI {Artificial Intelligence} and machine learning is, it cannot replace human creativity. Gray matter matters.”

In response to the increased post-pandemic threats, Garber and Olson said, they have expanded their practices to make assisting companies with the cybersecurity hiring process their principal focus. The approach includes identifying success criteria for each cybersecurity role to be filled, and then successively narrowing down the applicant pool to identify the best candidates for each position.

“There’s an article out every week about the lack of cybersecurity talent to hire, or the unfortunate ratio of cybersecurity job openings to candidates,” they said. “We approach hiring differently and offer a new and highly effective process for private companies and government entities looking to fill the gaps in their security teams.”


Their method begins with employers first evaluating the needs for each specific job or role. The first question is: What are our legal and compliance requirements? Secondly, who can and will accomplish those tasks? Answering those questions means identifying, in specific detail, the objectives of the role while articulating the behaviors that correlate to success.

“While we argue this is true of all hiring, it’s particularly crucial to have a process in cybersecurity (and privacy, for that matter),” Garber and Olson said. “The rules are constantly changing, and the threat vectors are constantly adapting.”

Sorting resumes into piles of “interview” and “reject” by methods such as AI or manual review by an intern ensures poor hiring decisions, they said.

“As we write in our book, developing and implementing solutions to ongoing cyberattacks and data breaches requires creative, focused, and highly-trained employees. The challenge is finding the right people who are capable of creating effective solutions to evolving problems.”

That book, Can. Trust. Will., details best practices for such topics as identifying cybersecurity hiring needs; how to handle resumes; and what a behavioral interview should address. They outline mistakes they see employers repeatedly make that lead to the downfall of cybersecurity teams.

“One of the key tips is that before you start trying to hire, reconcile what leads to success and what leads to failure in each job role in your company,” they said. “This will allow you to begin to write a serious description of what you actually need. Cybersecurity candidates may come from academic backgrounds; had experiences learning to hack from their basements; or by working their way up in various roles in a company that show them what vulnerabilities exist and how they are missed. Candidate pools should also showcase diverse talent.

“Diversity, in all respects, is an operational necessity,” they said. “A team that agrees easily is missing important threats. High-performing teams – whether made up of full-time employees, vendors, or a mixture – are composed of differing perspectives, approaches, and experience.

The hiring model outlined by Garber and Olson focuses on processing pools of candidates. The approach begins with the easiest differentiators (such as determining whether an individual has the required technical skill set) and progresses to the most difficult (the behavioral interview). During this process, the candidate pool becomes smaller until, in the final phase, an individual can be chosen from the refined group. The initial easy steps are less expensive, while difficult ones require time, expertise, and money.

The three steps in the process (which is also useful for non-cybersecurity candidates as well) are:

• CAN: This is a binary question: either candidates have the technical skills to perform the required tasks, or they do not. Addressing skills first allows the hiring manager to quickly and inexpensively differentiate between those who have the capabilities and those who are aspirational.

• TRUST: This aspect can be addressed by determining whether someone is honest. The question of trust becomes more complex for high-access roles, with components involving integrity, high-pressure decision making, and choosing between one’s personal agenda and the enterprise’s interests.

• WILL: The final step takes the most time and resources to evaluate. “There’s always a gap between what a person can do and what they will do, particularly when under pressure,” Garber and Olson said. “It’s crucial to understand what a candidate will do before offering them a position. The key is understanding you can articulate what you need a person to do – the behavioral characteristics – required to be successful in the specific role in your company. It is also crucial to also understand you can differentiate candidates: it is possible to know what a specific candidate will actually do in specific situations. That’s why we spend so much time on the behavioral interview.”


However, hiring does not end with a job offer, Garber and Olson noted. Hiring ends when your new staff members are fully integrated into your teams. High-performance teams function on the interactions between members, making an effective onboarding process particularly important. The co-authors devote an entire chapter to onboarding because there are many different methods to integrate people into a team.

“The key is remembering that the purpose of onboarding is to build relationships,” they added. “Every time a new person joins a team, the team dynamic shifts. Everyone adjusts and interacts in slightly different ways. Onboarding must facilitate these interactions so adjustments can be made quickly and with minimal disruption.”

Addressing Small Business Vulnerabilities

Small businesses are particularly vulnerable to cyber threats, so they need the Can-Trust-Will process even more than large enterprises to address security needs, the co-authors said.

“Many small businesses avoid setting up processes because they think they can’t afford the expense,” Garber and Olson said. “The reality is: small businesses can’t afford to waste money with bad hiring decisions. Small businesses will build smaller candidate pools and run through the Can-Trust-Will process more quickly than larger companies, but the savings and efficiencies are produced regardless of scale. The key is to begin by specifying what success looks like and what failure looks like for each job role to be filled.”

Whether your business is a small financial advisor or a larger firm, they suggest answering the following questions:

• What laws apply to your firm?
• What obligations do you have to your clients?
• What are your obligations to employees?
• What cyber risks do you face?

“For larger organizations, this means opening up continuous and constructive lines of communication – across legal, finance, information technology, human resources, administration, operations – to acknowledge and appreciate where the gaps are,” Garber and Olson said. “For smaller businesses, the only way to ensure your bases are covered is to begin with a thorough data mapping exercise, and then audit it frequently.” (Data mapping identifies what data you possess, and tracking racing where it comes from, how it is collected, and where it is stored.)

They also noted it is important to stay up-to-date on how your industry is responding to cybersecurity. For example, the U.S. Department of Labor recently announced its first-even cybersecurity guidance. The guidance for firms regulated by ERISA (such as fiduciaries and plan sponsors) aims to protect both retirement benefits and personal information.

There are numerous vendors offering SaaS (software as a service) cybersecurity solutions for businesses of any size. Features include cloud-based storage, threat detection, and compliance with specific state laws such as the California Consumer Privacy Act (CCPA).

“Like all vendors, they require a meaningful vetting process,” Garber and Olson added. “This may translate to more than just requesting a security certificate, but auditing that certificate as well. This process is due diligence that can mean the difference in staying online and up-and-running – as the recent slew of distributed denial of service (DDOS) attacks demonstrates.”

Garber and Olson regularly conduct seminars to explain new regulations impacting various industries (such as federal financial laws revisions and new data breach reporting requirements). They also offer workshops on how cybersecurity best practices can be applied to a certain company, or how a sales team can market its employer’s cybersecurity protocols as a value-add to prospective clients.

Can. Trust. Will. Hiring for the Human Element in the New Age of Cybersecurity by Leeza Garber and Scott Olson