Craig McDonald 01 February 2019 13:27:48 AEDT 10 MIN READ

Attracting top cybersecurity talent: Building a stellar team

According to the 2019 Annual Cybercrime Report by Cybersecurity Ventures, cybercrime will cost the world $6 trillion annually by 2021, up from $3 trillion in 2015.

You might find this a staggering figure, but for me, I’ve come to realise that’s just what we have to deal with in the current threat landscape. What this means for all businesses, big and small, is that they have to effectively manage cyber risk, to drive down the number of successful attacks, as well as costs to the business.

If you are ready to get serious about cybersecurity, then building a stellar cybersecurity team is a must.

First steps

You may already have a cybersecurity specialist or two. Perhaps they’re in charge of security in your IT department, or a finance professional charged with addressing business risks. That’s a great start, but as I always say, ‘Cybersecurity is a leadership issue, not an IT issue.’

Effective cybersecurity has to start at the top, which means your board and senior leadership team are aware of the risks and responsible for mitigating them.

Here are my first steps towards building a great team from the ground up.

Create a cybersecurity strategy first

Want to hire a great team to handle your cybersecurity? Don’t expect to leave it all up to one or two individuals to orchestrate. If you want to attract top talent you need to demonstrate that you know what you’re doing. Build a proper governance framework to defend your organisation against a cyber attack. There’s nothing that screams unprofessional and unorganised like saying “You’re the expert, it’s up to you!”

It’s also time to start building a cybersecurity culture in the workplace, which is something I encourage all businesses to do. This means your senior leadership and board are setting an example for others to follow, demonstrating the importance of cybersecurity to your organisation.

For mid-sized and larger organisations, form a risk committee to identify and address any business risks, with cybersecurity a key component. Considering data security, IP and other assets that may be stolen or compromised, legal, regulatory and reputational risks, as well as risks to your operations and business continuity.  

For organisations without the internal knowledge to develop a cybersecurity framework, this may require hiring consultants or engaging partners to help out. For example, Deloitte have their own Cyber Strategy Framework they can help you to implement. Partners can also lend their experience from working with other organisations that have faced similar challenges to yours. MailGuard works closely with hundreds of partners around the globe, so our team will be pleased to make an introduction. You can also check out MailGuard’s data security policy framework if you want to build a solid policy to protect your organisation’s data.

Who’s in charge? Do you need a Chief Information Security Officer?

While your leadership team must drive the priority and importance of cybersecurity to your organisation, it’s unrealistic to expect that they will have the capacity to give it their full attention.

Consider searching for a cybersecurity Team Lead while you’re developing your cybersecurity strategy - this way, you can take input from your board and SLT on the requires for the ideal candidate, and the consultant or partners can be involved with the hiring process. Plus, your new Team Lead can then help hone the strategy for your business.

For larger organisations, I always recommend having a person in place that is solely concerned with security risk governance, compliance (especially with cyberlaw), and policy - a Chief Information Security Officer. If this sounds like your company, it’s best to establish this position before or at the beginning of developing your cybersecurity strategy.

Start early when searching for the best Team Lead

Ok, so you want to build an amazing cybersecurity team. Now’s the time to start searching for the best candidates for the Team Lead, even if you’re not ready to hire yet.

It will take time to headhunt candidates for your Team Lead role - a person who has the right mix of technical ability and management skills. You can either dedicate your own time to this task, assign it to a trusted person within your organisation, or outsource to a recruitment company. If you do decide to outsource, make sure the recruitment company and the recruiter themselves are knowledgeable in the cybersecurity space.

LinkedIn is great resource for researching and identifying people you think would make a great hire and fit for your company. It’s how I’ve found many of my best hires, plus you can reach out to your network for recommendations.

While you can search nationally first, don’t necessarily limit yourself: you may be able to attract international talent with the right package. For instance, ICT Security Specialists are on the list for skilled visas in Australia. Do be aware that the process for international applicants may take some time though.

Offer an attractive package

To attract a great Team Lead, you’re going to need to offer them an attractive package. Hopefully, your organisation already sounds like an alluring place to work. That’s the first hurdle!

Beyond that, consider:

  • an attractive salary (possible bonus structure)
  • flexibility in working conditions
  • the chance to have a strong impact on shaping the company
  • upward mobility
  • further learning opportunities

And while these all sound like the fundamentals for attracting talent in any role, in my experience the number one thing that top people are looking for is a stimulating and challenging role, in a company that will provide the support they need to have success. So make it clear to them that the board and leadership team are prioritising this role, and how important it is to all of you that they are successful.

Building the team

Let your fresh Team Lead take the reigns

As soon as you have your Team Lead on board, it’s time to start the team hiring process. With a great Team Lead at the helm, you’ll be able to let them set about sculpting the team they need. Let them take the reigns and offer support in their search via guidance and/or other resources (either by dedicating other staff time to the search or the help of a recruiter).

Get current employees to help out

Your best networks are often the ones you already have. We mentioned LinkedIn earlier, but also put the word out to your staff that you’re on the hunt for cyber specialists and they may be able to point you in the direction of friends, family, or ex-colleagues with the relevant skillset. You may even find among your current team that there are already some with a good base to launch their cyber career.

Cyber defence roles can be highly suited to ex-military and ex-intelligence agency employees

And there’s no harm in reaching out to current military or intelligence employees either. It’s combat of another sense and requires a similar set of rules, procedures, and rigour that these sorts of people have already seen in the workplace.

I speak with experience on this one, because our CTO, Bill Rue is leading the development of our defences, and he comes with a technical background from the corporate world, but he also brings years of discipline and knowledge from his years in the Australian defence force.

Getting the right mix

While a cohort full of tech-savvy professionals might get along like a house on fire, it pays to have a more diverse team, in terms of backgrounds, ethnicity, gender, age, and the like. McKinsey’s 2017 Delivering Through Diversity report shows that organisations in the first quartile for ethnic/cultural diversity are 33% more likely to outperform the competition than those in the fourth quartile. In gender diversity, they’re 21% more likely to outperform their counterparts.

Through my experience not only with my own company but closely aligned with other companies’ cyber teams, you can really tell the difference in effectiveness between a “just ok” team and a stellar team. Getting it right from the ground up, building strategically, then letting your team flourish, means a tight-knit, progressive, effective, and happy cybersecurity team - and that’s what all businesses need in this current climate.

Think beyond your own four walls: Collaboration is key

My final word of advice on this matter is not to limit your thinking to your own organisation. In cybersecurity, collaboration is vital. While those inside your business will have the best understanding of your assets and data, it is vital that they are in regular contact with others outside of your company to hear about attacks on other companies, and about the plans, tools and tactic that others are employing.

We talked earlier about partners, but this should extend to peers in other organisations to share best practices, as well as other industry groups and government bodies. At a lunch that MailGuard hosted with PwC in 2018, keynote speaker Alastair MacGibbon, Head of the Australian Cyber Security Centre said, “Alone we will fail.” I wholeheartedly agree. We all share an interest in keeping our companies and teams safe from harm, so it makes sense for us to work together.

Get the facts

Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.

Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets.  If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.

I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.


You can download my e-book for free, here.

“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal. 

... ... ...

Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity and Blockchain; I'm active on LinkedIn and Twitter. 
I’d really value your input and comments so please join the conversation.