How to Hire — and Retain — Effective Threat Hunters

Finding and keeping solid cybersecurity analysts and threat hunters in today's market is challenging and requires evolving the interview process and evaluation criteria as well as engaging employees differently. Here are some strategies to consider.

A Different Kind of Interview
When interviewing a candidate, the certifications and degrees show a certain kind of focus. They picked a field, they stuck to it, they proved they had the skills to pass. But is that more important than sheer curiosity? We would argue no. Three key characteristics that should be evaluated are curiosity, attitude/disposition, and culture fit.

These are not in random order. Threat hunters must think not just like the cybercriminals who came before and the hackers of today. To a certain extent, they must think like criminals of the future. They had better be interested in knowing the unknown.

The Curiosity Factor
Curiosity is critical. Curious people are motivated and want to be at their job. They don't notice the hours flying by when they're knee-deep in a cyber-incident investigation.

The reality is people can be taught technical knowledge, but it's much harder to teach curiosity, motivation, aptitude, and the figure-it-out mentality. For us, sussing out these qualities during an interview means asking interviewees increasingly difficult questions and looking for the ones who can admit they have no idea but are driven to figure it out.

A candidate that makes up an answer to not appear ignorant creates a trust issue. When in a bind and time is of the essence, you must trust that an employee will give you the correct answer or admit defeat and request help.

So once you've hired great cyber talent, how do you retain them? Don't let them go due to your sheer inability to provide a healthy environment for them to grow and flourish.

Don't Box Them In
Security operations centers (SOCs) are notorious for breaking teams into tiers with discrete responsibilities at each tier. This results in monotony: identify an incident, create a ticket, rinse and repeat until the end of your shift. If that's all the employee is doing, though, how will that person ever move up? "Ticket monkeys" will never get the opportunity during their normal shifts to experience the rest of the incident management process. The more confined a curious someone is, the more that person will want to explore what lies beyond their cage.

Challenge your SOC to develop broader roles that give employees an opportunity to work their way through the whole incident management process from incident detection through incident response. By enabling employees to do the full analysis of an incident, and involving them at every stage, they gain experience across the spectrum. Also, encourage your analysts, and all employees, to push their own boundaries because it is a key driver for personal and professional growth.

Build a Safe Environment
Giving latitude for employees to gain new experiences also necessitates an environment in which employees feel safe asking questions. When pushed to their boundaries, security analysts must feel comfortable and confident that they can raise their hand for assistance. Much like a hospital, an analyst working an incident is the "attending." However, that doesn't mean that they can handle every single process or treatment that needs to be done for the patient.

Encourage analysts to collaborate with other specialists who may possess deeper knowledge about a certain stage of the incident response process. Collaborating on a process where they aren't as adept provides real-world experience and an opportunity to learn from a colleague. So with that next incident, they may be able to complete the process on their own and add a new skill to their analyst toolbox.

Don't Skimp on Training
Cybersecurity is evolving at warp speed, so leaving good employees behind will make them feel stagnant. A truly curious individual will crave learning and may often prioritize it over other benefits.

Too often, organizations put a low dollar amount, often set at the corporate level, on employee training budgets. Yet in cyber, the best classes are expensive. It is important to champion for employees and ensure the appropriate training budget is allocated. Ultimately, training is an investment — one that delivers returns in new skills, employee retention, and morale.

Prioritize the training and it will demonstrate how much you prioritize your staff and their development and growth.

Acknowledge the Power of Your Employees
A good experience with your manager, particularly in a high-stress environment, starts with honesty and openness. Employees should know that if they're doing something every day, then their opinion about how they do it is critical. Not every idea can be implemented, but the validation for teams who can speak up goes a long way for morale and encourages additional feedback.

The bottom line is that most security professionals don't leave for money alone. They leave for a place where they feel appreciated, acquire new skills, and are part of something bigger. Employee retention typically won't increase until you have implemented the right foundation to find, keep, and nurture the best.