How to identify and groom cybersecurity talent to fill the fast-changing roles and vast vacancies in APAC.

Policymakers in the region have also recognized that cybersecurity is a critical enabler for digital transformation, and expressed the need for more professionals to protect our cyberspace. Government initiatives like Singapore’s SG Cyber Talent program have been rolled out to better spot and groom talent in the next few years.

For insights into addressing this skills-gap issue, as well as the changing role of chief security officers and cybersecurity teams, CybersecAsia spoke to Larkin Ryder, Interim Chief Security Officer, Slack.

With cybersecurity a critical enabler for digital transformation, what changes do you see with regards to security teams at the workplace today?

Digital transformation requires giving the modern worker access to the digital tools they need to solve their pressing business problems. As business needs are changing, technology is expected to keep pace. IT organizations must be agile, never an impediment to the progress of the business. Today, a broad array of SaaS offerings means IT can quickly select and deploy best-in-class services that their employees are happy and more productive using.

But of course with this change, security teams are under more pressure than ever. Efficient digital transformation means a much greater use of cloud-based services, which means security teams have many operating environments to understand, evaluate and monitor with each new application the business acquires. While some of that risk is shared with the SaaS provider, the security team remains responsible.

Efficient processes for security reviews of vendors, relying on broadly-accepted security standards are a great benefit to the security team, speeding the onboarding of new technologies. Security teams expect rich features for automating user access, protecting data on mobile devices, and monitoring privileged activities. Security and IT need to collaborate with each other to ensure new digital technologies provide baseline security features.

How has the role of the CSO or CISO evolved as a result of these changes?

The role of the Chief Security Officer is more and more about reaching out to customers, colleagues and vendors. We are part of a merging ecosystem, each of us sharing responsibility for the security of our part of the IT value chain. More than ever, our success relies on sharing information and on our transparency.

This is an unusual posture for a security organization. Security professionals often rely on secrets as a way to stay secure. At Slack, my motto is: “No secrets, but secrets.” While we have valuable intellectual property and private business data to protect, we should share as much as we can about our security program. Letting our peers help us by offering assessments of where our products and programs are not meeting their standards is a good way to ensure our maturity is always increasing.

In your opinion, how should organizations in Asia Pacific tackle their security talent gap?

This is a very hard and important problem to solve. As we know, the security talent gap is growing and we will need thousands of security professionals in a few years. A recent study on the cybersecurity workforce by (ISC)² estimates the gap in the APAC region to be a staggering 2.6 million workers. We have to fundamentally change how we think about hiring to address talent shortages of that magnitude.

At Slack, we are taking a multi-pronged approach:

• Encourage interest in the field — We attend conferences, align with communities, and host events to introduce and expand interest in cybersecurity in cities where we have offices.
  
• Leverage colleges and universities with cybersecurity programs — Slack hosts two classes of interns per year and our security team signs up for a full load of interns. We give them a great experience and then offer them jobs when they graduate.
  
• Collaborate internally — We offer engineers within our company the chance to spend a quarter embedded with the security team.
  
• Promote champions to share the burden —  Slack has talented and security-minded employees in all departments. We offer engineers the opportunity to embed with security for a small project. This helps build relationships and security expertise across our engineering teams. Those “embeds” become advocates for security when they return to their team. They learn critical concepts and develop empathy for the security team mission.
  
• Make sure our hiring practices promote diversity — One aspect of this is to make sure that our posted job descriptions resonate with all genders. We will occasionally modify the wording in a job description and post it twice (if we have two similar openings), so that we can evaluate the impact our word choices have on our applicant pool.
  
• In-house training — This year, we opened up a new tier of Security work, available to less senior engineers. This role will be a stepping stone for people interested in a security career but with limited direct experience in the security functions the Slack security program currently supports.

What are some security talent best practices you have gleaned from experience?

I am told that one of the hardest questions I ask during an interview is this: “How do you support diversity?” What I usually learn right away is if the candidate has thought about diversity at all.

One common answer I get: “I give everyone an equal opportunity.” This is okay, but it’s just the beginning. We should be doing that anyway. The problem of making sure historically under-represented personnel are given a culture in which they can thrive is much more complex than opportunity. Chances are, if your environment looks mostly one way, then your culture has gravitated towards supporting that most common employee type, and, perhaps, away from supporting others.

In a resource-constrained hiring environment, we can’t afford to alienate non-typical workers. In fact, we need to do the opposite. We need to lift people up who are not yet experts. People coming to work at Slack are attracted to our security team for many reasons:

• The right candidates have done their homework and know that Slack’s security team has created a number of useful open source tools over the years to support scaling the impact of the security team. Great candidates are inspired by the help and support they’ve gotten in their careers. They also want the chance to give back one day. Creating a culture where open source projects are encouraged and supported is our best advertising to prospective employees.
  
• We know that security is unique in that you must constantly be learning new technologies, tools and practices to stay ahead of the attackers. More than any other part of high tech, security professionals are not maintaining an increasing code base. Rather, they are constantly discovering new and unusual ways that security can be undermined. For that reason, we extend a larger-than-normal training budget to our security team.
  
• Finally, I lean heavily on the culture at Slack as a company that embraces diversity and supports it through constructive action. By building an intentional culture at Slack, not simply letting the culture devolve to that of the most common employee type, Slack’s leadership has unlocked larger resource pools. The Slack service supports this by providing a forum where everyone can interact directly with Slack’s leaders. In Slack, we see our leaders modeling the communication and collaboration practices that help everyone at Slack do the best work of their lives. The result is that I’ve never worked at a company with better diversity.