Cybersecurity's Secret Weapon: It's Not AI, It's YOU (and How to Power Up Your Team!)
Everyone's buzzing about Artificial Intelligence. It's revolutionizing industries, transforming tasks, and yes, it's a game-changer in cybersecurity. But here's the unvarnished truth that often gets lost in the hype: AI doesn't replace people; it empowers the right ones. So, how do you find those "right people," nurture their talent, and even propel your own career in this dynamic digital landscape? We recently delved into this critical topic with cybersecurity and HR guru Casey Marquette on CISO Tradecraft, and he dropped some incredibly practical wisdom you won't want to miss.
The Human Spark: From Patrol Car to C-Suite Success
Casey Marquette's career trajectory is anything but typical, offering a powerful lesson in what truly fuels success. He kicked off his professional life pounding the pavement as a police officer. A fortunate encounter led him into corporate physical security, and then, a pivotal moment: his mentor, Marie Allison, the CISO at Johnson & Johnson for over a decade, saw something special in him. What did she see in a "goofball" with zero computer background who was asking "obvious questions" in forensics training? "Tenacity and passion". Marie believed in his hunger to learn and his determination. This belief propelled Casey to become certified in forensics, earn a Master's in Information Assurance, and accumulate various other certifications to build his technical foundation.
From there, his career took off. He built the Security Operations Center (SOC) at Johnson & Johnson from the ground up, ascended to Deputy CISO at CVS Health, became Chief Delivery Security Officer at Cognizant, and served as COO of a consulting firm, where staffing was a significant revenue source. Recognizing a critical gap in the market – a lack of impressive staffing agencies during his time as a CISO – Casey decided to launch his own specialized cybersecurity staffing company.
His core philosophy, born from his own experience, is profound: "I would rather take the person with one year of experience that's hungry, passionate, tenacious than somebody that has 20 years of experience all day, every day". This isn't just a catchy phrase; it's the blueprint for building high-performing teams and a thriving career in cybersecurity.
Building Your Elite Cyber Team: Beyond the Résumé
As a CISO or cybersecurity leader, you're constantly seeking to fortify your team. There are generally three pathways to bring in talent, each with its unique advantages:
Promote from Within: This is often the most motivating option for your existing team members. It leverages their valuable institutional knowledge and signals a clear growth path within the organization. When employees see their peers advancing, it fosters a positive and ambitious environment.
Lateral Moves from Other Departments: Look within your own organization for that untapped "hungry" talent. These individuals might not have direct cyber experience, but they possess the drive to learn and understand the company's culture. This approach can also significantly reduce the costs associated with external hiring. Casey himself is a prime example of a successful lateral move, demonstrating that passion can outweigh a traditional background.
Bring in Outside Talent: While internal growth is excellent, external hires infuse your team with fresh perspectives and diverse experiences. They bring valuable insights gained from working under both effective and ineffective leaders in other organizations, enriching your team's collective knowledge.
However, simply filling roles isn't enough. Building a truly effective team requires fostering an environment where people thrive. Positive leadership is paramount. As G Mark Hardy wisely noted, "give people a reputation to live up to". Instead of criticizing, approach individuals with belief in their capabilities, and they will strive to meet those high expectations.
Johnson & Johnson famously evaluates employees not just on what they accomplish, but 50% on how they accomplish it. This critical distinction helps mitigate the impact of "cancerous" but effective individuals who achieve results by running over others. CISOs, take note: rewarding both results and methods ensures you cultivate a respectful and collaborative team culture, not just a productive one.
The best leaders, like a tough but caring coach, push their teams to excel, even when it's uncomfortable. The key differentiator between a demanding leader and a simply mean one? The personal connection and the genuine belief in the team's best intentions. When your team knows you care about them personally and professionally, they will respond positively to challenges and grow tremendously.
Turbocharging Your Own Career: From Analyst to CISO
Your own journey from cybersecurity professional to CISO (or beyond) demands strategic planning and proactive engagement:
Ask About Internal Mobility (Tactfully!): In job interviews, don't be afraid to inquire about career progression, but do so with finesse. Frame your question positively: "If I exceed expectations, can you give me examples of others who did and were promoted?". This shows ambition without appearing presumptuous and helps you identify organizations that truly invest in their people's growth.
Write Down Your Goals (Yes, Really!): This isn't just motivational fluff; it's a proven strategy. Casey and G Mark Hardy both emphatically endorse this. Studies consistently show that specific, time-bound, and measurable written goals significantly increase your likelihood of achieving them. G Mark's personal experience, from launching his own cybersecurity business years ahead of schedule to pursuing his MBA, underscores the power of this discipline. Recommendation for CISOs: Encourage your team members to set and write down their career goals. Provide guidance and resources to help them create actionable plans.
Network, Network, Network (Quality Over Quantity): This is arguably "the most important thing you can do" for your career. However, focus on quality over quantity. Don't just collect LinkedIn connections; nurture them. Crucially, don't only reach out when you need something. Consistently provide value to your network, offering insights, sharing opportunities, or simply checking in. This builds a foundation of reciprocity that will serve you well when you need support.
Find a Mentor (and Offer Value First): Seek out individuals you admire and whose career path you aspire to emulate. Once connected, consider a bold but effective strategy: "I will work for you for free on my off time. Give me something that would be valuable for me to achieve for you and let me show you what I'm capable of". This "try before you buy" approach demonstrates your commitment and ability, creating invaluable relationships and references. Even if they don't have an immediate opening, they become powerful advocates who can personally recommend you to their network.
Reinvent Your Résumé (Lead with Value): Ditch the generic, job-description-style bullet points that begin with "responsible for". Your résumé should be a testament to your impact, not just your duties. Instead, start each bullet point with measurable, tangible value, followed by the activity. For instance, instead of "Led the vulnerability management program," write: "80% reduction in critical vulnerabilities by leading the vulnerability department in weekly Executive V meetings". Résumés are often reviewed in mere seconds (some studies say 13 seconds, others 6 minutes), so make every word count by highlighting your quantifiable achievements.
Develop Other Leaders: The pinnacle of leadership isn't just your personal accomplishments, but your ability to develop other leaders. Your ultimate measure of success will be how well your people perform and progress under your guidance.
AI in Recruitment: The Double-Edged Sword
AI is rapidly reshaping the hiring landscape, offering unprecedented efficiency but also introducing new risks.
The Power of AI Tools: Specialized AI tools, like the "Scout" tool used by Casey's firm, are game-changers for recruiters. They can review applications 160 times faster than a human, analyzing a resume and providing a full analysis in just 2.2 seconds, compared to an average human recruiter's six minutes. Moreover, AI works continuously ("Scout never sleeps"), operating 4.4 hours more than a human daily. This means a far greater number of applicants can be reviewed, uncovering "great talent" that human recruiters often miss due to sheer volume (for example, human recruiters typically review only 15% of 300-500 applicants).
Fighting Fraudulent Candidates: The rise of remote work has unfortunately led to a surge in fraudulent candidates, including those linked to nation-state actors like the Democratic People's Republic of Korea (DPRK) seeking to leverage positions for financial gain. Advanced AI tools are now critical in detecting these threats. They can flag suspicious activities such as IP address discrepancies (e.g., claiming to live in Virginia but interviewing from China), new resume creation just minutes before submission, or even tab switching during interviews. These tools provide a "confidence score", with one service used by Casey's firm flagging 20% of candidates as suspicious.
Helpful Recommendations for CISOs:
Demand Robust Fraud Detection: Given the escalating threat of fraudulent hires and the significant risk posed by insider threats (who, once onboarded, are granted trust and access), CISOs should demand that their HR departments demonstrate robust fraud detection capabilities.
Consider Specialized External Firms: If internal HR lacks these advanced capabilities, CISOs should seriously consider engaging specialized external firms that have AI-powered fraud detection built into their processes. As Casey noted, "I certainly wouldn't want that fraudulent candidate in my organization". It's far better to build security in from the start (onboarding) rather than dealing with the aftermath of an undetected insider threat.
The Right Partner: When to Call in the Experts
While your internal HR team is a valuable asset, they often lack the deep, nuanced understanding of cybersecurity roles, as they typically recruit across a broad spectrum of positions (IT, sales, warehouse, etc.). This is where specialized cybersecurity staffing firms can become indispensable strategic partners.
Specialized Expertise: Firms like Covenant HR focus solely on cybersecurity. This specialization means they understand the intricacies of different roles and are far better equipped to vet candidates for highly technical positions.
"Try Before You Buy" Contractors: Utilizing contractors offers immense flexibility. It allows both the company and the candidate to assess the fit before committing to a full-time hire. You can set a desired hourly rate, and the staffing firm, leveraging its large database of professionals (Casey's firm has 170,000 cybersecurity professionals), will find qualified talent within that budget.
Understanding Direct Hire Costs: For direct hires, be prepared for fees that typically range from 17.5% to 30% of the first-year salary, depending on the volume of hires and the specific agreement. This transparency helps you budget effectively.
Crucial Recommendation for CISOs (and Hiring Managers):
Embrace the Exclusivity Advantage: Resist the common but counterproductive urge to send a single job description to ten or more staffing agencies. Recruiters are human, and they prioritize engagements where their chances of making a placement (and earning a fee) are higher. If you broadcast a job to too many agencies, recruiters know their likelihood of success is slim, and you'll often receive poor quality candidates because they won't invest significant time in vetting. Instead, consider exclusive or limited engagements with one or two trusted, specialized firms to ensure you receive the highest quality candidates.
Final Thoughts: Don't Go It Alone
In an increasingly complex world driven by AI and evolving cyber threats, the human element remains your most valuable asset. Whether you're a CISO tasked with building a robust, resilient team or a cybersecurity professional charting your own career path, remember: strategic hiring, deliberate career planning, relentless networking, and the wise leveraging of specialized expertise are your keys to success.
Just as you wouldn't "roll your own firewalls" when commercial solutions are superior, don't attempt to navigate the intricate world of cybersecurity talent acquisition and career advancement without leveraging the expertise available. Take advantage of the resources out there.
Stay safe out there!