Ryan Berg
Nov 2015

4 Common Mistakes Companies Make When Hiring for Cybersecurity

Note: This post is a sneak peek of material from our Getting Started Guide to Cybersecurity.   

With data breaches becoming a fixture in the headlines it’s no surprise demand for security professionals is on the rise. Unfortunately, supply is nowhere close to keeping up. According to Forbes, more than 200,000 U.S. cybersecurity jobs are currently going unfilled, and the shortage is expected to reach 1.5 million unfilled positions by 2019. As a result of that shortage, hiring dedicated security professionals has become increasingly difficult and expensive (the average salary has risen to over $97,000).

Since their value is increasing, it’s also now more important than ever to ensure that the security professionals you are able to hire are actually set up for success (and that involves stepping back and affirming you actually need a dedicated security person in the first place). The last thing you want is for your investment to go to waste. 

4 Common Mistakes to Avoid When Hiring for Cybersecurity

1) Waiting until something goes wrong to make a hire

It happens far too often. Companies find themselves on the wrong side of a data breach and suddenly see the light. They rush to bring in someone who can put out the fire, perhaps under internal or external pressure. The reality is, being in crisis mode often biases your ability to think clearly about what the business truly needs. Instead, you end up looking for the fastest way to make the immediate problem go away.

2) Not understanding why you need security in the first place

In order to save you and any potential security hire a lot of time, resources, and heartache, you need to make sure you understand how security fits into your organization and, more importantly, how this function will be empowered to make sometimes uncomfortable organization changes.

If you don’t have a sense of the goal posts you are kicking toward, I can almost guarantee you will miss. You need to be ready for the function, otherwise you won’t be successful with the person. Answering the three questions below will help you develop a basic understanding of what your specific security needs actually are:

  • What are you trying to protect? This seems almost silly to ask, but many organizations don’t really understand what their critical assets are. Without knowing what you are trying to protect you can’t hire the right people to make sure that’s done in the most efficient and economical way for your business.
  • How much risk are you willing to take? This goes hand in hand with understanding what you are trying to protect. Since there is no such thing as perfect security you have to have some understanding of what risks you are willing to take.
  • How much are you willing to spend? Ultimately, your budget will reflect and inform your decisions about risk, but in order to determine an appropriate and efficient level of spending you also need to go back to your answers to question #1 — what are you trying to protect and how important is it to protect it?

3) Not setting security hires up for success

Hiring someone to own security can be seen as a great first step for many companies, but let’s not forget that having that person in and of itself does not make an organization inherently more secure (some CISOs would argue it only gives an organization a place to point the finger when something bad happens). We shouldn’t lose sight of the fact that better security requires four things:

  • people
  • process
  • technology
  • an organizational commitment to all three

Without the other three components, it’s likely even the best people will fail.

4) Hiring simply to keep up with the Joneses

The last thing you should do is hire a security manager or a CISO because everyone else has one. Yes, you’ll be part of the club, but there’s no guarantee you’ll be any closer to being secure than you were without one.

Before you bring on a dedicated security professional the key is to take the time to understand what the role means to your organization (hopefully you’re doing that now, before you have a critical security event). You need to make sure you are bringing on board the right person, empowering them the right way, and providing them with the budget and resources they need to succeed.

Photo by: Bethany Legg

Ryan Berg

Ryan is Chief Scientist at Barkly. He holds multiple patents and is a popular speaker, instructor, and author in the fields of security, risk management, and secure application development.
