Sunday, April 10, 2016

Hybrid Cybers

At the Women in Cyber Security Conference, someone posted a slide title "The Rise of the Cyber-Hybrid".  The concept was that to advance and develop in cyber security, people needed multiple disparate skills (policy, law, regulatory, interpersonal skills, leadership, etc).  While I don't disagree that having these skills makes someone more employable, I do disagree that they are a requirement.


Hiring a Cyber Hybrid

Instead, this is really more of a list of skills needed on a team in general. The higher up the org chart you go, the more of the skills are needed in aggregate.  As a hiring manager, it's easy request that full list of skills in a single employee for multiple reasons:

  • It's easier to get approval to hire one unicorn than a technical person plus a social sciences major.
  • You don't have to compromise.  The person has everything.
  • If one person presents all the skills needed for the team, there's much less risk and work required to build the team.
However, while hiring the unicorn in theory sounds perfect, the practicality is far from it.
  • The person with all skills, particularly disparate skills, are hard to find.  (And, let's face it, no-one is perfect.)
  • When you do find them, they are both expensive and demanding.
  • You may be hiring a hybrid who has multiple skills on the hope that since they are pretty good at everything, they'll figure out the role you need as well; just to find out that is not the case.
  • If you do get them, they are hard to keep.
  • Even if kept, unless all their skills are continuously utilized, they will lose some subset of them, which is a loss for both the employee and your organization.
Plus, they have an effect on the rest of the team.
  • An entire team of unicorns is under-utilized.  If all are capable in all areas, yet you need 10 hours of technical work for each 1 hour of presenting, you are wasting a significant amount of the presenting skill on your team.
  • Having one overachiever encourages the underachievers with overlapping skills to under perform.
  • Having an overachiever that does everything can hurt morale for the rest of the team who have to work with someone who can do what they can do, plus all the things they can't.  It strongly encourages imposter syndrome.

The Alternative to Hiring a Cyber Hybrid

Instead of trying to hire a single baseball player that can play every position, take the Moneyball approach.  (Not that moneyball was anything more than good, common sense, team building.)  Spread the skills you need across your team.

First, you need to understand the skills you need.  Do you really need someone versed in international law?  (Maybe. Maybe not.)  Do you need a skilled communicator? (Almost absolutely yes.)  Build a matrix of the people you have and the skills you need and note who can provide what.  Once you know what skills you are lacking or weak in, plan to hire to obtain those skills.  That might mean adding an english major to your forensics team or building a strong relationship with an editor.  It may mean hiring a marketing guy who has great interpersonal skills to your pen test team to be the face to the customer.

Many times people have the team they have and simply can't go and add head-count to get the skills they need.  The reality is you probably have what you need in your team, it just takes some skill to tease it out.
  1. First and foremost, care for the physical and emotional needs of your team.  I can't stress this enough.  If you don't, nothing else you do matters.  Your morale will be low and your team will underperform.  Everyone leaves for a reason and your team will leave you if their needs are not met.
  2. Understand the strengths of your team members and maximizes them.  Find the guy who gets along well and use him for presenting.  Find the creative guy and have him suggest solutions to problems.  Find the thorough person and set them to checking technical details.   This is certainly harder than it sounds.  It takes a lot of talking with and observing your team and a lot of trial and error.  However, success is clear.  When the person's productivity shoots up, you know you've hit the nail on the head.
  3. Compensate for team members' weaknesses.  The creative person will probably have bad ideas and miss details.  Get the pessimist's opinion on the ideas and let the detailed person check them.  The social person may not be highly technical.  Let them skip out on the high tech work.  The detail person may have trouble coming up with diverse ideas.  Don't put pressure on them to come up with solutions to hard, complex problems that the creative person can solve.
  4. Continue to grow your team.  For the members who want to improve themselves, encourage them to go to management, interpersonal skill training (and make sure to save the budget to send them), technical training, or however they wish to expand.  Then give them responsibilities that allow them to practice what they've learened.  Many times the skills people are interested in gaining will become just as important as the skills they had when hired.

Benefits

There are a lot of benefits to this approach, (on top of not having the downsides listed above of hiring the hybrid).
  • Your team is more likely to succeed, and succeed as a team.
  • Each team members' skills are utilized.  No-one's skills, (which you pay for through differences in their negotiated salary), are going unused.
  • Each individual team member is less expensive because you don't have to pay for skills you aren't using.  This also frees up money for additional training, which leads to the next bullet.
  • Morale is higher.  Each team member is contributing in a substantive way.  Hopefully each member is happier due to better fit between their role and skills.  And hopefully you have more flexibility to grow your team members.
And, as you go, you are making the better-rounded people who are prepared to take the few roles where one person does need to have it all.  (These roles tend to be in small companies with 1-man teams or in management positions where the manager must have the social skills to deal up the chain and the technical skills to deal down it.)

For Employees

This isn't a blank check to be a one-trick pony.  You may very well be the best person in the country at reverse engineering malware, and that ability may get you the job you want.  But the gal with a reasonable amount of technical experience plus many soft skills and skills from other disciplines is probably the more desirable employee in most roles.  Instead,
  • Make your boss's life easier.  The more of the skills in the WiCyS conference slide you possess, the more options they have in balancing their team.
  • Also, the more skills you have, the more valuable you are to your current and future employers.  That means more compensation, more options, and more flexibility.

Conclusion

In the end, no-one's perfect.  You can hunt the cyber hybrid, but you're probably better off hiring imperfect people and building a team greater than any one person with the same skills.  And, as an employee, always work to build those additional skills to help your team.