Cyber Talent: Hiring Ex-Spies Requires More Than Just High Pay

U.S. companies struggling to find and hire the employees they need to protect their organization’s information security are looking to Washington, particularly the intelligence community, to remedy the skills shortage.

Soaring cybersecurity salaries–one recent poll found that top earners take up more than $400,000 annually–have made it almost impossible for cash-strapped small and medium-sized firms to hire experienced chief information and chief information security officers, creating a job shortage of an estimated one million unfilled positions. Even Fortune 500 companies have struggled to retain the top talent in this field, in part because professionals working in major cities are contacted regarding a new position at least once a week, according to a December 2016 study from the Enterprise Strategy Group research firm.

But security professionals and the bosses trying to hire them to agree that the best way companies can dip into the talent pool is to wade into the military and intelligence community. By recruiting veterans from the National Security Agency, Federal Bureau of Investigation, Central Intelligence Agency, and others, corporate America can at least double a government worker’s salary, and attract a new employee who might have invaluable experience from the front lines of cyber war. Some hires could also facilitate meetings between companies and potential government clients.

But even if companies can easily outspend the government, they’re also competing with each other, which makes it essential to appeal to security experts in other ways, too.

“For true hackers, if they’re bored at work, that’s just a death knell,” said Patrick Wardle, the director of research at the penetration testing firm Synack Inc., and a former National Security Agency staffer. “They thrive on creativity and solving hard problems. A lot of the companies I talked to when I was making the transition [to the private sector] were companies that were really making a difference.”

Money is certainly a factor, Mr. Wardle said, but it’s not the only selling point for a new job. Government workers were paying attention to the technology industry’s reaction to the leaks from former NSA contractor Edward Snowden. Many of the prominent companies named in the leaks publicly criticized the NSA for its surveillance tactics, a stance that roiled many in the intelligence community, Mr. Wardle said.

“If you’re a company that has us versus them mentality, and I’m from ‘them,’ it’s very hard to forget that,” Mr. Wardle said. “But it’s just what your culture aligns with. If a company takes such a black and white approach to something, it could create complicated issues.”

Marketing Skills Enhancement

There’s also a heavy burnout factor in the industry, so security professionals look for a culture where they’re rewarded for independent efforts to improve themselves, experts agreed. Jon Oltsik, a senior principal analyst at the Enterprise Strategy Group, a market research firm, polled IT workers to find that top security experts prioritize almost constant training. For many, that means employers should allow chief security officers, CISOs, and their teams to foot the bill for penetration testing, for example, travel to conferences, research forums, and the like.

“I tell companies that want to recruit and retain talent, ‘Market yourself as a place of cyber security excellence,’” Mr. Oltsik said.

That desire to continue achieving can not only yield a higher salary, experts say it’s related to a “mission first” mentality. It’s a personality trait that keeps the best and brightest motivated to learn more and keep focused on valuable tasks. It’s also something many intelligence community veterans remember after leaving government.

With that mindset, perhaps it should be no surprise that former digital spies move to startups, Silicon Valley, or into the world of private contracting, where they can keep their mission focus while doubling or tripling a government salary, after Washington.

“For many job candidates, “mission first” means keeping as many users as safe as possible,” said Jeremy King, founder of the headhunting firm Benchmark Executive Search.

Mr. King explained that when he’s recruiting job prospects on behalf private intelligence companies, advanced technology manufacturers, or other companies working in national security, he first scours ex intelligence officers with the assumption they will be most interested because of the industry’s similarity to the military.

The challenge is that many hiring managers are thinking the same thing.

“It’s a very aggressive environment for talent,” said Tim Estes, chief executive at Digital Reasoning Inc., an artificial intelligence company that uses software to scan messages at financial institutions to detect potential fraud incidents. “You can think you have a great person, then someone else drops in and doubles the salary offer at the last minute.”

Digital Reasoning announced in February it appointed Al Tarasiuk, the former chief information officer at the Office of the Director of National Intelligence and the chief security officer at Deutsche Bank AG, as a board member. In this government role, Mr. Tarasiuk developed a desktop program that enabled officials across the intelligence community to share information faster.

It’s not the company’s first foray into the intelligence community–Mr. Estes said Digital Reasoning employed a former senior Department of Homeland Security official, among others–but Mr. Tarasiuk’s ongoing employment at Deutsche Bank highlights the difficulty of finding candidates without existing opportunities.

“They just know what tools can be used, and how they can be applied when it comes to key missions,” said Mr. Estes, on what makes candidates like Mr. Tarasiuk so attractive.