Regardless of how robust their technical architecture is, organisations must still manage the human side of cybersecurity risks. Selecting the right cybersecurity personnel is of utmost importance. For this reason, effective human resources practices are critical to complement strong technical systems.

IBM industrial-organisational (I/O) psychologists undertook a research project to identify the essential attributes and aptitudes of high-performing cybersecurity professionals. To do this, they first observed high-performing security analysts (e.g., threat monitoring analysts, incident response and intelligence services analysts, and security information and event management security analysts) in a security operations center. In addition to these observations, these individuals participated in focus groups and surveys to further clarify the requirements. This research revealed several key attributes that distinguished high-performers from average performers.

Sample attributes for cybersecurity success

The impact of the right assessment approach to cybersecurity hiring

Using a reliable assessment that considers more than technical skills to identify the right cybersecurity talent enables recruiters to consider a wider talent pool than might otherwise have been the case. This was the approach taken by Julian Meyrick, head of IBM’s Security Division in Europe, when he turned to veterans to fill talent gaps in cybersecurity:

Even though they may not have done the job before, we knew from our cybersecurity assessments that many veterans would be well suited to the roles we had to fill. We saw people with the right competencies for the role, namely high ethical standards, reliability, and a clear understanding that their role is to protect customers. While they need to learn the specific regulation laws and policies and the ability to interpret them, veterans often bring many other soft skills that we find very difficult to interview for. For example, military professionals are proven self-starters, they tend to be motivated, and they take the initiative.

Looking specifically at operators, which include roles such as threat monitoring analyst, penetration tester, security operations center analyst and cyber operations manager, Meyrick said:

Anybody who has worked in the operations center in a warship, in a military unit, or in an RAF station is going to have a lot of experience in both dealing with incidents and also training to deal with incidents. I think for me, taking veterans and turning them into cyber operators is typically something relatively easy to do. They frequently have many of the soft skills that are essentially difficult to train people for.

IBM has developed a process for evaluating underlying ability in cybersecurity, rather than simply focusing on existing skill.

Their Commercial Cyber Aptitude Test (CCAT), developed in conjunction with government defense organisations, enables you to assess your current employees, as well as external candidates, for latent cyber skills. This approach can drive rapid workforce scale in cybersecurity, reduce hiring costs, and exponentially increase the quality of your cyber hires.

Work Test is proud to be an IBM Business Partner and offers quick and easy access to the IBM CCAT along with a full range of over 1,000 IBM Kenexa Employee Assessments.

We’d love to discuss this solution with you to see how it can benefit your organisation. You can learn more about the Cyber Aptitude Test here, but please feel free to contact us directly to set up a time to connect.
