Heather Crosley

Heather Crosley is NetSPI's VP of People Operations. She manages the overall talent strategy and people operations for the rapidly growing NetSPI team. Prior to her current role, she spent nine years recruiting talent for top IT and pharmaceutical organizations. Heather earned her BBA from the University of Minnesota - Duluth.
More by Heather Crosley

VMblog: The 2022 National Cybersecurity Awareness Month Kicks Off and Tech Experts Weigh In
October 3, 2022

On October 3, NetSPI VP of People Operations Heather Crosley was featured in the VMblog article called The 2022 National Cybersecurity Awareness Month Kicks Off and Tech Experts Weigh In. Read the preview below or view it online.

+++

Every year since 2003, October has been recognized as National Cyber Security Awareness Month (NCSAM). This effort was brought to life through a collaboration between the U.S. Department of Homeland Security and the National Cyber Security Alliance. NCSAM is meant to raise awareness about digital security and empower everyone to protect their personal data from digital forms of crime.

The month is dedicated to creating resources and communications for organizations to talk to their employees and customers about staying safe online.

Now in its 19th year, National Cybersecurity Awareness Month continues to build momentum and impact, and this year, it has an overarching theme for 2022: "It's Easy to Stay Safe Online - See Yourself in Cyber."

Below, several tech experts have analyzed the importance of a robust security strategy, and best practices to better protect their sensitive data from cyberthreats.

Heather Crosley, People Operations Leader at NetSPI

"With over 700K positions that currently need to be filled, the cybersecurity industry is facing a massive shortage of talent as companies are struggling to keep up with an ever increasing number of threats. Technology cannot solve our greatest cybersecurity challenges - at least, not alone. People are our greatest asset in providing security for individuals, organizations, and the nation. Cybersecurity Awareness Month is a great time to reflect on our cybersecurity hiring and education practices - particularly the areas of improvement. These practices are instrumental in addressing the lack of skilled talent in the industry and easing barriers to entry. Organizations that invest heavily in entry-level training programs that offer mentorship, growth opportunities, and hands-on experience in the field will see greater retention rates. Investing in the next generation of cybersecurity professionals provides an advantage over today's sophisticated threats."

You can read the full article at VMblog!

CSO: 10 essential skills and traits of ethical hackers
October 26, 2021

On October 26, 2021, NetSPI Director of People Operations Heather Neumeister was featured in an online article by CSO:

What if you could spend your days trying to gain access to other people's networks and computer systems—and not get in trouble for it? Of course, that's every spy and cybercriminal's dream, but only ethical hackers, also known as white hat hackers or penetration testers, can feel sure that they'll get away with their break-ins. These security pros are hired to probe systems for vulnerabilities, so that their targets can figure out where their security needs beefing up.

...

Ethics. OK, maybe this seems obvious, since the word "ethical" is right there in the job description. But the truth is that a pentester is given a lot of responsibility and power, and it's important to feel sure that they won't abuse it.

Heather Neumeister is director of people operations at NetSPI, which specializes in penetration testing and attack surface management. "Assessing a candidate’s ethics is based on both background and personal assessment," she explains. "When part of the criteria being considered for a new hire is ethics and morals, there is always going to be an element of gut instinct. But it's also important to ask questions around why someone chose to get into pentesting, as you can usually quickly identify a person’s intent during initial conversations. To find people with strong ethics and morals, it can be helpful to look at the activities a candidate does in the greater community. Extracurriculars like non-profit work, public research, and open-source contributions can be useful indicators of a higher ethical standard, as it's often the case that those who choose to positively benefit the security industry without personal gain are those who are truly committed to ethical behavior."

Read the rest of the CSO article here: https://www.csoonline.com/article/3637732/10-essential-skills-and-traits-of-ethical-hackers.html

Retention is Key to Overcoming Today’s Cybersecurity Hiring Challenges
August 24, 2021

The cybersecurity talent shortage has troubled organizations for years. Whether you work for a large enterprise, financial institution, a services firm, or anything in between, it’s likely that you have cybersecurity roles listed on your website today that have yet to be filled. With the reported increase in cybercrime and sophistication of attacks, the demand for cybersecurity talent is at an industry high.

ISACA’s State of Cybersecurity 2020 reports that 62% of IT and security leaders surveyed say their cybersecurity teams are understaffed. Plus, those who took longer to fill cybersecurity positions reported more cyber attacks.

The (ISC)² Cybersecurity Workforce Study 2020 reports nearly identical numbers: 64% of the cybersecurity professionals surveyed reported staff shortages. The study also revealed that the global cybersecurity workforce gap – the difference between the number of skilled professionals that organizations need to protect their critical assets and the actual capacity available to take on this work – was 3.12 million in 2020.

In other words, we’ve got our work cut out for us – and it’s clear that, as an industry, we need to reimagine our hiring efforts to keep pace with the demand. In this blog, we’ll discuss how the events of the past year have reshaped hiring, creative recruitment ideas, hiring challenges, and why employee retention is key. Bonus: NetSPI’s COO shares advice to help narrow the talent gap while essential cybersecurity positions remain unfilled.

The COVID-19 pandemic has reshaped hiring

The COVID-19 pandemic has caused rapid change in the way we work – and the way we hire. Largely, it has given organizations more flexibility to find the best talent. Depending on the position, recruitment efforts are no longer bound by geography, and we have the ability to source the best talent regardless of where they live.

Tsedal Neeley, a professor at Harvard Business School and author of the book Remote Work Revolution: Succeeding From Anywhere, communicates this point perfectly in a recent NPR article: “We have changed. Work has changed. The way we think about time and space has changed. Workers now crave the flexibility given to them in the pandemic — which had previously been unattainable.”

Aligned with this sentiment, it is a job seeker’s market. We’re in the midst of what many are calling “The Great Resignation.” More than ever, employers need to put their best foot forward, offer flexible work options, and understand that work must accommodate life – not the other way around.

7 creative approaches to recruiting

Ask any organization about their primary recruiting channels and the standard answers you will likely receive include popular job sites (LinkedIn, Indeed, etc.), job fairs, and staffing firms. However, there are many creative ways to step outside of those bounds and get creative about where you source your cybersecurity talent. In the name of information sharing, here are seven ways NetSPI has discovered some of its best talent:

  1. GitHub: Are there open source tools that your technical team uses on a regular basis? Look to see who has contributed to those tools for potential candidates.
  2. Twitter: The security community is very active on Twitter. Explore hashtags specific to your organization (#penetrationtesting) or follow along with topical dialogues and threads. Often, you’ll come across a public thread of candidates actively looking for cybersecurity work.
  3. NetSPI University (NetSPI U): NetSPI U is a full-time, paid training program that focuses on pentesting. It’s geared toward entry-level security professionals who want to get started in the space. The result? Qualified technical talent who understand our technologies, processes, and vision. More on this later.
  4. Meetups: Continued engagement with security organizations such as OWASP, DEFCON, and others has been instrumental in growing our network of candidates.
  5. Referral Program: In 2021 alone, we have hired 20 employees as a result of our employee referral program. We trust our employees to recommend the best talent in their network.
  6. Re-Hires: Given the flexibility of remote work, we were able to reengage with many past NetSPI employees who had moved to places without a NetSPI office location.
  7. Investing in Internal Recruiters: While staffing firms are certainly helpful, we believe that investing in internal recruitment resources produces the best results. Because we’re boots-on-the-ground at NetSPI each day, we understand the organization’s standards and know exactly what to look for, from technical skills to culture fit.

Cybersecurity hiring challenges

The fact that the cybersecurity industry has a 0% unemployment rate could be seen as the industry’s greatest challenge, but it’s also an opportunity: an opportunity for employers to recognize that the hiring process is a two-way street. Just as employees need to communicate why they would be the best fit for a given position, employers must effectively communicate their strengths and perks, and get competitive about what they have to offer. Ultimately, it’s increasing the urgency for organizations to create a positive candidate experience for applicants.

Another major challenge specific to cybersecurity is the high level of standards that are set for technical security professionals. There is little room for error in this industry as one mistake could result in a detrimental outcome. We take pride in the high-quality work every NetSPI team member produces and it’s important – and an ongoing challenge – to find technical talent that is in alignment.

The security industry has countless disciplines. Cloud security, application security, network security, the list goes on – not to mention the subcategories within each discipline: AWS, mobile apps, IoT, etc. There are many different areas of security that people can specialize in, but we’ve noticed a lack of candidates with a strong focus in a niche area. While there are benefits to having a well-rounded candidate, it is particularly difficult to hire for a specific cybersecurity need today.

Finally, the barrier to entry is very high in the security industry. Often, the requirements on job descriptions are too stringent to open the door to new candidates who have a passion for cybersecurity but perhaps do not have a traditional security background or education. That’s why we developed and continue to invest in NetSPI U, our training program for entry-level penetration testers. It features hands-on labs and opportunities to shadow some of the most brilliant minds in security. It gives entry-level security professionals the foundation to jump-start their careers.

Learn more about NetSPI U and apply for our next NetSPI U class online here.

Employee retention should be the priority

Above all, investing in the growth of your existing team and retaining top talent is key to closing the talent gap. If you invest in your current workforce, people will be more apt to want to join your team.

Employee retention remains a priority for NetSPI, which is why we achieved an industry-high retention rate of 92% in 2020. Pulling from our 2021 Top Workplaces survey results, here are the top five reasons people stay with us.

  • Collaboration: Collaboration is one of NetSPI’s brand pillars. One quote from the Top Workplaces survey summarizes this well: “The people I work with are dedicated to making sure everyone succeeds to the best of their ability – and enjoys working along the way!” 
  • Fun: We take pride in the relationships our employees have with one another. The ability to create an environment where employees enjoy their work is essential to the success of our organization.
  • Talent: The caliber of people our employees get to learn from and work with is a huge draw for NetSPI. Top talent attracts top talent.
  • Growth: We don’t give our employees a ceiling for growth. We cross-train and hire from within when possible. We believe in promoting people who can do the job, and do not base growth on years of experience. An indicative quote from the Top Workplaces survey: “Career growth is always visible and in reach.”
  • Innovation: Something we do well is creating technologies that solve common problems not only for our clients, but also for our services team. The more we can automate redundant, time-consuming tasks, the more time our consultants can focus on finding the vulnerabilities that tools cannot.

Beyond hiring: 3 alternative actions that can help narrow the cybersecurity talent gap

It is important to note that today’s cybersecurity talent ‘crisis’ does not have an overnight solution. However, there are some things organizations can do in the interim to address the growing demand for talent today. We spoke with NetSPI Chief Operating Officer (COO) Charles Horton to learn what steps organizations can take to narrow the gap. Here’s what he had to say:

Automation is a critical tool for narrowing the cybersecurity talent gap. Without automating the more tedious, administrative tasks, security practitioners will not have time to focus on the strategic work at hand – or professional development activities. Keeping talent focused on the more creative, strategic work they enjoy and allowing tools to do the administrative work will keep teams engaged. Also, automation helps keep the team interested in their work and gives them opportunities to build their skills as they support key security initiatives. 

Cybersecurity leaders continue to be challenged by filling roles that require candidates with mid- to senior-level experience – and entry-level job openings continue to be in high demand. Companies will need to do more with fewer people. This can be accomplished through the adoption of program-level or ‘as a service’ partnerships with third parties that can provide dedicated support and capacity to keep key security initiatives running as an extension of the internal security team. This allows security teams to be agile and flexible with their talent as needs arise.

Companies that can think outside of the box can take a creative approach to narrowing the cybersecurity talent gap. This would require building training programs that could be delivered internally, through external partners, or a blend, in combination with targeting candidates that may not have an exact match from a skills perspective but have a core set of skills that could be leveraged to accelerate training. These hiring and training tactics could yield a skilled workforce in cybersecurity where opportunities were not initially visible. 

If there’s one thing we love most about the cybersecurity industry, it’s the willingness to share big ideas and new concepts with one another. If you have recommendations for closing the talent gap or are curious about a career at NetSPI, reach out to jobs@netspi.com.

Love Where You Work – NetSPI is Hiring!