
Bridging The Cyber Talent Gap: Removing Barriers for Nontraditional Talent

14 July 2022 at 11:22

Charlie Waterhouse is a senior security analyst at Synack.

One major challenge in addressing the cybersecurity talent gap centers on capability. Even when you’ve found a candidate, do they have the right skills for your organization’s tech stack or just the list of certifications from the job description? Many organizations are missing out on talent and talent augmentation because of outdated hiring practices. 

Traditional Hiring Methods Might Screen Out the Best Candidates

If you’re having a hard time finding your next cyber candidate, ask yourself: Are you filtering out the best ones? Many great candidates are screened out by hiring systems for lacking traditional requirements like a four-year degree or a certain level of experience. Sometimes, the listed expectations are not only prohibitively rare, but impossible. I’ve seen job postings ask for five years’ experience in a technology that has only been around for three—and for an entry-level position at that! There are also many job postings asking for an unreasonable 5-10 years of testing and analysis experience for an associate position.

These job description errors have two detrimental effects: First, you discourage quality candidates from applying because they doubt their qualifications are applicable. Second, experienced practitioners may dismiss your company because they view the expectations as unreasonable. 

I have met many individuals with valuable cybersecurity skills who are frustrated at not being able to even land an interview. Priorities should shift to finding a candidate with the right skills, rather than looking for a litany of degrees or certifications. Often, these titles reflect theoretical knowledge but don’t necessarily signal actual hands-on experience or skill. A candidate may lack traditional resume items, but be a driven, passionate security professional who proves to be a star in your organization. 

Education and Investing in Employee Skills

There are plenty of training resources to help individuals start an IT or security career: BUiLT, FedVTE, Love Never Fails and others educate underserved communities. At Synack, we sponsor the Synack Academy, a program to train people for cybersecurity roles and recruit them for full-time roles upon graduation. Synack also actively recruits veterans both internally and for our global Synack Red Team community of top-notch security researchers.

The candidates who benefit from these educational efforts are hungry to advance and excel, putting in hours of their own time to learn new skills. Should you turn these individuals down just because they don’t check boxes like having a four-year degree? I wouldn’t. In my view, the people who graduate from these programs are some of the best you can hire. I would also encourage employers to provide access to training to advance skills of existing employees, an affordable initiative compared to the cost of searching for and hiring new candidates.

I know firsthand how successful a nontraditional candidate can be, as I was a nontraditional hire into security. I spent more than 20 years in the airline industry before coming to Synack as a security analyst. I do not have a degree in cybersecurity or a related field, but I did have an interest and drive to learn. I spent time working on real-life security problems and focused my energy on those scenarios. For example, I worked on Hack the Box to understand network security and exploitation of websites. Today, I am routinely brought into projects or client meetings as a technical expert on securing large enterprise environments. 

Evaluating What Skills Are Needed in Full-Time Roles

Even when a candidate has enticing skills, another dilemma can arise: Is your organization able to use them? Is there enough work to justify filling a full-time role?

Security needs come and go, and sometimes temporary work is a better option than adding a full-time employee. However, managing contractors is time-consuming, and finding them is challenging in its own right. 

Synack is particularly suited to address that challenge through talent augmentation. Researchers in our Synack Red Team can perform security testing on demand. When recruiting for the SRT, we assess each candidate’s skills and vet them carefully. This makes for a community of diverse, highly skilled researchers who can tackle any attack surface. Some have traditional four-year degrees and practitioner experience, while others hail from less traditional backgrounds. But they all have the capability to help secure your organization.

It’s Time To Rethink Your Approach to the Cybersecurity Talent Gap

At the end of the day, there are cyber candidates out there who can help bridge the talent gap. But traditional job descriptions might be prohibitively limiting. There are education initiatives underway aimed at bringing new, passionate people to the workforce, but additional hiring challenges may remain for cyber leaders. Alternative talent augmentation, like that brought by the Synack Red Team, may be the best option. 

The post Bridging The Cyber Talent Gap: Removing Barriers for Nontraditional Talent appeared first on Synack.

How the 1,500+ Synack Red Team Members Solve Your Most Critical Cybersecurity Vulnerabilities

By: Synack
21 June 2022 at 07:00

By Kim Crawley

The Synack Red Team is made up of hundreds of the best pentesters and tech practitioners in the world, hailing from countries across the globe with a variety of skills, who coordinate their efforts to conduct pentesting engagements and other security tests for Synack’s clientele. 

When a large group of ethical hackers work together, they can find more exploits and vulnerabilities than a traditional pentest, which usually consists of two people with two laptops conducting on-site testing over two weeks.

But when you have security researchers working as a collective, they are smarter, more adept and more creative. As cyber threats become increasingly sophisticated, the Synack Red Team (SRT) has the advantage of a diverse and holistic talent pool to take on the challenge. 

Not only does the SRT bring a fresh perspective to pentesting, SRT members also help alleviate the widely felt skills gap in cybersecurity.

>> For an in-depth look at the SRT’s diversity of skills, read our white paper “Solving the Cyber Talent Gap with Diverse Expertise.” 

Whether you’re looking to take your organization’s security testing to the next level or a curious thinker who aspires to have a pentesting career, SRT members gave useful advice and explained how it all works. 

SRT Reduces Noise

Özgür Alp, from Turkey, had a lot of pentesting experience prior to joining the SRT, but working with the growing community of 1,500 security researchers taught him the power of collaboration at scale. 

“When I started at Synack, I had four years of experience as a pentester in a multi-global company,” Alp said. “After joining Synack and working as a full-time SRT member, I see that here we are focusing not only on the theoretical bugs but also trying to find the critical ones that matter and are exploitable within the real world scenarios.”

The gamification of vulnerability finding that happens on the researcher side of the platform means that you get their full attention and focus on finding vulnerabilities that matter. The more critical the vulnerability, the higher the payouts and recognition Synack rewards them with.

“I’m starting to focus on more complex scenarios, since you have time to work for that. For example, I actually learn what a theoretical bug could really mean in terms of business impact,” Alp said.

Applying Prior Cyber Knowledge and Experience 

Emily Liu, like many SRT members, works on the Synack platform part-time. Many SRT members already work in a cybersecurity role and use the opportunity to apply the knowledge they’ve learned from their day job to their Synack role, and vice versa.

“It sharpens my skills by allowing me to practice finding different vulnerabilities on real targets,” Liu said. “The whole process of doing work for SRT has taught me to think more creatively and to be more persistent, because you can find bounties so long as you put in the effort.”

But the work of the SRT can only be done with an “adversarial” perspective, from the outside-in. Büşra Turak explained the difference between being an SRT member and an employee or in-house consultant. 

“It is usually enough to show the existence of a finding in consultancy firms that provide pentest services. But we don’t do that here,” she said. “We show how much we can increase the impact of the finding or we need to show how the vulnerability is exploited.”

Taking the “Red Team” to the Next Level

In terms of bug bounties, red teaming and pentesting, Synack’s formula for vetting, monitoring and developing its SRT members puts them in another class of security researcher. SRT members are good at what they do from the start, and they’re also given immediate feedback for continuous improvement.

SRT member Nikhil Srivastava talked about what working with SRT has taught him.

“Initially, my reports were not up to the mark when I had just got into bug bounties. It was sent back to me multiple times for revision,” he said. “But, with the introduction of the Synack Quality Rule, we had to keep challenging ourselves with each new target launch—not only to find vulnerabilities but also to write a quality report that stands out from reports of other SRT members and is clearly understood by the clients. This helped me in leveling up.”

Whether or not you’re able to get into the weeds of every vulnerability, a Synack report will thoroughly explain the potential exploit.

“I started reporting vulnerabilities that could precisely illustrate the impact even to a non-technical person and could be easily replicated by them,” Srivastava said.

If you’re curious about what it takes to join the Synack Red Team, start your journey here. To better understand how the SRT can solve your struggle with the cyber talent gap, read our latest white paper.

The post How the 1,500+ Synack Red Team Members Solve Your Most Critical Cybersecurity Vulnerabilities appeared first on Synack.

The Synack Platform Expands to Confront the Cyber Skills Gap

12 October 2021 at 11:00

At Synack, we’re truly committed to making the world a safer place. We’re doing that by helping organizations defend themselves against an onslaught of cyberattacks. We’re harnessing the tremendous power of the Synack Red Team, our community of the most skilled and trusted ethical hackers in the world, together with the most advanced security tools available today, to deliver continuous penetration testing (and more) with actionable, prioritized results.

Now, the Synack Platform is expanding to help organizations globally overcome the worldwide cybersecurity talent gap. I am excited to announce the launch of Synack Campaigns to provide on-demand access to the SRT, who will be available 24/7 to execute specific and unique cybersecurity tasks whenever you need them — and deliver results within hours. This new approach to executing targeted security operations tasks will fundamentally change organizations’ approach to cybersecurity by providing on-demand access to this highly skilled community of security researchers.

During my time at Synack, I’ve seen firsthand how the Synack Operations and Customer Success teams creatively engage with the SRT to address a growing range of clients’ security operations tasks, in addition to our traditional vulnerability discovery and penetration testing services. 

Now, we are making these targeted security activities directly available to every organization in the form of Synack Campaigns, available through the new Synack Catalog, also launching today on the Synack Client Platform.

Synack Campaigns Application

The new Synack Catalog, where customers can discover, configure, purchase and launch Synack Campaigns, is available now on the Synack Client Portal. Please speak with your CSM to have this feature enabled for your organization.

I know from speaking to our clients across multiple industries that security teams are struggling to keep pace with the speed of product development. At the same time, they are trying to scale defenses to meet the complexity and magnitude of today’s threats. Our customers describe challenges with their growing backlog of security tasks such as CVE checks and cloud configuration reviews. On top of all of that, there’s the need to implement industry best-practice frameworks such as OWASP and MITRE ATT&CK. Essentially, customer security teams are struggling with demanding workloads and have asked us for assistance in a number of areas:

  • On-demand access to talented Synack Red Team members who are available 24/7 and capable of completing diverse security operations activities across a growing range of assets. 
  • A flexible security solution that can be configured to meet their specific needs in one centralized platform with their existing pentesting insights.
  • A security solution that delivers results quickly (hours and days, not weeks or months) and is aligned with their agile development processes.

Synack Campaigns expands the core capabilities of the Synack Platform, including our trusted community of researchers, an extensive set of workflows, payment services, secure access controls and intelligent skills-based task-routing to provide customers with the ability to execute a growing catalog of cybersecurity operations.

With Synack Campaigns our researchers can augment internal security teams by performing targeted security checks such as:

  • CVE and OWASP Top 10 vulnerability checks
  • Cloud Configuration Checks
  • Compliance Testing (NIST, PCI, GDPR, etc.)
  • ASVS Checks

Synack Campaigns are built to complement our vulnerability management and pentesting services, and help customers achieve long-term security objectives such as application security, M&A due diligence, and vulnerability management.

I’m excited for you to learn more about Synack Campaigns and to hear how you and your teams would like to leverage our on-demand community of researchers to address your organization’s growing operational security needs.

Peter Blanks is Synack’s Chief Product Officer.

The post The Synack Platform Expands to Confront the Cyber Skills Gap appeared first on Synack.
