Truly Exceptional Cybersecurity People
Recently we were alerted by our friend Barry Conchie about a new paper he is in love with. It's a paper by Gilles Gignac, a Professor at the University of Western Australia, entitled "The number of exceptional people: Fewer than 85 per 1 million across key traits." Professor Gignac's modeling shows the following (quoted at length):
Cognitive biases can lead to overestimating the expected prevalence of exceptional multi-talented candidates, leading to potential dissatisfaction in recruitment contexts. This study aims to accurately estimate the odds of finding individuals who excel across multiple correlated dimensions. According to the literature, the three key individual differences variables are intelligence, conscientiousness, and emotional stability. Consequently, data were simulated using a multivariate normal distribution (N = 20 million), where the three variables were standardized (mean of 0 and SD of 1). The correlations were specified as: intelligence with conscientiousness (−0.03), intelligence with emotional stability (0.07), and conscientiousness with emotional stability (0.42). Cases were classified into four categories based on z-scores across the three dimensions: notable (≥ 0.0 SD), remarkable (≥ 1.0 SD), exceptional (≥ 2.0 SD), and profoundly exceptional (≥ 3.0 SD). Approximately 16% of cases were classified as notable, 1% as remarkable, and only 0.0085% met the exceptional criterion of 2 SDs above the mean. Just one case was identified as profoundly exceptional. These findings highlight the rarity of individuals excelling across multiple traits, suggesting a need to recalibrate recruitment expectations. Even moderately above-average individuals on these key dimensions may merit greater recognition due to their scarcity.
What this means is that:
1. Three human attributes are important for work performance: intelligence, conscientiousness, and emotional stability. These are, in order, the capacity to learn and reason, the routine development and pursuit of goals while avoiding bad behavior, and the capacity to remain calm without becoming overly anxious.
2. Because these attributes are somewhat correlated, they can be combined to estimate the prevalence of these attributes at the population level.
3. Professor Gignac's model shows that this combination of performance attributes is found in about 16% of all humans, while 1% of all humans are at combined levels that would classify them as remarkable; less than 0.01% could be referred to as having a combination of characteristics that places them at least 2 standard deviations above the mean of this combination, i.e., that would make them exceptional.
Here are three implications of these findings for a cybersecurity talent acquisition function:
First, what matters is this combination: intelligence, conscientiousness, and emotional stability. These can be measured. They are not certificates. They are not degrees from the right 'elite' universities. They are not years of experience having worked at Big Tech Companies.
Second, finding "exceptional" candidates means you need to look harder. Not all of your "qualified" candidates have this combination. It's more than degrees or experience; it's a rage to learn and extraordinary diligence and teamwork. Being open-minded, curious, and calm helps also.
Third, before you try to hire "exceptional" cybersecurity people, ask yourself whether you can manage them. Be honest: are they better at their job than you are at yours? If not, why not? If so, what is your plan to develop and lead them?
Whatever your opinion about artificial intelligence in cybersecurity, the bottom-line lesson is that you need to improve your cadre of cybersecurity employees. You need exceptional people. That means you need a plan to attract, find, hire, and lead people who are better than the previous applicants you had.
They have to be better at the job you want to hire them for than you are at your job.
In later posts we'll explore more about these exceptional qualities.
Ask us how you can develop your plan to acquire exceptional cybersecurity personnel.
