We've recently posted about the role of HR in the cybersecurity hiring process. As Brendan puts it, HR's role is to mitigate risk from the hiring manager's unconscious (or not) bias and potentially inefficient hiring practices. Hooray!
The other side of that bargain is that you must assess awkward issues in the hiring process. If you don't ask, you -- managers, HR, whoever -- are assuming that those issues are unimportant.
You are making an ASS out of U and ME.
There are two sets of asks: What productivity talent does this person have? and What propensity does this person have to engage in counterproductive work behavior or deviance?
Let's tackle each in turn.
Talent. We write extensively about cybersecurity talent. It specifically involves high performance in any of three main cybersecurity roles -- individual contributor, manager, leader/executive. We have developed with Conchie Associates a proprietary talent assessment for each of these roles.
Many assessment-takers are not used to this process in the world of cybersecurity. But this is the normal course of business for entry into college/university, graduate education, the military, or many occupations. It may feel odd that a test -- but remember (sorry!), an interview is a test -- can assess one's capacity to be successful, but in fact it can, as has been validated in multiple empirical meta-analyses.
Time in role has marginal if any relation to performance. Being more senior or 'having done this job for 20 years' or whatever is, to be blunt, a sign that you know the business and have relationships with others in the business, but not a sign that you are good at the business.
Additionally, the same sorts of tests are related to being a positive contributor at work, or what is referred to as organizational citizenship behavior (OCB). These are people who are willing to volunteer, put in discretionary effort, and support management efforts. Oh and they avoid trouble and deviance.
Empirically speaking, there is no dispute about any of this.
In contrast, resume reviews are empirically unrelated to performance or identification of OCB.
Deviance. We've seen way, way too many Substack and LinkedIn posts over the past few weeks about insider threat, cybersecurity people being the problem, etc. It's been a month of "We said/He said."
They're not wrong.
The alternative to OCB is counterproductive work behavior, or CWB. People who engage in CWB are the ones who aggress against people: take other people's stuff (a.k.a. stealing), take credit for other people's work, gossip, and at extreme ends engage in harassment, bullying, or violence. They may also aggress against the organization: goof off on the job/cyberloaf, falsify expense records or timecards, inappropriately use company equipment, and at extreme ends steal secrets or intellectual property.
That's right, you have to return to the office because of people engaging in CWB.
Empirical research shows that simple pre-employment methods are available for flagging people more likely to engage in CWB: first, you can test them; second, yes really, you can ask them. In one of my favorite new studies, a set of researchers examining applicants for police jobs found that on-the-job deviance was predictable from pre-hire admissions of deviance. While on the one hand this sort of makes sense, the key is that people will tell you that they have engaged in deviant behavior even in situations where one might think they would not.
Let's recap. If you want to know, and why wouldn't you, whether an applicant will be effective in doing cybersecurity work, you can test them using a Pythia Cyber Cybersecurity Talent Stack assessment. If you want to know (why wouldn't you) whether someone will engage in CWB, you need to ask them whether they have engaged in CWB in the past.
Your hold-up is that you ASSUME that people with experience doing this work, or who graduated from the right 'elite' college, or who did a similar job elsewhere are good enough, or that it's...what...rude to ask? But with that attitude you are creating liability. You are creating risk of failure. You are creating risk of aggression against others or the organization.
You may retort that you trust your applicants, that you can't afford to drive away candidates, that you only hire the best of the best, it will take too long, that you have some mystical capacity to read a resume and know the Truth.
Translation: you are saying that you are the donkey.
Ask yourself this. Isn't it better to know, really know and not ASSUME, that your cybersecurity cadre is talented and that you've weeded out people who aggress against others? If not, why not?
What kind of investor wants to buy into an organization that has untalented, possibly aggressive poor performers?
(image credit: RedDonkey, CC0, via Wikimedia Commons)