"Word of mouth for infosec professionals about the quality of their work is the biggest business card they can possibly have."
A CV isn't everything
When LinkedIn hires, the business wants to tap the widest possible talent pool, according to Scott. And so instead of harvesting endless CVs and cover letters, the company tried something different - setting a sample test.
"It's a small one- or two-hour piece of work that's very similar to the actual things we'd need them to do: testing a network, decompiling and recompiling an application to find a bug," Scott explained.
"We didn't review their resume. We didn't necessarily look at their job experience. We just saw they had the chops to make it happen.
"Try it without doing resume screens with a good challenge you've written and watch the results. We've done that within our own assessment team at LinkedIn, and gotten very strong candidates we were able to bring in and have produce results immediately."
Mentor your team!
The average infosec position lasts approximately 3.1 years, not far from the industry averages in engineering or operations, in either the tech or financial sector. That average hides a split, however: senior management sticks around longer, while those in lower or entry-level positions leave far sooner.
"When you think about your strategy for retaining talent, you've got to address these folks and find a path for them before they leave your organisation," Scott said. That means engaging people in "high burnout" positions: everything from the right training to guidance on a career path, and especially giving them ownership of their work.
"I had an engineer who was very interested in specialising in mobile security," Scott explained. "We didn't have the strongest practice in that at the time. He got to build that up, and then from there he knew he wanted to work in a mobile-only company after that - so we actually talked about how he was going to build up that practice, get the public visibility that he needed, and then go and find the next job. Now he's a director of security at another firm."
Balance internal and external demand
Think of internal demand as the security team's own projects, the ones that won't really leave the room - things that would not get secured unless the team itself specified them. External demand comes from outside the team: someone from another department engaging security because procedural policy requires it, or to have the security of a new feature tested.
"You want to balance this, ideally, 50-50," Scott said. "If you exclusively focus on internal demand, you're either an inquisitor or sitting in an ivory tower. If you're too far on external demand all you are is a service bureau, not bringing your own critical judgment to strategy as a whole. So it's really important to keep that balance, especially when you have so many things you need to do."