September 20, 2022

Recruiting Talent for Cybersecurity’s Next Open Position with Renee Small

by Hacker Valley Studio

Show Notes

Renee Small, Cybersecurity Super Recruiter, content creator, and host of the Breaking into Cybersecurity podcast, joins the Hacker Valley team to clear the misconceptions around recruiting and discuss cybersecurity’s open positions. Taking labor shortages and skills gaps into consideration, Renee explains how she’s helped others start strong in the industry and hone their skills. Additionally, Renee covers her journey into content creation and podcasting, and how that’s impacted her recruiting work. 

 

Timecoded Guide:

[00:00] Understanding a recruiter’s role in big and small cybersecurity orgs

[06:37] Diving into content creation with the Breaking into Cybersecurity podcast

[12:13] Challenges and rewards of helping entry level cybersecurity professionals

[16:02] Rewarding cyber recruitment stories and tech mentorship opportunities

[22:39] Advising job seekers looking for entry level positions in cybersecurity

 

Sponsor Links:

Thank you to our sponsors Axonius and Uptycs for bringing this episode to life!

The Axonius solution correlates asset data from existing solutions to provide an always up-to-date inventory, uncover gaps, and automate action — giving IT and security teams the confidence to control complexity. Learn more at axonius.com/hackervalley

With Uptycs, modern defenders can prioritize, investigate and respond to threats across the entire attack surface—all from a common solution: uptycs.com.

 

What is the role of a recruiter in cybersecurity? 

Renee knows the idea of a recruiter can be a confusing one, and the role of a recruiter can be radically different depending on the size of an organization or the type of recruitment they focus on. Overall, however, Renee believes that the role of a recruiter is to be a matchmaker for a position within a company. Cybersecurity recruiters have to understand the technical needs of a position and the cultural needs of a cybersecurity company to find the perfect practitioner fit.

“The role really is to be like a matchmaker. You’re seeing who out there is a great fit for which roles, which companies, and which culture, or which company culture, and that's what makes it, for me, a lot of fun.”

 

How has being a content creator impacted your work as a recruiter? 

Although Renee doesn’t always identify as a content creator, her work with Chris Foulon on the Breaking into Cybersecurity podcast speaks volumes about the type of creator she really is. Renee always focuses on giving back with the work she produces, whether that work involves career coaching, recruitment advice, or cybersecurity education. Becoming a podcaster and content creator has allowed Renee to answer questions and provide information that helps the entire online cyber community. 

“I experienced all the positions that were open as a recruiter, but I had no idea that there was this group of folks who were entry level, or transitioning into their first cybersecurity position, and they needed my help [in order to break into cyber].”

 

What are some of the most fulfilling moments that a recruiter can have? 

Being a recruiter gives Renee the opportunity to help cybersecurity practitioners discover their dream job and navigate the industry intelligently. Her fulfilling moments actually center around those she’s helped along the way, including a former mentee and a former helpdesk employee looking for upward mobility. Finding the perfect match isn’t just about satisfying the company needs, Renee explains, but is also about connecting someone to an opportunity for success and growth.

“I get a kick out of people getting a job, it's almost like a little high for me. Every time I'm the person who connects people and it works out and they get paid well, I have a little party in my head. It's just so rewarding. I love that matchmaking process so much.”

 

What advice do you have for professionals struggling with their job search in the cybersecurity industry? 

Cybersecurity’s labor shortage and staff burnout issues threaten even the most air-tight of security teams. Unfortunately, Renee explains that even with so many job openings, entry-level employees or professionals transitioning industries still can’t break into cyber. Her best advice for those struggling to take the first step is to connect with successful practitioners in the field already through nonprofit organizations and network events. Focus on a network that will expand your knowledge of cyber and the state of the industry.

“If you're a college student, if you are someone out there looking to understand what's happening in the field, join one of the myriad of cybersecurity nonprofit organizations and learn about what security really is.”

---------------

Links:

Keep up with Renee Small on LinkedIn 

Listen to Renee’s podcast Breaking into Cybersecurity

Connect with Ron Eddings on LinkedIn and Twitter

Connect with Chris Cochran on LinkedIn and Twitter

Purchase a HVS t-shirt at our shop

Continue the conversation by joining our Discord

Check out Hacker Valley Media and Hacker Valley Studio



Transcript

Hacker Valley Studio 00:07
Who says tech can't be human?
Renee 00:10
But if you're a college student, if you are someone just out there, you're looking to understand what's happening in the field, join one of the myriads of cybersecurity nonprofit organizations and learn about what security really is.
Hacker Valley Studio 00:30
Welcome to the Hacker Valley Studio podcast.
Axonius Ad 00:37
Hey, everyone, it's me, Simone Biles. You might be wondering why you're hearing my voice on a cybersecurity podcast ad. Well, it's because I'm partnering with Axonius. Whether you're a gymnast, like me, or an IT, or Security Pro, complexity is inevitable. I've learned that the key to success is focusing on what you can control. Go check out my video at Axonius.com/Simone.
Chris 01:16
What's going on, everybody? You're in the Hacker Valley Studio with your hosts, Ron and Chris.
Ron 01:21
Yes, sir.
Chris 01:21
Welcome back to the show.
Ron 01:24
Glad to be back again, and this time with a guest that we probably should have had on a year or two years ago, but we have them here today. Our guest this episode is Renee Small. Renee is a cybersecurity super recruiter, talent and acquisition recruitment expert. She's also an author who has authored two books, one, Magnetic Hiring, and also recently, Develop Your Cybersecurity Path: How to Break into Cybersecurity at Any Level. Renee, always a pleasure to speak to you and welcome to the podcast.
Renee 02:01
Hi, I am so excited to finally be here with you two. We must break LinkedIn.
Chris 02:13
I know, we did a lot of things together. We made some content, we broke LinkedIn, you've done a lot, right? You're recruiter extraordinaire, author, content creator, but let's jump right into it, right? Because one of the big things in cybersecurity is recruitment. What is the role of a recruiter from your perspective?
Renee 02:32
So, there are different recruiters and the roles are different depending on the type of recruiter that a person is. So, I used to work in a corporation, and most of the corporations that I worked in were—Most of them were Fortune 100. And in those organizations, recruiters are a part of a huge HR organization and they are there to do talent acquisition, sometimes internal movement, or what's called internal mobility. Sometimes, they are there to focus on early career talent. So, going to universities, colleges, and helping recruit, and that's usually university recruiting. Sometimes, it is experience-hire recruiting, meaning recruiting folks who are experienced, just what it says, more than a couple years, so straight out of college, but people who are moving around. And then, there's executive level recruiting, and the purpose of the recruiter in that organization is to find talent and bring talent specifically to that org. And then, in smaller companies, it's somewhat similar, maybe not as many resources, but sometimes, that one recruiter is doing everything. They're the university person, they're the mid-career, they're the executive recruiter, they may be doing a few different things. Then, there's a level of recruitment, which is what I'm in now, which is agency recruiting. When you're an agency recruiter, you're more like a headhunter. And so, you're looking for talent for potentially multiple different clients. So, instead of being one person that's inside of one organization, you and your team are working with multiple organizations and trying to bring talent into one or many of those various organizations. So, the role really is to be, I call it like, a matchmaker. So, seeing who out there is a great fit for which roles, which companies, and which culture, or which company culture, and that's what makes it, for me, a lot of fun.
Ron 04:40
So, you also have your own company, and I know that you help many different people find the right talent. Sometimes, I think that word is almost misconstrued, or misunderstood, talent in cybersecurity. What exactly is that? I feel like there's talent from a technology perspective, there's a talent from maybe a communication perspective. But when you hear cybersecurity talent, how would you explain that to a new customer or someone that just doesn't know how to hire yet?
Renee 05:10
So, the way I look at it is, and it goes back to the matchmaking piece. You have a person bring multiple talents, skills, abilities, so many things with them. And when you're looking at cybersecurity and building cybersecurity teams, many leaders have in their mind, "Okay, this is what an ideal team for me looks like. These are the different skill sets I need, these are the problems I'm trying to solve. And these are the types of people"— When I say people, meaning the types of skill sets— "that I would need to bring into my organization to make it run really effectively and efficiently, and to solve the specific problems that I have." So, when it comes to thinking about talent as a whole, it's really, specifically in the cybersecurity space, it's what skills. When I say skills, I mean, the technical skills, which we always talk about the certifications, all of that. And then, what people are saying soft skills, or essential skills, I forget what other ways they're describing that, that we can bring together, people that have a combination of these various skills that are the right fit for a role. That's where talent comes to play. I think that's the best way to describe it.
Chris 06:37
No, I think that's great. When you think about the personas, you think about the entire person, because it's not just, "Oh, I do threat hunting," or, "Oh, I do vulnerability management." It's really an amalgamation of someone's experiences, everything that they've done. We got to talk a little bit about what you have done, because one thing you are is a recruiter extraordinaire, but you also create content, right? You were one of the original people creating content, you were creating content even before Ron and I were creating content, at least for Hacker Valley. What has that particular journey been like? How has that changed the way you recruit folks? How has it changed the way you guide people? What has been some of the impact that has occurred in your life?
Renee 07:20
I never look at myself as a content creator, which is interesting, because so many people now look at me as a content creator. Chris and I, we fell into this truly by accident. I was trying to build my speaking skills, and got some advice from a coach who said, "Ask yourself these questions, or put some things out there, and see what questions they want answered, and answer those questions." And so, I started asking the community, "What would you like to learn?" And they told me, and they shared. I was very specific about in the non-technical arena. What would you like to learn from my expertise? Being in HR, being a recruiter, those sorts of things. I continuously heard from people saying they were struggling to break into cybersecurity, which was mind boggling to me because I had heard about all the positions that were open. I experienced all the positions that were open as a recruiter, and had no idea that there was this group of folks who were early career, entry level, or transitioning into their first cybersecurity position and they needed help. And so, it was purely by accident. I put the question out there, they responded, I connected with Chris Foulon, and then the two of us started to answer those questions and bring people on.
Renee 08:48
We really wanted to have people come on who were going through the process at the time. So, we always think about people giving advice and there was some very well-intentioned bad advice that people were getting, specifically because you think about how if I'm a technologist, or I come from like a sys-admin background, my trajectory was, I was helpdesk, I was a desktop engineer, I eventually became a sys-admin, and then from the sys-admin role, then I was able to segue into security. Then, you're going to tell this other person who's brand new to the field the same thing. "Oh, you have to go to the helpdesk, you have to go to desktop, you have to move up these ladders and do all of these various things to get to security." And these people were just feeling dejected. And so, we wanted to hear from folks who were actually had done it. So, if you had been in security under five years, how did you break in? What did you do? And that's how this whole thing got started in terms of content.
Renee 09:51
And then, it's evolved. So, we initially started with Breaking into Cyber, we focused only on people who had under five years cyber experience because we wanted to hear directly from the proverbial, air quoting, wanting to hear from the horse's mouth in terms of what specifically they had done to break into the industry. And then, it evolved to bringing leaders on, and other folks who were more seasoned to talk about other areas of talent and security, and other recommendations of how people should break into security. It's been a phenomenal experience in so many different ways. Number one, I've just grown my network to, I don't know how many 10s of 1000s of people at this point, and more. I've just learned so much, every single person that comes on the podcast and the live stream, we learn so much from them, every single guest. It doesn't matter if they have a blip of experience, like they just broke into security three months ago, or if they're super seasoned. I think that's because to your point, I think, Chris, everyone brings a different perspective. So, even if you have various CISOs, they're still CISOs of large organizations, CISOs of small organizations, the different types of industries that they're in, different challenges that they're facing, the different ways their companies bring in talent. You have CISOs that can bring in more entry level talent in bigger orgs, you have CISOs that can't bring in a ton in smaller orgs. There's just all of these nuances and pieces to the puzzle, and people come from different backgrounds. I love the diversity in terms of not only ethnicity, gender, and a little bit of neurodiversity, but also diversity of thought and diversity of just their upbringing. So, you'll have two people who may look on the surface the same, let's say two African American men, who are about the same age, who work in the same orgs, or whatever, but their backgrounds are different. One grew up being in the silver spoon, the other one grew up in a different environment, or overseas, or something like that. And so, they have these different perspectives, that I think is just amazing and I've learned so much from the community by being a content creator. I guess I'll call myself content creator.
Ron 12:13
There we go. I really love what you and Chris Foulon are doing because you almost get to tackle the problem from a few different angles. You get to tackle the problem from: What are some of the technical bits and bytes that I need to know? I feel like Chris is really skillful and talented there. And then, you get to bring in the real world application of it. How do you articulate the fact that you know these ideas? How do you articulate the fact that you're valuable? How do you get in front of the right people? And I love the fact that you co-authored the book with Gary Hayslip, because he is a sensational Chief Security Officer that always has a fresh perspective, too. So, you get to really melt all these things together, and then give it to so many people on your podcast, on your LinkedIn lives. I'm sure that feels great, but when you look at being this content creator, what are some of the elements that you love most about it? And also, what are some of those elements that you find somewhat difficult?
Renee 13:13
I guess I'll start with the difficult part, booking the guests. That's always a challenge, because people are living lives and I am, too. I have three kids that I'm hoping don't come down these stairs. We're in an industry where there's something happening all the time, so you have so many moving parts. So, a person will say yes, they can come on, and then they can't. So, pivoting when it comes to that. I guess another difficulty is kind of trying to keep it fresh, even though I'm learning something new, we want to make sure that our audience is picking up something new every time and trying to not have constant similar stories or similar discussions happening every week. The counter to that is we encourage questions and interaction and feedback. And so, we tried to keep it as open as possible. We'll kick off with a topic, but we definitely want to hear more from the audience as to what they're looking for.
Because our podcast is called Breaking into Cybersecurity, we tend to get a lot of people who want to learn about how to break in. We're almost like the college professor that teaches the same thing over and over, or any kind of trainer. You're both trainers, so you get it. You know, you teach the same thing over and over again. The things that I enjoy the most are meeting people, because that's just who I am. If you ask my mom, she's like, "Oh, she made friends from day one." You know, I'm always making a friend, always talking to somebody. I just love the nuances of people's lives, and meeting new people is always interesting. They will be talking about something that I think, to most people, will seem like it's not a big deal, and I will just dig into this one little thing. It's just fascinating. People's lives are just so fascinating. So, learning about people and outside of the whole technical component and the job component, that part of it is very, very enjoyable. It's like reading a new book every time I do a live stream or come on with content.
Uptycs Ad 15:23
The complexity of cloud infrastructure means every organization's security challenges are unique. Whether your challenge is threat hunting, policy management, cloud workload protection, or all of the above, Uptycs helps you quickly identify and eliminate observability gaps in your security program. That's Uptycs, analytics for the modern attack surface, observability for the modern defender. Check out Uptycs by visiting Uptycs.com. Thank you, Uptycs, for sponsoring this episode.
Chris 16:02
I'm sure, throughout your entire career, you've had a bundle of great experiences and stories, but let's say there was someone that was looking to get into recruitment, what are some of the most fulfilling moments that a recruiter can have? Is there that one story that stands out to you as like, "I did that," or "I helped make something happen?" Is there something that really pops off at the top of your head?
Renee 16:26
Yeah, I had one person, I was working at one of these financial services companies, most of the companies I've worked at internally was financial services. There was a person who was trying to apply, he was on the helpdesk, and he kept trying to get out of the helpdesk. This is, as an internal recruiter— In some companies, one recruiter will handle internal applicants and external applicants. And in some companies, you have someone who's dedicated to just internal mobility. So, in my case, I was working on roles an internal person could apply and external people could apply, and this one person kept applying over and over and over again. He got rejected so often. I sat with them and we were in the offices at the time, and I asked him what he was looking for and ideally, what kind of role did he want, because I think he was at the point, he was just trying to get out of the helpdesk, getting anything, anything out of helpdesk. And so, I helped him and coached him, and then did a little bit of persuasion on the other side. So, when hiring managers would say, "I don't know about this person," I'm like, "Nah, I think you should give him a shot, and these are the reasons why." And so, eventually, he did get a role. I want to say it took maybe six months or so of interviewing. I mean, you would think that this person got a million dollars, he was just so excited. He bought me flowers, he gave me chocolate cake, but it was so rewarding to help move this person and again, getting off that helpdesk was just like, he's like, "I needed to." You know, he wants to progress in his career, and so, that was very rewarding. That happened 10 years ago, 11 years ago. So, that's one scenario. And then, I have my mentee, I talk about him all the time. I met him probably 12 or 13 years ago, giving a career talk. So, prior to getting into security, I was doing some career coaching with MBA students, and met him giving an MBA talk. I think it was Black MBA in New York, met him giving an MBA talk, and I just loved his energy. He's just one of these awesome people. His energy is so positive. He's so upbeat, so outgoing, and he was looking for an internship. And so, I helped him find his first internship. Did y'all meet Dr. Dan? Dr. Dan Schafer.
Chris 19:04
We watched a few of the episodes, yeah.
Renee 19:07
So, that's Dan Schafer, and I'd gotten him his first internship. And then, when he was applying to his first full-time, out of grad school, role, I helped him and coached him with interviewing strategies, and things like that to get in his first role. He soared. I mean, this guy, I told him, "You're mentoring me now. I'm done. I can go relax." He is the quintessential mentee. I mean, he's amazing and seeing how far he's come in 10 years and where he is, or 10 plus years, it's probably 15 years now, where he is now. He's just phenomenal. He's doing amazing, amazing work. Those two, in different aspects of my career, have been so rewarding, because I get a kick out of people getting a job, it's almost like a little high for me. So, every time I'm the person who connects to people, and it works out and they get paid well, and they do well, it's a little party. I have a little party in my head, sometimes out of my head, sometimes it's some champagne. It's just so rewarding. I love that matchmaking process so much, but those two stand out the most.
Ron 20:22
What do you think are some of the elements that people don't know about breaking their way into cybersecurity, or even working in cybersecurity? I would imagine, I can only speak for myself, but I would imagine for some, there's this constant learning element, where if you join this industry, you get to learn all the time, but I don't think that's really advertised too much. What are some of the unadvertised elements of this industry that you think is worth talking about and telling others on your content, or things that you would like others to know about it?
Renee 20:52
I think you make such a good point, Ron, that is one of the areas, the constant learning. People may not know that, and that could be a positive and a negative, right? Because if people feel like, "I am not the type person that can just jump in something and learn it, or they give me a book." There's maybe not as much books nowadays. But say, "Hey, go research this, go figure this out." And if you're not that type of person that has to be constantly doing that, this may not be the right field for you or fit for you. But that is an area that I think folks don't talk about it as much as some of the other things. I think that people from the outside looking in, they think security is one thing, and immediately, due to the media and everything else, it's just hacking, coding, they just think it's just one narrow field. Whereas I say all the time, it's like the medical field, you can be anything. You don't have to be a dentist or a doctor, that's not every job. Every job isn't that one thing. And then, even within those jobs, there's a multitude of different variations of those roles. I think that security, it would be great to kind of show what a person in security is doing, in comparison to another job. So, maybe relate it to something else. I think if we had more of that, then people who are just interested in getting into the industry would say, "Oh, this is similar to firefighting, this is similar to incident response," and security might be similar to triage in a medical field, in a hospital. You know, like these various things where you're relating it to something that they may already know, I think that we haven't really done a great job of doing that.
Chris 22:39
So, with all the experience that you've had, we talked about, is there a skills gap? Is there not a skills gap? People are looking for jobs. Obviously, there's a mismatch that happens, sometimes with the recruiter, or sometimes the internal recruiters for organizations, they're really just trying to fill many roles, not just the role in cybersecurity. So, sometimes, they get a bad rap. There's someone listening right now, and they're frustrated. They're either frustrated, because they're trying to break into cybersecurity and they're having a hard time doing it. Or, they're trying to go to that next role, they're trying to get that promotion up to that next level, or maybe they're just trying to change things altogether. What is that piece of advice that you would have for the people that are looking for the jobs, that are looking to take that next step on their journey?
Renee 23:25
I know there's a lot of frustration out there right now, especially with folks trying to break in. I mean, I get LinkedIn messages daily, where people have said, "I've been trying, I've applied to hundreds of jobs." The first piece of advice that I would tell them to do is listen to the Breaking into Cybersecurity podcast. But the second one I would tell them to do is to pick one of the cybersecurity organizations, the nonprofit organizations, and join it and connect with people who are already in the field. I think that's one of the easier ways to do it, because I know some people have a challenge when it comes when we say networking, folks don't fully understand what that means. Trying to make friends on LinkedIn could be kind of weird if you're brand spanking new and you don't know anybody, but if you're a college student, if you are someone just out there, you're looking to understand what's happening in the field, join one of the myriad of cybersecurity nonprofit organizations and learn about what security really is. I think that's a good place to start to understand really what security is because I think, from the outside looking in, I mean, I was a person doing recruiting from the outside looking in, super confused, I had no idea what any of this meant. So, I think that's probably the easiest first step for most people is to do that. That would be my biggest piece of advice and do not give up. Until you start speaking to multiple people in security, that are actually in various jobs, don't only go to a bunch of GRC folks and ask them and not ask architects, getting into one of those organizations, I think, is the best way to kind of diversify your network of cybersecurity professionals, so you start to kind of understand what these roles are, and the people who are doing those roles, how they feel about doing the roles, the pros and cons of various roles, and seeing where you as an individual would be able to fit in. That would be my piece of advice.
Chris 25:39
Love it. Do your research, talk to people, really get a lay of the land, and keep moving forward. Renee, this is absolutely a treat for us to have a conversation with you on the podcast, long time overdue. But for the folks out there that want to stay up to date with you, the content that you're creating, and everything that you're contributing to this world of cybersecurity, what are the best ways for people to do that?
Renee 26:01
Easiest way is to just connect with me on LinkedIn. That's where I am most of the time, more than any other platforms. I am on other platforms, but I don't check them nearly as much as LinkedIn. So, LinkedIn. I'm Renee Brown Small on LinkedIn. If you Google me, I pop up pretty quickly, Renee Small cybersecurity, that's what my 10-year-old son told me. So, here I am, but definitely connect with me on LinkedIn. And if you have questions, if you want to break in, if I can't help I point people in all different directions and I'm happy to continue to do so and hopefully grow more talent in this industry.
Ron 26:40
I love it. I would highly recommend everyone to check out Renee, watch some of her content, whether it be the podcast or the live stream or the book. Renee, always a pleasure. And with that, we'll see everyone next time.
Chris 26:58
If you found value in this content, it would mean the world to us if you shared it on social media, sent it to a friend, or talked about it over coffee.
