Keys for Recruiting Top Talent

Hear insights from security leaders at Just Eat

Trying to recruit talent and build a security team may feel like spotting unicorns these days.

But finding — and keeping — top talent can be achieved if you cast a wide net, find individuals with copious curiosity and aptitude, and build a culture where it’s safe to fail.

I sat down with Neal Potter, head of security operations, and Richard Fawcett, lead security operations engineer, from Just Eat Takeaway. During our conversation, we discussed the challenges of hiring security practitioners who have technical skills, as well as the need to build a team that's multidisciplinary rather than overly specialized.

But it doesn't stop at hiring. How do you retain and empower standout individuals on your team to do their best work without suffering burnout? Tune in to our conversation with Neal and Richard to learn from their insights.

Note: This is an auto-generated transcript, which may contain errors.

Shaun Cooney: Hello and welcome to Splunk Perspectives, an executive podcast for leaders by leaders. Today I'm excited to be joined by Just Eat Takeaway. We have Richard and Neal and we're going to be talking about the topic of recruiting technical people. So thank you for joining us today. Maybe you could do a quick introduction. Tell us a bit about yourselves and your roles.

Neal Potter: Hi, I'm Neal. I'm the head of Security Operations and I've been just for about three and a half years now. Before that I was doing data engineering consultancy and I was in the Royal Navy at one point as an intelligence analyst.

Richard Fawcett: I am Richard, so I'm the lead security operations engineer at Just Eat Takeaway. And I've been there for just over a year, but my previous experience was working in the UK government where I've covered engineering, technical analysis, data science. So like yourself and previous to that I was in the army doing analysis and intelligence.

Shaun: So interesting backgrounds and certainly an interesting set of roles that you're in at the moment for a very interesting company and industry. What are the typical types of challenges that you face in your industry?

Richard: So one of the interesting things from my point of view of being in a security team as we fundamentally work in an industry that's based off of making transactions. So it's one of those kind of places where we have to keep up with the pace of cyberattacks. Basically in their own microtransaction fraud, personal details.

We had an awful lot of those. Turns out when you organize a courier, you kind of want to deliver at your house. So the platform allows you to address your name, your phone number. So we need to make sure all of that is appropriately protected.

Neal: I find that the things that we were asked to do need a very wide range of skills as well. You know, Rich is perfect for this with his extremely wide skill set, but finding people that have skills in everything you want, they're almost like those magical cyber unicorns, and you're probably not going to find those kind of people.

Richard: And our business is pretty varied. One of the things at least about the organization that we work for, this is a great big organization that its business model is operating on a number of individual brands across the world, and that creates quite a diverse platform. Stop conducting cyber attacks for, but also creates a nuance in an architecture that means you to be honest, we can't tackle our problem with skills that are a team of unicorns. We need a multidisciplinary team with people from various backgrounds to be able to cover the kind of stuff that we have.

Neal: You have to be able to come up with a plan in the moment as well. You can't preplan for everything. People who are adaptable and are able to think on their feet because we get so many different chaotic, almost problems that arise on our lap week to week. You need to be adaptable and able to think quickly.

Shaun: So it's a really tough market at the moment to recruit technical people, let alone people that can think on their feet. And all of the things that you just attributes that you've just mentioned. And you're, I guess, a very technical role that you're trying to recruit for and you're in your organization for your specific security in particular. So how have you gone about doing that?

Neal: One of the most important things you need to do to begin with is to cast your net as wide as you can. And there's a whole raft of things you can do to achieve that. First one it's worth mentioning is if you're tying your recruiting to a specific location, your net can only catch as much as the recruiting pool for that area. So if you're able to choose a remote hiring stance and if you can't do that, hire in as many physical locations as you possibly can, just so you've got the largest number of people to hire from.

Richard: The other thing is be realistic with your expectation of those people adding an awful lot of roles that have say things like I need ten years experience for a thing that's only five years old. It's not helpful. That's one of the things to avoid if possible and a big chunk of avoiding that actually becomes being by having a productive discussion with your recruitment teams.

So it tends to be that most of us use recruitment services, managers, all that kind of stuff. And it's very rare that they're actually specialist security recruiters. So be careful we don't presume things, you know, you need to go and equip those people to be able to cast that net red flag what's are reasonable amount of experience. And that's based off of my idea of reasonable.

You know, you need to be able to have someone else to be able to assess that with some specifics. And the temptation is to shy away from it because it takes time, but it's definitely worth it in the long run.

Neal: Worth putting the investment in to start with. Yeah, I think quantifiable.

Richard: Yeah. Specifics. And the other thing about being fair is you need to think about a minimum criteria rather than a maximum criteria. You'll find that you get more people in through the door. If you actually put what the kind of minimums are that you require and you're fair and you use accessible language where possible as well. Because the big thing about it is we need a multidisciplinary team.

And that also means that just from a point of view of how much analysis we do, we need multiple personalities. We need multiple brains who think different thoughts. So the recruitment process has to be open and accessible and in order to be able to invite those people to make it the best place for thinking.

That magical Venn diagram of geek plus investigator slash analyst slash some social skills to be able to deal with it, understand it. And then I want this one.

Shaun: Absolutely. Somewhere in the middle. So what are the typical challenges you face up from the ones you've mentioned so far?

Richard: One of them is good candidates don't always come from predictable places. It's actually something I've been struck with working in the Army and the civil service as well. That some of the most technically qualified people I've worked with for incident response and analysis have come from the most unlikely of backgrounds. The best developer I've ever worked with had a degree in history, you know, that kind of stuff.

So you need to be careful with that. That's not to poo poo someone's experience. You know, if someone's got a Ph.D. in computer science, like, I'm sorry, that is worth it. It's worth the effort and stuff for that. But it might be that person isn't so good with incident response. So you need to give some people who have got different levels of experience with different sources of experience a fair go as well.

Shaun: So qualifications versus experience versus maybe way of thinking, you need a blend of all of them together. In a previous role, I'm saying to you just earlier today, right, we were recruiting in a very tough market for a very tough organization. And we were looking for curiosity, aptitude and passion. If you could prove that, you could demonstrate them three things, I would take the risk.

I would provide a bunch of training on the job, training in a safe place to fail over the six month probationary period that we gave them. And as long as you could prove that you could fail safely and support other people in the organization and also learn some technical stuff along the way, then we would recruit you.

And because of that, we ended up recruiting a whole bunch of creative thinkers, musicians, psychologists, alongside the technical people that we clearly needed as well. And that blend, it worked really, really well and creating this kind of culture of learning and the ability to feel safe. Is that similar to your approach?

Neal: Absolutely. You can teach technical skills, but it is much harder to teach that kind of curious and passionate attitude. And if someone rocks up in an interview showing those qualities, then that's always a good sign.

Richard: I mean, we have legitimate situations in our workplace. There are faults, you know, in security. It's one of those places where we are one of those departments that rate the run books. The auditors look for. So you need someone who can think that diversity of thought is really important.

Shaun: It's one thing getting people in the door. It's another trying to convince your management that you need this level of people, you need to pay them this level and how to retain them. So how do you go about convincing management, Sinhalese, senior leadership that this is important?

Neal: Yeah, that really is the hard sell part of this. You know, we brought the SOC in-house at the start of 2023. That obviously meant we needed a lot of people, but we had to explain to our management why we wanted to do that and what problems we wanted to solve. For us, it was around having a moving away from the sort of hybrid MSP model of security operations to bring it all in in-house because we'd reached a level of maturity when that was needed.

You know, we'd been operating with the MSP for quite a long time. We were starting to find that there were things they couldn't do for us that we wanted to do in security, and that was mainly around dealing with issues that would crop up on our consumer platforms. And that's how I sort of framed us bringing the SOC in-house and why we needed these extra people.

Richard: There's definitely things you can do to improve the case. So one of the things about our recruitment process is that recruitment process is split into two stages. There's a technical part which is where we ask people questions to make sure that they know the stuff that's needed. And then there's the like, pivotal competency to make sure that someone is, you know, kind of like professional and so on and so forth.

So we get to have kind of a list of required behaviors and a list of kind of technical levels and scale that would be required because in security, we that would need people to be able to understand things like basic networking. So our recruitment process can also act as a little bit of the business case for it's these people at this level with these skills and we will also check for them. The only thing we ought to be careful with is a recruitment process was more about technical questions rather than saying you have a Ph.D. in computer science.

Shaun: How do you do that translation? How do you make sure that your technical leadership or so your leadership, have the right technical knowledge to understand what they're trying to achieve?

Neal: You've got to explain to them what the function of this group of people is going to be. We have had to explain what the concept of a security operations center is to certain people in the business and why it's there and what it does and what value it brings to the business as well. If you start talking in terms of risk, that is definitely something that the upper levels of management understand.

Richard: We also use the language. So it's really easy inside one of these technical domains to use a domain specific language, whereas I mean, fundamentally the organization that we work for is people aren't getting their orders. If you start bringing it back to that core metric that the organization uses, it does get an awful lot easier to have that discussion.

It becomes often management. You've only got them for a short period of time. You need to make best use of that. So it's worth it to try and bring the language to them rather than them to our language.

Yet so talk the language of the business. Because ultimately we need talk about impact and we want these people that we hire to have impact with stability and reliability and compliance.

Neal: People have got to get their pizzas.

Shaun: So you've recruited people. Hopefully you've written to convince your leadership. You need to recruit people. You've recruited people. How do you go about making sure you keep your technical, talented people?

Neal: Yeah, retention is a well, if you do your retention right, hopefully you don't need to hire people, right? And it's a tricky thing to do. I really like to have a good culture in the team. When I joined Just Eat Takeaway, one thing that struck me was the culture in the team that I joined was really good.

It was really open. Everyone was asking each other questions. People were falling over each other to help as well. Because I was new to the team, I needed to get up to speed and I was really struck by that and I thought, that is a culture that we need to continue and grow. It's kind of around inclusivity, giving everyone a place in the team, making the space for the new people or every level of performance that you have in the team as well.

And try not to rely too much on your superiors that you have on your team. Give everyone something meaningful to do. Give them space to ask questions, even questions they might feel think are stupid. That's difficult to do those well, you challenge people's natural way of sort of behaving when you need help. I like to encourage people to help ask for help out in the open, which gives everyone the opportunity, first of all, help them and second of all, learn from what is happening as well.

Richard: But that's not the only avenue we have in the team. So one of the things I really like about the organization we work for currently is it's driven by somewhere that's safe to fail. You know, you can be open with the mistakes because the mistakes are educational and actually makes it quite a powerful educational environment. But people work on different mediums.

So for instance, there's that open platform isn't, you know, we're not asking everybody to share all of the things that have messed up to the end that although it does help everyone if they do, but everybody's kind of got different mediums and you do need to respect that. It's one of the things we have to do in that environment as people.

Most people do need as part of their date to feel like they're growing. And that's the thing. If you wrangle chaos is part of your job, you need to make sure that the opportunities for growth and development are respected, that they're not just weak. Is it that there's a huge temptation inside that environment to go that is an instant on everybody. Drop your courses. That's what enable shit, which is what makes people feel as if they're developing and moving on in life. And it's also enabling your team with an experience that are required for the incident response. So we have to respect that space as well.

Shaun: Maybe I'll touch on what you've both just said there. So I know you said hero culture, the rich. You said safe place to fail. Now they are two concepts that I obviously have to work side by side. Having people in your organization that are superheroes all of the time is something that maybe people will strive to, that actually it's not necessarily good for the organizational culture. How do you tackle that in your organization, making sure you don't have these superheroes, but give the people the ability to learn and grow?

Neal: I like to make sure that because you do have heroes on your team, just don't give them everything to do. Give people the chance to do meaningful work. You know, maybe it takes longer because they've got to learn new things or learn the way of doing it, but just give them space to do it. Relying 100% on your team superheroes does not scale well and burns them out.

Richard: You need to use them as enablers. Yeah, and I mean enablers like so where there's opportunities to share some of that experience. But if you've got one person that can cover five topics, you shouldn't expect one other person to then pack up those five topics. That's not how human brains we've got all different types of capacity and we suppose, but if you've got people in the team who could start diversifying one of those five topics until like two or three people, that's when that starts to ease off.

And that is an incredible temptation from a task management point of view to if someone's a problem solver, give them all the problems. But critical analysis and problem solving, the kinds of things that we need, the things that some people learn through experience. You need to diversify those, even if it might take an extra day, you kind of need to respect that.

You need to count every single point of failure because people have life moments in a sickness hit by a bus, all that kind of stuff. And it's just bad luck. Task management modeling and a business to start creating the single bottlenecks or failure. 

Shaun: Love that approach. Also win the lottery rather than hit the bus. Right. So you've gone through an incredible journey over the last couple of years and it's I'm sure it's been there's been tough times, but there's been great times as well. If you were to do the whole thing again now, what would you do differently?

Richard: I think I probably ask some like one of the things that became educational through the process of interviewing all these new people and stuff that is that are technical questions at the end were definitely better than our technical questions at the start. We had some technically capable people coming in and our terminology was too niche. We need to work on more accessible language.

So that's something we learned during that. We would keep up, stop, don't use the US specific term, use the generic clothes like architecture or term. If someone wants to talk, you need us term slang, you know, let them crack on. But that language. Yeah, we could've done better with that in the beginning.

Neal: Hiring my first set of people, I had relied on job descriptions that already existed. I definitely wouldn't do that again. You know, every time you hire, look over your job descriptions that you've used in the past and improve on them and use them to really sell the role and what you're trying to do, that sort of thing. Making the role sound exciting really sells it to people. It's one of those things that helps you cast your net wider for it to be more effective.

Shaun: And if you were to give our listeners today one piece of advice they should do what they should consider in their own hiring processes, what would it be?

Neal: Let people move into security who don't have 100% security backgrounds like Rich and I are both those kind of people. We've hired people in as side of his movies as well into our team, and they've been very successful.

Richard: The other one is make your recruitment process reflective of the role that people are going to go into. And one of the things I've changed my opinion on over the past couple of years is how much do you pre arm a candidate with? And I was actually talking about this with a colleague that we've got Dave about. Should you share the questions before and my well after I sat and thought about it for a little bit I think I said Steve was I think it depends on the role so if someone is meant to be someone who is a photon of knowledge, well read, you know, all that kind of stuff.

But she added the questions beforehand and allowed them to prepare for that. It's actually probably reflective of the kind of day that they're going to have, which probably means you're going to get the best out of the recruitment process. But one of the things we do is we hire for incident response. Unfortunately, as uncomfortable as it makes some people, we need to ask an unprepared question.

You know, we didn't tell you about it because we just need to see what somebody does. We'd see if they stop and break it down. Some of the best candidates we've heard or been the least well read, and we just watched them process a problem. But I think going forward I would share the themes of our questions, you know, especially some of the technical stuff like basic networking and stuff.

So yeah, to bring that back to a headline, make the recruitment process and what you're looking for reflective of the role and environment, someone's going to be on.

Shaun: Great advice. Thank you. Well, thank you for joining me today. That's been some great insights there and some great advice for our listeners. So thank you. I wish you all the best of luck on the continuation of your journey.
