Cracking the Code

Recruiter Robert Half shares how to find the best cybersecurity talent.

As digital transformation (DX) touches every aspect of how we work and communicate, businesses face ever more complex challenges when it comes to protecting data—whether it is their own or that of customers. The evolution of cybersecurity means that companies must rethink how they hire for this critical task.

Steven Li, senior division director for cybersecurity at recruitment company Robert Half, told The ACCJ Journal that they see a lot of companies going through digital or IT transformations to shared service models, including for security.

“One of the challenges with security is that it’s all about data, and it’s all about being able to see your entire ecosystem or environment using a single source of truth or a single tool,” he said. “And a problem you may face is how to bring different business units that you’ve acquired onto a common platform for security operations and vulnerability management, so that when someone asks, ‘Are we impacted by this incident?’ you can answer with a degree of confidence.”

Robert Half advises clients on how to do just that and helps them find the right people to lead that transformation.

Expertise Matters

From a people perspective, previously siloed teams are being consolidated on a group level to create a centralized point of contact for cybersecurity that then provides support to each business unit, Li explained. Instead of outsourcing technical tasks to consultants, companies are now looking to hire specialists for their internal teams. But with much of this talent coming from outside Japan, domestic salaries are an obstacle.

“Employees here in Japan are typically rewarded based on tenure and age instead of merit and skill,” he noted. “To get around this, some companies have started to offer contracting solutions. They’ll say, let’s do a fixed-term contract. And with this fixed-term contract, we can step outside the bounds of our salary structure and give the specialist what the [global] market is paying, and a little bit more.”

This is important as there is an estimated shortfall of 190,000 cybersecurity professionals in Japan.

“Japanese companies are not used to hiring mid-career security professionals. They are used to hiring graduates, so to bring in someone mid-career, they don’t know how to do it, where to find them,” Li explained.

“Good cybersecurity engineers don’t typically fit the traditional model of an IT person. They may not have finished university, but they are adept at problem-solving and seeing patterns that other people might miss. We’ve placed people like this, and our clients have been absolutely happy with them,” he added.

Recruiting Manager for Cybersecurity Naoto Hamada shared an example of how Robert Half successfully placed a candidate who made a big difference for their client. But to do so, they had to overcome a challenge common in Japan: hesitation to change jobs.

“It was for a key project, and closing the role was a high priority. However, it’s challenging to find this talent in Japan,” Hamada explained. “We were able to find a match, and he received a competitive offer. But just one day before the deadline, on a weekend, he messaged me and said, ‘I can’t take this.’”

The problem wasn’t the offer but that he felt sympathetic towards his current manager should he leave.

“After receiving the message, he asked me to come meet at his station in person. I outlined the benefits of joining this international company and how it would provide him the career growth opportunities in line with his goals,” Hamada explained. “In the end, the key element was that we helped him visualize his priorities, then compare them to his current company. Based on this exchange, he decided to sign the offer and is now a key member in the newly created incident response team at his new company.”

Working hands-on in this way is at the core of Robert Half’s approach to recruitment. An important part of that are cyber risk meetups, which they host to bring together security professionals to share information and experiences which can help bridge the gap in cyber skills. A recent senior leaders’ meetup at Deloitte focused on ransomware resilience, and a public security meetup at Microsoft focused on software supply chain security.

“If we all share best ideas, best practices, and experiences, and implement those, perhaps we can improve cybersecurity maturity in Japan,” Li said.

Changing Regulations

Another thing to consider is the impact of changing regulations. Fabrizio Fumagalli, Robert Half’s recruiting associate director for cybersecurity, pointed out changes to ISO 27001, an international standard for information security management systems.

“This was updated in 2022, and companies have three years to comply,” Fumagalli said. “There are a few notable requirements on code security and the code supply chain. Companies need to be extremely careful about what’s in their code and conduct appropriate audits to assess where vulnerabilities may be.”

On average, about 80 percent of the code in a typical application is open source, Fumagalli noted, so it can be difficult to know what vulnerabilities may be hiding there. As a result, companies will need people in security who are proficient in software development.

“Instead of relying on documents from an external vendor, companies need a specialist who can check the code to ensure it is secure. Teaching security is easier than teaching the development side, so that is where companies’ priorities should be,” he added.

Specific to Japan, he said, is the need for mid-career cybersecurity talent. “You cannot randomly reassign, or do rotations, as most Japanese companies do. Due to the specific set of skills needed for the role, there is an urgent need for individuals who are experts in cybersecurity.”

Li added: “Our clients are sharing that they need people who are application security engineers and can dynamically test the code, play around with it, see if they can break it. Or do static analysis by reading the code itself and figuring out where the logic problems are. These skills are in extremely high demand.”

Partner for Success and Security

In closing, Li said that Robert Half is working to change the perception of recruitment in Japan and to help clients look beyond the numbers and the next quarter. If you are reassessing your cybersecurity, Li, Fumagalli, Hamada, Taeng, and the Robert Half team are ready to expand upon this approach and partner with you to build the best teams for today and the future.