Q&A With Michael Race, Senior Consultant in Cloud/Infrastructure Security and DevSecOps at Stott and May
Hiring and retaining talent in continually changing areas such as Cloud Security and DevSecOps has never been a straightforward, black and white process. Given the way these disciplines are evolving as well as the unique needs that individual organizations have in these areas, finding, recruiting, and retaining the best talent can be a complex and challenging proposition.
To sort out some of the key issues, I recently sat down with Michael Race, Senior Consultant in Cloud/Infrastructure Security and DevSecOps at Stott and May. In the resulting Q&A, he shares some of his insights on the current state of the DevOps and Cloud Security markets as well as guidance on how to grow successful DevOps, Cloud Security, and DevSecOps teams.
How would you assess the current state of DevSecOps?
Michael: There’s never just one way to describe the particular state of any job or talent market at any given time. This is particularly true of the DevOps and Cloud Security markets, which are constantly evolving and redefining themselves.
One could argue that DevOps is definitively moving toward a heavier development focus, but that doesn’t hold true for every DevOps hire being made right now. In fact, many DevOps teams are still scaling up Ops-heavy talent to balance their intake of Dev-heavy DevOps Engineers.
It really comes down to finding a balance when you’re growing teams with niche skill sets (e.g., DevOps, Cloud Security, and DevSecOps). Many still view DevSecOps as a buzzword, and there can be some truth to this depending on how much a company has invested in and defined their security efforts in relation to CI/CD. DevSecOps is still a relatively new concept and has not had as much time to establish itself. DevOps, on the other hand, has had the luxury to evolve and be sculpted by companies, hiring trends, and industry leaders alike. In other words, DevSecOps still has a way to go.
What experience and backgrounds do companies look for when hiring DevSecOps or Security Engineers?
Michael: It depends on what the company’s needs are, and these can vary significantly among organizations. Over the last couple of years, as DevSecOps has begun to gradually evolve from being a buzzword, I have seen companies hire from both Ops and Dev backgrounds. Usually if a company is a global entity in, say, Life Sciences or Finance, a cultural fit tends to weigh more heavily than tech expertise alone.
Cultural fits differ greatly depending on a company’s tech goals. In most cases, hiring managers can be flexible when they’re looking at candidates’ company backgrounds. However, onboarding someone from a slow-moving, massive Bank or Big Pharma house onto a lean startup is almost non-negotiable in many cases. The culture shock from this kind of transition tends to linger far beyond the first 90 days and can seriously undercut chances for success.
Salaries play a part as well, of course. People who have worked for large, multibillion-dollar organizations can have a difficult time accepting the need to wear multiple hats at a startup, especially for a significant drop in compensation. Oftentimes their salary expectations can only be matched by other massive entities.
No matter the tech background, a company will almost always choose the most well-rounded candidate, considering the abundance of responsibilities involved in a DevSecOps-related job.
If this is such a constantly shifting and budding market, what’s the reality of finding someone with the right skills? Do these skills really exist?
Michael: As a recruiter in these areas for some time now, I’ve learned that the right skills often exist somewhere. Maybe the right person isn’t in every company’s backyard, but if a company can’t be flexible in the skill set it’s looking for, then they might need to consider a relocation hire or create a remote option to broaden their search.
On the flip side, in a case where skill sets are negotiable, companies can explore candidates who have the majority of the preferred skills, and then offer a realistic ramp-up period so the new employee can build up the remainder of the skills or knowledge required. This can be done by training a new hire internally or leveraging outside resources.
In the cases of DevOps and DevSecOps where live interactions and a collaborative mindset are part of the role’s core function, the latter option is usually optimal.
Keep in mind that there is always more than one way to make a hire. Simply relying on job boards and keyword searches seldom does the trick. In highly specialist markets like DevSecOps and Cybersecurity, valuable qualifications like soft skills and cross-group collaboration can rarely be effectively expressed on a resume.
So, if they do exist, where exactly can they be found?
Michael: Again, this is determined by an organization’s hiring strategy. If you exhaust multiple search options (e.g., relocation, remote work, being flexible on skill requirements), you will most likely cast a wide enough net to generate a sufficient number of candidates from a variety of companies and locations.
But how far is a company willing to go before sacrificing too much and risking an ineffective hire? It really depends on which areas weigh heaviest on the company’s priority list. It also depends on how honest and informed a hiring team chooses to be on the realities of a niche talent pool with newly budding skill sets.
In the worlds of DevSecOps, DevOps, and Cloud Security, there are also engineering teams that have been leveraging these highly innovative mindsets long before they were accepted into the mainstream. This phenomenon usually occurs when a company doesn’t adopt the market’s most well-marketed tools but uses their own internal tools that do great work. Unfortunately for their engineers, these simply don’t appear on keyword searches as their resumes or profiles lack the tools everyone else is looking for.
This type of industry expertise is usually only practiced by highly knowledgeable internal recruiting teams or a specialist external recruiting partner.
How do we keep these highly sought-after people engaged during interview stages and even after onboarding?
Michael: DevSecOps and Cybersecurity Engineers can have a huge array of choices while they’re on a job search and move off the market quickly.
To keep candidates engaged, higher salaries may help, but they are not the be-all and end-all for everyone. Many people are more motivated by technology exposure that keeps them relevant to the market. The way a company values their engineering teams and treats their tech staff is also a common influencer.
For those who are not aware, it is really career progression and the way a company values its employees that keeps people at organizations (or drives them away). This goes for everyone, especially people whose skills need to remain sharp in a constantly evolving landscape.
How do we define DevOps and DevSecOps job descriptions when the actual hire will define so much of our technical vision themselves?
Michael: I always recommend honesty and transparency. When people are brought onto teams that have misrepresented themselves during the interview process, they realize this immediately. No matter how large or small your tech community is, the reputations of your company and your team carry most rapidly by word of mouth. This is particularly common in niche markets like DevSecOps and Cybersecurity where there is a limited number of such engineers to begin with. Everyone wants to sell their engineering team as “the one to join,” but how about being known as the best culture to stay with and grow in?
If you are a bare bones shop, then transparently expressing that you’re hiring for a ground floor role that will define a DevSecOps mindset is the way to go. People in general, not just engineers, will respect and remember that long after they interview and even join. Niche markets are exactly like they sound — small and familiar. Companies cannot afford to miss out on talent due to a blemished reputation.
How competitive is this space for hiring teams and candidates?
Michael: Highly competitive. More so for DevSecOps and Cloud Security Engineers who have their pick of jobs. It’s their skills that are defining how technology flows throughout organizations, and everyone needs them. From LinkedIn to recruitment partners and even personal networks, almost everyone in tech knows someone who needs either of these skill sets to one extent or another. It’s a candidate-driven market that naturally causes organizations to be at the top of their game when attracting and retaining top talent.
What’s the future for DevOps/Cloud Security and DevSecOps?
Michael: No one has a crystal ball, but tech markets will always continue to define and redefine themselves. Any tech market — not just DevSecOps or CyberSec — can grow rapidly. Even those who are just competent in these niche skills can soon grow to define and become the market as their skills sharpen.
Case studies from high-profile teams such as FAANG entities (Facebook, Apple, Amazon, Netflix and Google) will also influence the future as companies leverage these resources as examples for their own teams.
Another factor is meetup groups, which influence local teams that don’t have FAANG budgets or resources but can learn from other engineering groups facing similar challenges and successes. Again, there is never one answer to where a market is moving or what’s causing it to move. The only certainty is that there are always multiple influencers who continue to mold the DevSecOps and Cloud Security space.
So keep your eyes and ears open, learn from what others are doing in their organizations, and strive to be one of those companies that attracts, trains, and retains the best talent.