How LinkedIn Ditched the "One Size Fits All" Hiring Approach for InfoSec and Won

What drew me to LinkedIn was the chance to take on the challenge of scaling and adapting the security framework for the world’s largest professional network. Today, our Information Security (InfoSec) team is responsible for protecting LinkedIn’s infrastructure and data for our members, customers, and employees. As our platform has scaled, our security programs and strategies have grown in tandem to keep up with the company’s trajectory. But we haven’t stopped there. We want to be more than just protectors of our members, customers, and all the data we process internally and externally; we also want to expand our efforts to proactively support the goals of our business and the people who join our team. I’m a firm believer that cybersecurity is as much a business function as a technical one, and that means we have a crucial role in contributing to our company’s ongoing growth. 

To realize this vision of an InfoSec team that’s both protecting our company and enabling business growth, we need to attract and retain world-class talent. As the demand for cybersecurity professionals has remained high, this is a major challenge for many organizations. According to ISACA’s State of Cybersecurity 2022 report, 62% of survey respondents said their cybersecurity teams are either significantly or somewhat understaffed, and 63% said their teams had unfilled roles. And amid the Great Reshuffle, the ability to retain such in-demand talent has become more important than ever.

Despite these headwinds, we were able to attract and retain strong talent for our InfoSec team by reimagining our approach on a simple principle: cyber threats come in all shapes and sizes, so our InfoSec team should mirror that diversity, too. From a hiring perspective, this meant that instead of looking for people who fit a specific mold—particular educational backgrounds, prior experiences, or specific training—we doubled down on looking for and leaning into people with diverse experiences, perspectives, and skills needed to fit both our culture and our team’s priorities. As a result of this skills-first hiring approach, the number of new members joining our InfoSec team increased by 182% in 2022 as compared to 2021.

From a retention perspective, we took a similarly people-centric approach by meeting our team members where they are to best support their contributions to the InfoSec organization. This encompassed everything from providing a remote-first working option to enabling internal mobility as team members sought new challenges to grow in their careers. It might seem counterintuitive to be excited when an all-star player on your team wants to try a different role, but the fresh perspective and renewed energy they bring to their new area of focus will only benefit the organization as a whole.

These are the three components that we incorporated into our reimagined approach that helped us build the InfoSec organization we have today.

Broaden your talent pool

One of the practices we’ve leaned into is investment hiring, which we define as fostering talent through on-the-job skills development. While the more traditional version of this strategy was used only for very easy-to-train skills, taking an intentional approach and having a strong focus on longer-term talent support and skill development can lead to some excellent results even for technical career paths. This has the benefit of creating an opportunity for your team members to tailor their skills to what’s needed in your particular environment.

Investment hiring can have many forms. For instance, our REACH apprenticeship program at LinkedIn gives those with non-traditional backgrounds the opportunity to get their foot in the door and develop their technical skills. REACH has been an excellent source of talent for the InfoSec team at LinkedIn and InfoSec has doubled down on the program. I’m excited to see that in the last two years nearly 10% of all apprentices hired by LinkedIn joined our team.

Another aspect of investment hiring is to leverage learning and training opportunities for skill development. These types of courses can be a great way to uplevel your talent—it’s one of the reasons why we offer a variety of cybersecurity courses and learning paths through LinkedIn Learning. In fact, one of the REACH apprentices who’s since joined our team full-time got their start through online introductory coursework.

Adopt a skills-first mindset 

To successfully grow and strengthen our InfoSec team, we have adopted a skills-first approach when hiring talent. This mindset means that you look at a prospective candidate’s existing skills and think about their transferability to an InfoSec role. For instance, our team began hiring software engineers with strong computer science backgrounds who didn’t necessarily have InfoSec experience. We found that many of the fundamental skills for areas like site reliability engineering transferred well to cybersecurity work. We could attract a deeper and stronger pool of talent by avoiding a reliance on specific, niche skills for our candidates. 

An additional benefit of this approach is that it can better future-proof your organization for the inevitable changes we constantly see in the technology field. Today’s most popular coding language or infrastructure skills can often be relegated to “obsolete” in just a few years, which means that focusing exclusively on niche skills can hamper your team’s ability to pivot and innovate. By concentrating instead on fundamental and foundational skills, you can build a more adaptable team.

Meet talent where they are

Meeting talent where they are means being flexible to accommodate the preferences of your team, where possible, whether that’s in where they’re based or in the specific role they have. This can benefit both recruiting and retention for your organization and it also applies to more than just geography, although that can be a key component. 

As part of our hiring process, we embraced a remote-first option for candidates. Nearly a quarter of our InfoSec team is currently working remotely full-time. A key benefit of remote work is that it opens up a broader talent pool, and can also help build a more diverse team. 

Another component of meeting talent where they are is finding opportunities to create new opportunities and internal mobility for team members to improve retention and keep your team engaged. We encourage our team members to explore opportunities they find professionally challenging and fulfilling, which helps us keep a strong team even as individual members may shift to new roles.

Don’t be afraid to reimagine your approach

It’s important to note that these practices work best when used in combination with each other. While there can be real challenges in finding InfoSec talent, there are also opportunities to explore new ways of closing the gap. Our team at LinkedIn has leaned into this opportunity and has been able to grow and strengthen our InfoSec organization as a result. Hopefully sharing our experiences inspires other organizations to reimagine their approach and help more candidates find exciting opportunities in cybersecurity.