PODCAST
Cracking the Code to Cyber Talent and Recruitment

About the Guest

Craig Johnson
Founder and Managing Partner, Root 5 Consulting

Craig Johnson is the founder and managing partner of Root5 Consulting, a strategic executive search firm specializing in the cybersecurity ecosystem. With over a decade of global experience in cybersecurity leadership recruitment, Craig has successfully placed more than 250 candidates into roles across the USA, EMEA, LATAM, and APAC. His clients range from startups to Fortune 500 companies, reflecting his expertise in aligning top talent with diverse organizational needs.
Craig’s core competencies include recruitment, go-to-market strategy, organization design, and open-source intelligence. He leverages these skills to identify and attract top leadership talent, providing guidance on aligning candidates with the right organizational environments. Additionally, he offers insights into the cybersecurity threat landscape, market trends, and talent development to support organizations in achieving their cybersecurity objectives.
Craig’s mission is to empower organizations to strengthen their cybersecurity capabilities while enabling candidates to advance their careers and unlock their full potential.
Credits:
Presented by: Paul Jackson
Studio engineering and editing: Roy D’Monte
Executive producers: Paul Jackson and Ian Carless
Co-production by: THEOS Cyber and W4 Podcast Studio
Stay Connected
- Craig Johnson LinkedIn: https://www.linkedin.com/in/craigjohnson9/
- Craig Johnson Substack: https://substack.com/@cyberheadhunter
- Root 5 Consulting LinkedIn: https://www.linkedin.com/company/root-5-consulting
- Root 5 Consulting blog: https://root5consulting.com/blog/
- Paul Jackson LinkedIn: https://www.linkedin.com/in/jacksonhk/
- Theos Cyber Website: https://theos-cyber.com/
- Theos Cyber LinkedIn: https://www.linkedin.com/company/theos-cyber/
- Theos Cybernova LinkedIn: https://www.linkedin.com/showcase/theos-cybernova/
- Theos Cybernova Instagram: https://www.instagram.com/theoscybernova/
Episode Transcript
Paul Jackson: Wherever you are in the world. Hello and welcome to the Theos Cybernova podcast. Before we begin, I’ve got a quick favor to ask from you. There’s one simple way that you could support our show, and that’s by hitting the follow or subscribe button on the app that you’re listening to the show on right now. It makes a huge difference in helping to get the show out there to as many people as possible.
So please, please give us a hand and click that button now. Thank you very much for.
Theos Cybernova podcast hosted by Paul Jackson. So here we are with the second episode of the Theos Cybernova podcast. I’m Paul Jackson, and each week we are digging into the latest trends, challenges, innovations that are shaping the cyber security landscape. As well as talking to a fantastic mix of leading industry experts, thought leaders and technologists. So whether you’re a professional in the field or simply curious about staying safe in the digital age, we hope that Theos Cybernova will offer valuable knowledge and actionable insights for everyone.
So here we go. And today’s guest is Craig Johnson. The best cyber recruiter on the planet. Is that a correct way to describe you, Craig?
Craig Johnson: Well, I’ve heard you say a few times. It doesn’t often come from other people, Paul. So, yeah, maybe, in your career, which is, is a good opinion. But, yeah, I’ve tried my best. I’m not. I’m not sure I’m the best, but I’ll always try my best.
Paul Jackson: Great. Well, look, let’s start by just, you know, getting to know you a little bit, or the audience to get to know you a little bit. And the first question I’m going to ask you, though, is, why the hell did you leave sunny Singapore to go move to? Where is it? Middlesbrough.
Craig Johnson: Well, not quite Middlesbrough. I don’t think anybody would ever leave Singapore for Middlesbrough. I’m in North Yorkshire, so I’m not too far from Middlesbrough. But, Yeah. Good question. I mean, you know, we spent a long time in Singapore. We were there, you know, nearly a decade, my wife and I, from around here, we, we sort of moved back home, and we left together.
We, you know, we spent a bit of time in Manchester and then, you know, over to Singapore. So we’ve been away for about 15 years. We didn’t necessarily plan on coming back. We, we knew we wanted to leave Singapore, but we had, we had other things in mind. But, you know, as life often, does, you know, things didn’t really go as planned.
So we, we sort of ended up back here by default. But in actual fact, it’s been great, to be honest with you. I mean, you know, we’re now living in the countryside and there’s, you know, there’s no traffic. There’s no not many people. There’s more, probably more sheep and cows and there is people. So it’s it’s quite a nice change.
Paul Jackson: Well, you do quite a good job of selling it, but not enough to make me want to move back, I’m afraid, because.
But tell us a little bit about Root5 Consulting. Because I know you’ve worked with the larger recruitment companies. You’ve been in-house, of course, as an in-house recruiter and also now an independent recruiter. What what all the difference is, I mean, yeah, tell us, first of all, though, about Root5 and how you came up with the name and what it’s all about.
Craig Johnson: Yeah. So, so Root5 is, is we’re essentially a cybersecurity specialist recruitment firm. So we, we operate across the entire cyber ecosystem. So whether that is, you know, vendors providing products and services, or, or and users who are looking to, you know, build CISOs and CSR teams and whatnot. So we’re quite broad in our in what we cover because cyber is quite a broad topic, and there’s lots of different functions that make up cyber security.
But we’re hyper focused on the cyber industry and that’s kind of all we’ll ever do. The name Root5? Yeah, an interesting one. It kind of comes from a bit of a sort of mathematical type theory, where it’s all to do with the kind of square root of five and how that tracks towards a number called the Fibonacci sequence, which is kind of a sequence of numbers that you find in nature and things like that.
So, you know, you’ll see, you know, the petals on a flower will typically count to a Fibonacci sequence, or within leaves and things like that. So the square root of five is a number which the ratio between the leading two Fibonacci sequence numbers tracks towards in a mathematical sense.
So the concept is that you’re working towards perfection.
Paul Jackson: Right. So let me put you on the spot like what is the square root of five.
Craig Johnson: Oh god, I don’t know what that is. It’s something like 2.2 or something like that. So yeah. Yeah, it’s something like that.
Paul Jackson: But you also have external experts, you know, working with your company on contracts.
And what is the rationale behind that?
Craig Johnson: Yeah. Well, I think, you know, having spent a couple of years working internally when, you know, when I was across with, with, with the South Pole, you know, I kind of, for the first time in my career, I got exposure to, you know, competitors, essentially other companies out there doing recruiting in cyber.
And I’m not commenting on every everybody here has some cracking recruiters out there, but the large majority of the industry didn’t fully understand really what they were doing and what they were looking for, what cyber really was, and having worked in inside a cyber company and working very closely with cyber professionals, you know, my knowledge, I think improved significantly in those couple of years, about what I was actually doing. But there’s always there’s always a limit to what I’m going to be able to do in terms of, you know, assessing a candidate. You know, I can do my bit. And I always imagine it like a, you know, recruiting like a funnel, the top of the funnel, you’ve got every possible candidate who could get that job at the bottom of the funnel.
You’ve got the candidate that gets the job, and there’s a whole bunch of processes that you go through. I’m really good at the top of the funnel. You know, if a company comes to me and they want a certain candidate, I know who to go after, I know which companies to target. I might even know some candidates that I think would be good.
And I can get a rough sense of how good they are so I can bring them set so far down that funnel, but that at some point they need an expert to look at. They need someone who can, who’s been in that position before, who’s recruited for those people before, who’ve managed those types of people who basically come from, you know, a technical background.
So that that was a rationale around bringing in external contractors who could work with us on searches so I can bring the candidate so far down the funnel, then hand them off to an expert who will do a real thorough technical screening on them. So by the time the candidate hits the client, they they’ve been validated far beyond what they would do if they just went through a recruitment agency.
So that that was the idea. And I think, yeah, it’s take, you know, we haven’t done a huge amount of searches involving the external contractors, to be honest with you. It’s something we’re pushing quite a lot. And, you know, the clients that we’ve had who have gone through that process, they’ve got better results. They’ve spent less time and they’ve they’ve probably got better candidates. So yeah, it’s a new model. But I think, I think it’s the right the right way to go.
Paul Jackson: Yeah. Nice. No, no it kind of leads in nicely to my questions for you. And I’ve got some real thorny questions around the complexities of hiring when companies get it right, when they get it wrong, as we’ve seen. And, how the best approach is.
So let me, let me start off by just talking a little bit about Asia, because I know, obviously you primarily focused on Asia until your recent move back. Yeah. To the UK. And we’ve seen some interesting changes out there. Yeah. I mean, you know, with Kroll and Thales withdrawing from the APAC cyber, cyber consulting market, question for you: what does it take for a consulting firm to succeed out in Asia? Because, you know, there’s been so many withdrawals.
Craig Johnson: Yeah. And, I don’t think it’s just consulting, you know, it’s, it’s across the board. I think, Asia is complex, as you know, you know, you know, that there’s a it’s complex from a cultural perspective, but it’s also complex from, you know, market maturity. You know, you’ve got Singapore and Hong Kong that, you know, very mature markets.
You know, there is modern as anywhere in the world from an infrastructure perspective. I think the talent is strong in both of those markets, but they’re both small markets, you know, they’re very, very small. So you’ve you, you know, when you’re building a business in Asia, you’ve got to take into to, to account all of Asia.
If you want to grow a significant business, you’ve got to start recruiting people in Malaysia, in the Philippines. And and then all different nuances come into play in terms of, you know, the the maturity of the market, the culture and everything like that. And, so I think companies don’t often take all of that into consideration. When they look at it.
They look at it as a, as a region.
Paul Jackson: Right.
Craig Johnson: And they look at it as an opportunity, as a region. But then they don’t maybe think about what are all the different nuances within it that are going to make it successful. I think long term, again, short term thinking as well is is a big challenge. We see, I think in reality probably going to lose money for a few years in, in Asia if you’re launching a business.
And, you know, the way companies work these days, they often want results fast and you can’t always get them in Asia. Which is a bit of a problem. I think rates as well, I hear, is is quite a challenge because I think Asia is maybe compared to other markets, maybe a bit more price conscious.
Which means that it’s hard to kind of get, you know, big, be competitive. And it’s hard to develop talent. You know, it’s hard to do everything because you’ve got to develop talent in, you know, it takes time to develop talent. You’ve got to have a program in place. You’ve got to have support, you know, and and companies often just don’t have that appetite for long term thinking.
And I think that’s the overarching problem.
Paul Jackson: So yes, I mean, you’ve nailed it there. And my experience has been exactly that, of course. And what we’re trying to do at Theos is build on a, on a practitioner or expert base in lower cost locations so that we can afford to be competitive. We can pass on those savings.
But here’s a question for you. I mean, is the talent really there in some of these low cost centers? Is it as good as you know is it needs to be for the market? Do you think, you know, because you’ve obviously looked at the, the talent available in some of the low cost centers in Asia.
Craig Johnson: Yeah, I mean, I would say most of the time, no, to be honest, I think it’s there’s definitely pockets, you know, like when we were building out the SOC, for example, at Kroll in the Philippines, you know, which was a pretty sophisticated MDR solution.
And, you know, the type of analysts that we were looking for were not your typical SOC analysts, you know, they were more aligned with, you know, proper incident responders. So in in that sense, it can become very, very difficult if you’re comparing the region with the US or you’re comparing it with certain parts of Europe, then you’re always going to be underwhelmed, you know?
And that’s not to say that there’s nothing against anybody personally within those markets. But it’s just it’s just a maturity of the market, you know, like but having been back in the UK now, I mean, there’s 60 million people here, you know, there’s 5 million people in Singapore, for example, you know, so the size of the markets are completely different.
The maturity, the markets are completely different. So you’re always going to struggle. But I think the important thing is to not compare it with other areas and try and look at what the potential is and what you need to do as an organization to get that potential where you need them.
Paul Jackson: Yeah, definitely. And I do agree with you about the pockets because we’ve obviously at Theos also found pockets, deep pockets actually, of talent.
You know that we’ve been able to mine here in the Philippines predominantly. And it’s a matter of maturing and mentoring those folks, I think in getting them to, you know, to world class standards. And when they’ve got the thirst and the passion, it’s not that hard to do, but it’s finding those people with the thirst and the passion to because it’s, hard yards, a lot of hard yards to learn this business.
But, you know, yeah. So, I mean, is the education system to blame perhaps? I mean, in Asia, you know, it is quite famous for academic brilliance, but in terms of rote learning and memorizing rather than lateral thinking, do you think that’s possibly one of the hindrances?
Craig Johnson: Yeah. Well, you hear that a lot, don’t you? I mean, that’s one of the, the common things you hear, you know, particularly in Singapore, that, you know, kids are incredibly academic.
But sometimes, you know, they people say they, you know, they won’t get that well-rounded, that critical thinking type of approach. And it, it it’s an interesting move because like where does that come from. You know, it’s often cited that it comes from adversity. So you know you look at people who come from through adversity and what make their way to a certain level in their career.
They’ve, you know, they’ve had to think their way through and they’ve had to overcome problems. So people will often say, you know, Singapore doesn’t have any problems. You said when you could grow up there and you don’t you don’t experience any issues, any hardship. You know, life is is fairly straightforward, but I don’t think that’s always the case.
And particularly if you go beyond Singapore, into the Philippines and Malaysia, Thailand, you know, these are, you know, tough places to grow up, and tough places to kind of make it. So I don’t know whether it’s the education system, what you know, what it well, what it is, where you struggle to get those critical thinking kind of skills that the people often say is lacking in Asia.
But I think sometimes that, you know, a lot of people are a victim of taking that kind of Western mindset and applying it to Asia and saying, well, you know, we don’t we’re not finding this type specific type of skill set. That would be an abundance in if we were recruiting in the US, for example. And sometimes I think that’s a bit of a mistake within itself.
You know, you spent your whole time focusing on something that’s not there, rather than saying, well, let’s pivot our business and let’s think about different delivery models. Or maybe the problem is us. You know, maybe we’re not asking the right questions and not looking in the right places. Maybe, yeah, yeah. Because I think the talent is there that,
Paul Jackson: You know, there’s obviously sort of lower end all to the lower end of the working level to find it.
Oh, sorry. I talked over you a bit there. Sorry. I do at a working level. Okay. That’s fine. But what about at the senior level? So what we’re seeing and, you know, we’ve seen it happen recently and in our industry is that CEOs are struggling to hire the right leaders in cyber. Why is that process failing and what could they be doing better?
Craig Johnson: Yeah, I think there’s a few aspects of this. And I think one of the reasons why we brought in the external advisor model is to kind of help with this. You know, we, we, we recruited a head of information security for, a tech company recently. There were a couple of hundred people, had no internal security before this was their first security hire.
Reporting into a CEO and a CTO, none of them having a security background, you know, so we were able to help them because we brought a technical advisor and you could actually help them find what they wanted. So I think there’s an element of that where people just don’t really know what they need. I think ego comes into play quite a bit as well.
Because in reality, a CEO, if they’re going to hire a CSO and have them report into them, they’re probably going to hear, you know, you can’t do this and you can’t do that more often than they would like. And so I think to hire the right CSO and to give the CSO the kind of the runway that they need to do a proper job, ego needs to be put aside, and the CEO needs to be prepared to have some tough conversations.
It’s a little bit like, you know, have you ever seen the show billions?
Paul Jackson: Yes, yes.
Craig Johnson: So, you know, you remember the Spyros character, right? Yes. The head of compliance. He’s like the ex SEC investigator who kind of goes internal and he’s a he’s the head of compliance. And he’s constantly telling them, you can’t do this.
You can’t do that. You know, and he’s hated in the office because of that. Now, I’m not saying that, you know, that you should hate your security guys, but I’m saying that, you know, you need to hire people that are going to have tough conversations. And I think that may be a bit of a bit of that is often not in play.
When, when CEOs are making these hires because they don’t want to be told they can’t do this.
Paul Jackson: They want yes, men.
Craig Johnson: Yeah.
Paul Jackson: Interesting. So but you know, when we talk about hiring, what’s the right balance to be taken when you’re hiring in cyber? Because I’m guilty myself of doing this, right? I’ve hired people that I know and I trust rather than going through, say, yourself or, you know, a formal recruitment process because I know they’re good at their job and I trust them to do the job. So it’s kind of an easy and easy fit. But to what extent should we be doing that without going through an open recruitment process? Where do you draw the line on that?
Craig Johnson: Yeah, it’s a funny world because, you know, you kind of go into this world of the AI a little bit, right? It’s like, you know, we haven’t we haven’t gave everybody the right opportunity because we haven’t run a recruitment process.
I can understand that to a degree. But also my advice, you know, if you know someone, if you know what you need to achieve with this hire and you know someone and you trust them, and you don’t need to go through the rigmarole of a recruitment process and spending money on advertising and just get it done.
In my opinion. Make the hire, make it happen. But so maybe sometimes, you know, it pays to kind of run a proper process and maybe get some, some comparison comparisons in place as well. Because I think sometimes when people hire people that they’re comfortable with, it might be more because they’re comfortable with them and not because they’re the right person for the job.
So I think you’ve got to you’ve got to ask yourself, right, what do I need this person to do? And your recruitment process should always work back from the business objectives. Right? We want to double revenue in the next five years or whatever, you know. So who do I need around me to get that done?
Right. And, you know, you might say, look, yeah, well, I’ve got someone who worked with me in the past and they did this, but were they really, someone who drove significant revenue? You know, maybe they did to a degree, but maybe they didn’t do it at the level that I now want them to do it. I think the easiest thing would be to, well, let’s get them involved because I’ve worked with them in the past and, you know, we work well together and we’ll figure it out ourselves.
But sometimes, you know, you maybe need to say, well, actually, maybe they weren’t the right person for what I need now, and maybe I’ll give them an opportunity to interview what they’re going to interview alongside of the people in the market. And we’re going to run a process that is designed specifically to draw out that that skill set that we’re looking for.
So I think it all always pulls back to what, what, what the business goal is and what you’re trying to achieve from the hire. Right.
Paul Jackson: Yeah. No, this is great advice is good advice for me because I could, you know, continue to grow the team here at Theos because obviously I don’t want to just be bringing in people just because I know and trust that they can do a good job.
But I do feel that there is a balance to be struck because, you know, you’ve got people who you know are good. And to your point, that can drive revenues, that could drive customer success, etc. But from then on, once you’ve got that foundation, I think from then on it should be an open recruitment process, you know, for further hires.
Once you’ve got that, you know, the leadership bench that you’re trusted, that you’re comfortable with. Is that fair?
Craig Johnson: Yeah. Yeah definitely. Definitely. It’s you know, if you if you always recruit people that, you know, you’re going to run out, you get people to follow you, you’re going to get out fairly quickly. And I think also what, what it’s going to be a challenge is when you’re recruiting people that, you know, you know, you you’re almost on a bit of a backfoot sometimes because they when they get that cut, like if I got a call from someone now that that I’d worked with in the past, like, you know, Craig, I want you to come on board and, you know, we’ve got something here that we need you to help with. You know, my mind would initially think of, like, what’s the bigger picture opportunity gonna look like for me? You know what what what this move going to look like for me. And sometimes you can’t always deliver that to somebody.
So when you’re hiring mates and old colleagues, I think they sometimes come in with a bit of a I’m, you know, this. They might think more of a I’m not quite sure what I’m trying to articulate here, but I think they probably come in with an expectation level. Right. I guess is what I’m trying to say, which sometimes is not always the case, you know.
Paul Jackson: Good, good. Great advice there. So let’s take it back a little bit and, and, and, and start talking about how you go about your job. How do you find the best talents? I mean, they’re so rare out there. How do you actually find them?
Craig Johnson: It’s, I think, time recruiting in a market helps. You know, when you I’ve been recruiting in cyber now for about ten years so that that helps because over time you get to know who’s good and who’s not. But it is hard because, you know, I’m speaking to new people every day. You know, probably on average, ten new people per week will kind of come into my network.
So and all of them are selling themselves, you know, they’re all you’re having a call with them and they’re all telling you all the great things that they’ve done in their career. And it’s very easy as a recruiter to just believe it all and take it as face value and, and then try and sell those people to your client.
But more often than not, people are not in that top tier. They’re not in that elite level. And and it’s hard to kind of find out who who’s who. I think in time, you get to know what a good incident responder looks like or what a good pentesting looks like. And you know what the right questions are to ask to kind of get that information out from them.
But I think also over time you start to connect dots as well. Also, that person works for that person. Well I know that person really well. So I’m going to give them a call, just see what they think of this person. And you know those kind of discreet reference checks I think help to try and determine who is top and who isn’t.
And I often ask people as well, you know, like if I ask if I’m recruiting for a client, they will probably know who’s good in their market. They will know who that dream person is, you know, in the same way as, you know, a football manager knows which striker they’d like to have. The reality of whether they can get that striker is a different, a different question.
But they know they usually know who’s good in their market. So I think asking the question who is really good, who you’ve who’ve you work with in the past that you thought they’re a superstar, they’re going places. And making a bit of a mental note of those people is a way. But it’s time in a market above anything.
There’s lots of different nuances to find the right talent, but you’ve got to commit long term as a recruiter, I think.
Paul Jackson: Right. Well, you know, I don’t want to inflate your ego, but there’s nobody better asking those questions than you in my experience. But yeah, that’s, you know, you’re absolutely right with your points there. So let’s, let’s, switch up a little bit and talk about new entrants to the cyber market, because obviously I’m, quite high profile out here in Asia.
And I get asked a lot, how do I how do I break into this? I’ve done this, you know, university degree, I’ve done x, y, z, but nobody will hire me because I don’t have any experience. And it’s kind of a chicken and egg situation, isn’t it? And you know, what’s your advice for, for a new starter in the cyber field?
Craig Johnson: Yeah, it can be really hard. Because, you know, you hear and frustrating as well because, you know, you hear all the time that there’s a skill shortage in cyber. You know, we’re missing 10 million people and all this sort of stuff. So people go and they’ll get a degree in cyber security or they’ll do a master’s or, you know, maybe do a couple of certs even, and then they can’t get a job.
And they think about, you know, all that bullshit about it. But for a lot of people, I’m ready to go and I can’t get a job. So I think right place and right time is a big thing. You know, I think, you’ve got to network, you’ve got and one thing about the cyber community, it’s very open to networking.
You know, there’s I was having a conversation about this on New Year’s Eve with a friend who’s in a he’s in biotech. So we’re completely different. But we were talking about communities, and I was specifically talking about the cyber community and how open it is and how, you know, there certain, you know, for example, like the Cape product.
Right? It’s like an open source tool, right? That is for the good of the industry, you know, where that tool could be commercialized. And, you know, some people could make a lot of money out of that, but they don’t because it’s the right thing for the industry. So I think the cyber community is very open and it’s very willing to kind of bring people in and give them an opportunity.
So I always advise people to network, don’t be afraid to connect with somebody and ask them some questions about, you know, how to get in and, and do you have any advice for me? Because those questions lead to opportunities. People like that. People like people to be on the front foot, to put themself out there. But I think some kind of technical perspective.
One good thing that that I hear people being advised that that I’ve had people being advised to do before, which seems to work, is to build a home lab, you know, if you want to be a blue teamer or you want to be a red teamer, you know, go buy some old equipment and build a lab at home and start running some simulations and start figuring out what it might be like to work in a SOC or work in a Pen Testing team and get some real world experience and then publish your work, get your work out there, even though it might be, you know, not cutting edge or it might not be, you know, I do think game changing, but for it’s going to show people that you’re really trying to get that excludes a certain thing. But getting hands on with stuff is another thing. And you can’t exactly go out there and start hacking systems in the real world and say, look how good I am. I’ve just hacked into your system. You might get into a bit of trouble, but you can build a lab at home and you can start working on that type of stuff. And I think that that goes a long way.
Paul Jackson: It definitely does. Whenever I ask questions of potential candidates, I always ask them the same questions. What? What have you built at home? What systems do you have at home? Which blogs do you go and read? You know whose research, whose books have you read? You know, just to show, demonstrate that they have a passion beyond being spoon fed in whatever course or wherever, whatever program they have attended. But on the subject of courses and certs, which ones do work best, though, in your experience, which one? Getting folks the most traction?
Craig Johnson: Yeah. So I, I think, it depends on what area you’re in. I think if you, you know, if you want to be a CSO or you’re going in a general sort of, you know, head of security type role or, CISSP is probably the way to go. It’s hard to do. I mean, there’s a bit of controversy about it. Some people think it’s a waste of time, other people don’t. I actually started to, by my study, CISSP, because I thought it might be a bit of a differentiator for me, as a recruiter, to have a CISSP. So I’m, I’ve got some experience with it. And it one thing that I felt from the CISSP was it’s so vast, you know, there’s so many different topics, that if somebody has got their CISSP, you know, they’ve got some grit and some determination and, and commitment, which is a big aspect of being a security leader.
So even if the content is maybe not to everybody’s taste, at least it shows that somebody is really committed to their career to kind of go and do that in their spare time. So I think CISSP is very good. So the kind of broader security leadership type, person, if you’re going into the blue team space, I think SANS are probably the best certs to get, GCFE, GCSA, they’ve got some good offensive certs as well, like GXPN and GWEB and things like that, which are really, really good, but SANS are very expensive, very expensive, probably eight and $9,000. You know, a per, per course. But, you know, if people can find the money, they should do those courses because they firstly, they show commitment. Secondly, the content of the course is a fantastic, and thirdly, that they will get a bit of a network doing those types of courses because usually it’s people being sent by their organizations and they’re usually quite experienced.
So you’ll get a, you’ll get a bit of a network from the on the offensive side, it’s usually CREST and OSCP. I think the better ones. OSCP I think if somebody who’s got that, then then usually they’re, they’re fairly capable pen tester or I think that shows. But yeah. So there’s a few in there. But I think blue side, you want to be SANS. And then on the red side you want to be OSCP or CREST.
Paul Jackson: Got it. Got it. So looking forward, last question really on cyber anyway. Looking forward, are you optimistic about the cyber recruitment or cybersecurity industry in Asia? Obviously I’m here in Asia, so specifically about Asia. Bearing in mind that, you know, we’re seeing a bit of a shift in the laws and regulations across the region, these new laws coming in everywhere. Hong Kong, where I am, you know, there’s a new critical infrastructure cyber security law coming into place.
Is this going to be driving firms, do you think, to find better talent or increase their staffing on cyber security, or do you think it won’t make a difference?
Craig Johnson: Yeah, you would hope so. You know, I launched Root5 in December 2023, so we just literally turned a year old about a month ago.
And at the time, it was around when the SEC launched their new regulations around filing 8-K rulings, you know, when you’ve had a material cyber breach, that type of stuff. And we looked at that and, you know, I thought, well, that’s going to have a knock-on effect everywhere, you know, because it’s a major change in the regulations.
And there’s been loads of stuff in Europe as well, to restore regulations and all this sort of stuff, so it’s not just happening in Asia, it’s happening everywhere. But so far it hasn’t really. Well, from what I’ve seen, it hasn’t really resulted in, “Oh, we better get some people in to get our head from this new regulation.”
Right. The general theme, certainly in 2024, was do more with less. You know, we’ve seen a lot of security leaders being let go to be replaced by younger, cheaper talent. I don’t think that will persist for 2025, because we’re already seeing an increase in DFIR cases around the world. And I think that that is more likely to drive recruitment than the regulations are because, you know, regulations are maybe not as in your face as what ransomware is. So I think that’s going to drive recruitment a bit more than what the regulations do, because historically I’ve just not seen big recruitment drives come off the back of regulatory changes.
You know, I think people see regulations and they’re like, oh, well, you know, yeah, we’ll look at that. Well, you know, someone’ll take a look at it. But they don’t necessarily think recruit. Whereas I think if they get hit there under the cost, then I think recruitment will come. So I do think this year is going to be much better than it has been the last couple of years.
Paul Jackson: And do you think this will also drive work towards high quality consulting firms like Theos Cyber?
Craig Johnson: 100%. Because one thing about, but to be fair, going back to the regulations, where I think it will have an effect, which I guess is a bit of a talent play, is that the trend in regulations over the years seems to have gone down the food chain, in the sense that, you know, the top organizations, the banks, the healthcare companies, they’ve kind of always been under the spotlight.
And because of that, they’ve got big, sophisticated systems in place. You know that from your time at JP Morgan. I mean, you guys had massive budgets, huge teams. You know, you could do whatever you wanted, really. Now more and more smaller companies are under the spotlight as well. You know, when you look at critical infrastructure, critical infrastructure is now not just the first tier of the infrastructure.
It’s suppliers into the critical infrastructure. And that could be anything from, you know, someone like me, you know, if I’m recruiting for a big bank, and I’ve got maybe my system connected to their applicant tracking system. You know, I’m now under the spotlight. So do I need help from a company like Theos?
Probably, you know, and I think that’s the way it’s going to go. So I think in the SME space, it’s the companies that have not had to think about cyber anymore, where the regulations are now impacting them, where they’re going to have two choices. Do we build an internal security team, which is hard and competitive and expensive and not guaranteed to be successful?
Or do we go to a company like a Theos, where we can outsource it and get them to run it? And so I think that’s going to be a big trend moving forward. I think companies offering MDR, DFIR type solutions are going to be big winners moving forward.
Paul Jackson: Well, I certainly hope so. And I certainly hope that you’ll be around to help us, you know, step stuff up should we need that.
So, hopefully. Yeah. All right. A couple of last questions. So away from cyber, you know, I’m a music fan, don’t you, Craig? And I’ve got to ask this. What are you listening to these days?
Craig Johnson: You know what? I went through a period of time where I was a massive music fan as a kid.
I think, like most people are, that, you know, I was off it for quite a long time. And then I was moving back home, I sort of reignited the passion a little bit. My little boy has just started playing the guitar, and we bought him a piano for his birthday the other day, and he’s now playing, so your deepest, best.
Paul Jackson: Your neighbors must love you.
Craig Johnson: Yeah, yeah, they do. They’re over the moon. And it sort of reignited the passion a little bit. And so, yeah, I’ve started to listen to some of the stuff that I listened to years ago, and I’m a big fan of what I would call proper rock and roll, like the Stones and Hendrix, Deep Purple and the Kinks and Creedence Clearwater and all that sort of stuff that I’ve been listening to a lot recently.
Paul Jackson: Brilliant, brilliant. And lastly, at time of recording, anyway, it’s just moved into 2025. What’s your New Year’s resolution?
Craig Johnson: You know, I never really do resolutions because I’m always a big believer in, like, balance, you know, and don’t cut stuff out. Just, you know, like, don’t quit drinking, just maybe go to the gym to balance it out a little bit.
You know, I think people are constantly trying to look for ways of, you know, drastic improvement, but really it’s just kind of small improvements to make. Well, one thing that I’ve wanted to do for a long time, and we live quite close to an airfield about 20 minutes away. And you see people flying over the top of the house all the time and learning how to fly in these little airplanes.
So I’m hoping to start that this year. I’ve always wanted to fly, so I’m hoping to start learning this year.
Paul Jackson: Brilliant. Well, don’t crash, because we need you. So, yeah, all right. Great. Thanks very much. That was cyber recruiter extraordinaire Craig Johnson. And what a great conversation it was. Thank you very much. So, Theos Cybernova was presented by myself, Paul Jackson. The studio engineer and editor was Roy D’Monte. The executive producers were myself and Ian Carless. And this podcast is a co-production between Theos Cyber and W4 Podcast Studio.
The Theos Cybernova podcast.

Episode Summary
How do you find the right cybersecurity talent in a competitive and evolving market? In this insightful episode of THEOS Cybernova, host Paul Jackson chats with Craig Johnson, founder of Root 5 Consulting and one of the most respected recruiters in the cybersecurity industry.
Craig shares his journey from Singapore to the UK and dives deep into the art of hiring for cybersecurity. From the complexities of the Asia-Pacific talent market to the challenges of finding the right balance between skill, culture, and leadership, Craig provides a masterclass in recruitment strategies. They also discuss the rise of external experts in the hiring process, how to nurture emerging talent, and the impact of evolving regulations on the industry.
Whether you’re an aspiring cybersecurity professional, a hiring manager, or just curious about what it takes to build a world-class team, this episode offers practical insights and candid advice from one of the best in the business.