A new way to recruit: Our approach to building Expel’s Phishing team


A lot of companies are experiencing a brain drain in what’s being called the Great Resignation. It’s a pain that security teams know all too well. You hire great people who have the skills you need, they get familiar with your environment, and then…they’ve already moved on to their next job.

You’re happy for them. But now you’re back to the beginning.

Is there a solution?

We’ve written blog posts about how optimizing the human moment helps us not only create greater efficiencies in our operations, but also helps us prevent analyst burnout while giving them meaningful work.

Optimizing for the human moment here at Expel means letting tech handle the work that can be automated — think decision support, enrichment and automation of repetitive tasks that increase cognitive load (i.e. the things that cause analyst burnout) — so our crew has the time and space to shine in the moments when a human eye is required.

Fun fact: the initial beta of Expel’s phishing service was built in a Jupyter notebook written by one of our security operations center (SOC) analysts. He’s now one of our detection and response (D&R) engineers.

Creating space for people to do what they love is at the core of why we do what we do. We do it for our customers and it’s important to us that we also do it for our Expletives.

So we asked ourselves: how do we build a service and training program that’s accessible to folks early on in their security career journey?

We discovered that part of the answer is in widening the pool for recruitment by focusing on traits, not skills.

Allow us to explain.

The Expel Phishing team is one of our newest teams, and recruiting for that team created an opportunity for us to experiment with this approach. So we set out to hire for the traits that are important for these roles (curiosity, candor, passion for learning, desire to help others, drive and attention to detail), knowing we could then teach our new team members the skills they need to be successful.

In this blog post, we’ll share how we’re using the Expel Phishing team and its simple, narrow focus, to achieve two goals:

  • Protect managed detection and response (MDR) service continuity

  • Increase diversity in cybersecurity

At the end of this post, you’ll also hear from some of our newest Expel Phishing team recruits. They’ll share their stories and what it’s like to be a new member of the team.

The Expel Phishing team

Phishing is still the top threat facing most orgs. In fact, business email compromise (BEC) attacks made up 61 percent of the critical incidents Expel’s security operations center (SOC) responded to in September.

Knowing that phishing isn’t only going to remain a top threat but that tactics will also continue to evolve, the Expel Phishing team was created in partnership with our customers. They had a need and we knew how to help. The initial team was a temporary experiment. After finding success during the research and development phase, we decided to pull in some of our other customers to beta test the service and see if we could run it on a larger scale.

The beta test was a success and we introduced Expel’s managed phishing service.

The Expel Phishing team functions as a cost-effective bench for our managed detection and response (MDR) service. We expect a lot of our MDR analysts — providing world-class service against every bad actor on the internet on a staggering number of technologies and attack surface areas, in a transparent platform, while also communicating the findings directly to our customers in Slack.

No pressure, right?

We’ve got their backs, just like we’ve got our customers’ backs.

Protecting MDR service continuity

Finding people who can provide that kind of MDR service on even one of our service offerings is difficult at an entry-level position. This means we have to spend time teaching our analysts what attackers do on roughly everything and how to use the Expel Workbench™ to update customers about our work in real-time.

It’s a lot to learn, and it takes a while.

On the other hand, because phishing has a much narrower scope, phishing analysts can focus on learning to find attackers in one threat vector (emails) and how to use the Expel Workbench to do so. Then they can communicate their findings to our customers. Through this learning process, they’re also interwoven into the MDR service (think our SOC’s always-open Zoom room, chats and meetings) so they see the MDR operational tempo and texture.

As a result, phishing analysts focus on emails but also get exposure to more attack surfaces over time. So when there is an opening on the MDR team, phishing analysts can slot in and rapidly provide value because they’ve effectively been in MDR training for their whole time on the phishing team.

Because of these dual levels of exposure, we can draw out the learning timeline and have a lower technical threshold for recruiting phishing analysts because we can teach them how to do security at the MDR level while they initially provide value to phishing customers.

As a result, we’ve found that analysts who transition to the MDR service from the phishing team have a significantly greater familiarity with our customers, internal processes and the investigative methodology/analyst mindset we use — which they can put to use right away.

Our phishing to MDR pipeline enables analysts to join our SOC even if they’re new to the industry, gives them space to build additional skills and experience and our customers benefit from having them stay here as they continue to grow and have a clear path for career progression.

Increasing diversity in cybersecurity

This brings us to our second goal: increasing diversity in security.

There are plenty of high-performing people looking to get into security. And a complex service offering has traditionally required either hiring people who have extensive experience in the field so they can perform the job now, or a lengthy onboarding period where a less experienced analyst is learning and having to produce under high expectations and pressure.

Not only does this make it difficult to hire — it‘s one of the many driving forces behind the lack of diversity in our field. The barriers to entry for underrepresented groups in tech (and other industries) result in a lot of terrible things. And one of those is limited opportunities for people from underrepresented backgrounds to gain the years of experience that so many security jobs require.

Bringing on someone who doesn’t have the skills or knowledge to perform at the expected level impacts margins and puts the person in a bad spot for their mental well-being and likelihood of success. So we designed our hiring process with simple enough technical requirements and we focus almost exclusively on the traits of the people we’re hiring. These are important traits that’ll help them be successful in the role while we teach them the hard skills they’ll need to do the job. This hiring strategy dramatically increases the pool of potential candidates who have the enthusiasm and willingness to learn but maybe haven’t yet been given the opportunity they need to learn some hard skills. It lets us hire folks much earlier in their security journey and set them up for success.

Entering a new industry, and particularly security work, can be intimidating. So we start by teaching our new phishing analysts technical fundamentals for a niche area of expertise. This foundation allows them to grow and expand as they’re ready, and we tailor our approach to each individual based on their skills, strengths, growth areas, goals and personal life. Maintaining balance for each of our analysts is key.

We get to provide them with a potentially life-changing opportunity to enter the field and learn the skills they’ll need to succeed while they get to help our customers stay ahead of emerging threats.

In a rapidly changing global landscape, we need to make sure we’re prepared to quickly adapt. This doesn’t just mean building new capabilities and building automations that continuously increase efficiency. It means planning for personal leave for both planned and unforeseen circumstances so our team can take the time they need to recharge while making sure that we never skip a beat. We also need to account for promotions, job changes and training time for new analysts.

And we make sure that if an analyst leaves the team for one reason or another, we’re still resourced to continue providing the same high-quality service our customers expect. This is thanks to our streamlined initial training that gets new hires combat-ready in just a few weeks.

We also prioritize getting to know and staying in touch with folks who we believe will be a good fit for the team, even if we don’t immediately have a job opening for them. That way, when a position becomes available, we can reach out and find someone ready to enthusiastically step into the role.

Widening the talent pool

Our approach to hiring and training our phishing team has already paid dividends. We’ve promoted multiple analysts from our Expel Phishing team into our MDR service. And they’ve stepped in and provided Expel MDR-level service in just two weeks.

In May 2021, our phishing service became part of our 24×7 operations. Since going 24×7, we’ve seen a 500 percent increase in email submissions. And our crew transitioned seamlessly.

With equity at the forefront of our minds, we’re also excited about the incredibly talented people who’ve joined our team. So far, 31 percent of our phishing team hires are women and 44 percent are people of color. And by working in close collaboration with our Equity, Inclusion and Diversity (EID) leads, we plan to continue widening our talent pool to bring on the best of the best from different backgrounds and experiences. We know a focus on EID initiatives will help us create the strongest team.

Meet some of the crew

So, how’s it going for our new Expletives on Expel’s Phishing team? Here’s what they’re saying:

“I was so burnt out on applying for positions and going through lengthy interview processes that I was having major anxiety. Expel’s recruiter, Neiko, picked up on that immediately and went into ‘how can I help’ mode. This was my first major indicator that maybe Expel wasn’t like any other company. We talked, rescheduled and thankfully two weeks later I was presented with an offer.

I never could have imagined the trajectory my career has taken in such a short amount of time, but that’s the thing with Expel — anything is possible!! From day one, my team lead was proactive in asking about and helping me develop some career goals. I definitely credit our weekly 1:1’s as well as my growing responsibilities as a huge catalyst for me learning new things and strengthening my skill set. Coupled with the fact that you are surrounded by like-minded individuals who love what they do and are passionate about cybersecurity, you have a recipe for success. Both my team lead and senior analysts helped me thrive. From a junior phishing analyst to associate MDR analyst, cheers to an environment that fosters real growth!” Stacey Lokey, associate MDR analyst

“Breaking into the cybersecurity industry is not an easy task. Be prepared to edit your resume, prepare for interviews and just keep pushing ahead after hearing ‘no.’ Even when one does break into the industry, landing in an environment that is positive and actively promotes one’s growth is like finding a needle in a haystack.

Then there’s Expel, a company that not only looks for entry-level analysts but also provides a pipeline to become a career-level analyst. My experience with Expel was the dictionary definition of seamless. After speaking with the hiring managers and hearing many of their journeys to the security field, I knew I wanted to join the team. At Expel, it wasn’t only about the technical expertise of the industry but about who you are as a person and relatable skills that successful analysts tend to possess.” Dom Bryant, SOC security specialist

“My experience as a junior SOC analyst on the Phishing team greatly prepared me for a role on the MDR team. Working on malicious email submissions and BEC activity provided a great foundation for “working on the bad” (one of my favorite parts of the job). Additionally, although I was on the phishing team, our SOC is one team as a whole. It was because of this that I was able to gain exposure to MDR alerts, processes, incidents and even get some hands-on experience with the help of other team members. All of this experience led to me feeling much more calm and confident when transitioning to the MDR team.” Tucker Moran, associate detection & response analyst

“Starting out as a member of the phishing team allowed me to focus on a single alert type while getting familiar with all of the technology that Expel has access to, as well as the various customers we support. This experience allowed me to focus on developing my analyst skill set, while figuring out my personal process for triaging alerts. Given a few months in this role, I became comfortable with taking the next step over to MDR where we handle a much larger variety of alert types. While it can certainly be done, it was a much less overwhelming transition being comfortable with the different technology and processes before making the jump.” Kayla Cummings, associate detection & response analyst

Interested in joining our crew? We’d love to hear from you!