Are you thinking about adding more senior resources to your security team? It may be that you are looking to create your first stand-alone security role or maybe you’re prioritizing security experience as a desired skill in your newest senior IT hire. If so, you aren’t alone. Recently, a workforce survey done by the International Information System Security Certification Consortium (ISC)2 projected that the gap for cybersecurity personnel will grow from 1.5M jobs in 2015 to 1.8M by 2022. This means that your plan to fill your position will have to be a strong one.
Finding the right security leader requires locating, qualifying, and then closing on a candidate who is operating in a turbulent seller’s market. Here are three steps that can help you succeed, while minimizing wasted time and effort.
1) Create a Sufficient Slate of Candidates
There are boutique recruiting firms that can connect you with their own network of cybersecurity personnel, but for those on a tighter budget, LinkedIn will provide plenty of fodder for your recruiting mill. At last check, over 200,000 members call out cybersecurity as a skill. To make the number of potential candidates more manageable, you can apply some filters, such as CISSP certification, industry, and years of experience.
Using the CISSP certification as a discriminator is not universally embraced, and in fact, I am not a CISSP. There are undeniably plenty of excellent security candidates who aren’t certified. However, given a dataset of over 200,000 candidates, employers with limited security expertise, and an amorphous market consensus on security skills, I recommend that organizations start with people that took time to learn and get certified on the CISSP material. In a survey of several hundred security analysts by ESG and the ISSA, 56% had acquired the CISSP and thought it was valuable.
2) Assemble a Qualified, Diverse Interview Team
It’s very difficult to interview candidates who bring an entirely new skillset to your team. In security, if you are hiring your first leader, there is probably no one on staff who will be able to ask the kind of specific questions that you need. So what to do?
You are likely to have some good resources among your vendors and your own contacts. If you are using an MSSP or are engaged with a security consultancy, they can help to create the position description and to vet the resulting candidates. If you are concerned about a potential conflict of interest, think about retaining some supplemental hours from a resource recommended by your network or your own IT people. Don’t shy away from this. In their “State of Cybersecurity 2017” report, 64% of ISACA respondents report that less than half of applicants are actually qualified, and an unqualified security leader can wreak havoc in a very short time.
In an effort to get the right cultural fit, remember that security is a job that is mostly defined by the needs of the organization. Being good at security also means being good at viewing the best practices of security through the lens of your business. When constructing your interview schedule, include other department members, like Engineering or Sales personnel, who are naturally going to have differing views of how security should be done, or how much security is necessary. You aren’t looking for complete consensus, but you can quickly weed out candidates who are too opinionated, or too parochial, for your corporate culture.
3) Deliver a Meaningful Opportunity to Join
Once you have found that rare and qualified match for your needs, how can you hook their interest and emotion sufficiently to get them on board? To differentiate your offer, you will need to meet the candidate’s need for mission and income, and there are other factors that will attract the best candidates.
A study of security professionals by John Oltsik of the Enterprise Security Group (ESG) showed that most professionals are looking for opportunities to improve their knowledge and advance their careers. Whether it is a formal plan for training, or a roadmap to increased responsibility and contribution to the business, the candidate you want is undoubtedly interested in adding value beyond firewall configuration, update checking, and negotiating anti-virus contracts every 3 years. Be honest with them about your budget and the relative priority of security, and where they will sit at the strategic table. Do your best to articulate the security concerns for the organization and be open to the way that your candidate thinks protection and response will best be applied.
You have already begun….
If you have taken the time to read this far in an article about finding a security leader to improve your protection, you are ahead of many of your peers. Most people will wait for an emergency, or on the exit of a trusted resource before they consider this step. Others will burn-out existing IT staff by underestimating the burden of today’s security technologies and events. Finding the right security resource will be a challenge, but there is a growing body of qualified professionals who will be attracted to a team that takes the time to understand and communicate their security needs with the same clarity and seriousness that they bring to their job.
About the Author
Jack Danahy is the co-founder and CTO of runtime malware defense pioneer Barkly, and a 25-year innovator in computer, network, and data security. He was the founder and CEO of two successful security companies: Qiave Technologies (acquired by Watchguard Technologies in 2000) and Ounce Labs (acquired by IBM in 2009). Jack is a frequent writer and speaker on security and security issues, and has received multiple patents in a variety of security technologies. Prior to founding Barkly, Jack was the Director of Advanced Security for IBM, and led the delivery of security services for IBM in North America.