Skills Gap: 3 CISOs Offer Advice for Finding Talent

The cybersecurity skills gap is a topic that has garnered a lot of attention over the past years. For example, the talent shortage was brought up repeatedly throughout RSA, not only in sessions specifically about how to address the growing need for a strong cybersecurity workforce but also in sessions about specific cyber issues. If you are going to talk about what the threat landscape looks like and the battles being fought, you are naturally going to discuss the need for someone to do the fighting.

In a post-RSA article, I wrote in response to a cybersecurity skills study, “Cybersecurity is becoming more specialized. We are past the days when an IT person could be told to take over security duties.” Instead, the study by ESG and ISSA pointed out, companies should think about candidates whose skills fit a specific need—such as cloud security, application security or analytics—rather than a generalist.

That’s the opinion of analysts and researchers, but they aren’t the ones who are hiring cybersecurity staff. That would be the CISOs. At the Akamai EdgeWorld 2019 conference in Las Vegas last week, a panel of three CISOs provided their outlook on the skills shortage and what they are looking for.

Managing the Hiring Challenge

The talent shortage isn’t an American problem. There are 3 million unfilled jobs globally, so this is a problem that CISOs everywhere in the world are dealing with. The EdgeWorld panel, which included Iain Hunneybell, Global Digital CISO at Aviva; Frank Breedijk, CISO at Schuberg Philis; and Shane Watt, CISO at News Corp Australia, represented this global outlook. Yet, when asked how they were managing the cybersecurity skills hiring challenge, their approaches were similar. To bring in good employees, they suggested, companies have to think outside the box a bit. In fact, their strategy was almost the complete opposite of what was suggested back at RSA. Yes, cybersecurity is more specialized today, but you have to be creative in where and how you find your employees. After all, most CISOs ended up in security because of their IT skills, so they need to recognize that others can also gain the skills from within the job.

Companies need to measure job candidates by their aptitude, and not necessarily their current skills, the CISOs said. These are folks who are curious and are eager to learn and take directions, the ones who will do their homework and their research to find an answer. You might find someone who has the right skills, but if they aren’t able to come up with solutions on their own or need a lot of hand-holding from management, then those skills aren’t useful.

Quality Over Quantity

You might have the budget for five security professionals on your staff, but these CISOs are willing to go with a smaller staff if they have quality workers. Automated tools and technologies such as AI can help make up some of the shortfall. But overall, it is better to have the right team in place rather than fill a perceived quota.

The panel also suggested looking inside for your security needs, and not necessarily in the IT department. Again, it goes back to aptitude. Look for someone who has the tenacity to learn new skills or has been quick to pick up security awareness training. Offering internships to college students is another way companies can attract potential new employees. Internships give students hands-on experience while you get the security help you need, especially at an entry level, and an intern could eventually become a permanent hire.

When it comes to meeting the hiring challenge, CISOs need to be brave and be willing to embrace some risks. You might make a mistake and hire the wrong person, but you can move on from that. Accept that everybody is going to have some gap in their security knowledge—even the most highly experienced security professional will need to get up to speed for your company’s specific needs. The willingness to learn new skills is often more important than having the right skills.

Many security teams have vacancies that are open for months, the panel members said, so don’t be so picky. Rather, be willing to train new talent and take a few risks. Who knows? That new hire could be the next CISO.

Sue Poremba

Sue Poremba is a freelance writer based in central Pennsylvania. She's been writing about cybersecurity and technology trends since 2008.
