Many organizations struggle with the challenges of information security on a pretty constant basis. Size, complexity, and market segment have little to do with most of these challenges, though certainly some sectors are bigger targets than others (government, banking, healthcare, etc.). The greatest of these challenges isn’t about risk management or strategy, or any other traditional security concern per se – the number one challenge is in finding the right people to do the job!
A big part of this challenge stems from our own perceptions, beliefs, and biases though – and has little to do with the reality of the situation. Yes, we need more trained and experienced security professionals to meet the rising demands of organizations that are concerned with information security, cyber warfare, and the like. But there are already a number of extremely talented security professionals in the marketplace today who, because they don’t meet certain ‘standards’, are often passed over for consideration.
As an employer, HR professional, or hiring manager, it’s important to understand who and what security professionals really are – and what’s needed to be successful with security initiatives before diving into the hiring process. Security professionals are a rare breed. As I’m often fond of saying, “we’re paid to be paranoid”. It’s more than that though… Some of our dominant character traits include a degree of suspicion and pessimism, but they also include a desire to explore, to question, and to speak our minds.
We aren’t generally ‘normal’, 9 to 5 people who can just go in, work for a few hours, and head home without giving our professional responsibilities a second thought. Most of us have a tremendous amount of personal and professional pride in what we do – and we worry (constantly) about what might happen on our watch. We have a vested interest in the security outcomes we create or influence on a daily basis. Many of us are quite guilty of taking things personally as security professionals because to us, it IS personal!
These factors have both positive and negative consequences for many employers and hiring managers who may be used to dealing with the nuances of IT personnel in general, but who are a little taken aback when it comes to the increased level of ‘care and feeding’ that may be required when working with dedicated and outspoken security professionals. Or when meeting those of us who insist on crazy hairdos, beards, tattoos, etc., and may not show up at job interviews wearing a traditional ‘suit and tie’. We may also lack some of the social graces you may be accustomed to – but none of these initial reactions, perceptions, or biases should influence your decision making process…
Before I go any further with my line of thinking here, I want to point out that I am STILL a FIRM believer in taking a holistic approach to one’s own professional development – through a combination of training, education, certification, etc. I consider these to be signs of a well-rounded security professional who has put the time and effort into developing their portfolio and earning the moniker of being a professional in the field. What matters most though is the SKILLSET of the individual – a fact that is often overlooked when seeking someone to address an organization’s security needs.
There’s also the matter of aligning the right skillsets to each type of security role that exists. More often than not, organizations try to find everything they are looking for in a single candidate (deep technical expertise, business acumen, communication skills, etc.), and are surprised or disappointed when they discover that there are VERY VERY FEW security professionals who can claim expertise or demonstrate character traits that are consistent with ALL of these expectations. In truth, you usually need more than one individual if you want to succeed. Diverse backgrounds, opinions, and areas of expertise are ABSOLUTELY ESSENTIAL to creating a protective security strategy that will actually work.
Yes, if you are a small business you may simply look to your one-deep IT manager to handle your security needs, but you’d still probably benefit by bringing in temporary help from time to time to make sure that you have the right controls in place (ones that are properly suited to your business needs). If you’re a bit larger and able to bring in a dedicated security professional – you might be able to find a candidate who has some balance of technical and business expertise, but it may take a while. If you can, your best bet is to have at least two people in place to help address your security needs – one with a strategic business focus to help drive the people and process side of things, and a more technically savvy security engineer who focuses on cyber security and systems management.
Even then, you may still find that the security field is SO BROAD that you need different skill sets and different people to address more granular needs. This is where diversity becomes increasingly important – and is often applicable in larger organizations that are big enough to warrant one or more security teams to address specific security issues. This is where things begin to get more complicated though, because now you’re talking about requirements for a dedicated CISO type, along with audit and compliance professionals, policy and program folks, architecture and engineering experts, and so on. The mission may even get sub-divided into operational, tactical, and strategic security aspects.
The bottom line here is that it can be hard for an organization to find that ‘one special person’ who can do it all – and still meet your definition of a ‘professional’. So how do you go about finding the right person for the job then? Especially when you are a one-deep shop, or don’t currently have a dedicated security professional or an experienced security opinion on hand? We’ll talk about that next time – for now… just be open minded, focus on skills, and be a little forgiving of our unique quirks.