Information security needs to cast recruitment net wider, says panel

Companies struggling to fill info sec roles should focus on finding people who can do what they need, not on qualifications, according to a security industry panel

Organisations can help to fill the cyber security skills gap by casting their recruitment net wider, according to a discussion panel at the (ISC)2 Emea Congress 2016 in Dublin.

“The security industry has a very narrow definition of an information security professional,” said independent security consultant Brian Honan.

“The industry needs not only traditional security people with technical skills but also people with skills in business management, public relations, sales and marketing,” he said.

There needs to be a clearer pathway into the information security profession for people with these and other so-called “soft skills”, said Jessica Barker, an independent cyber security consultant.

“From experience, I know there is no clear way into the industry for someone who has a background in sociology or human behaviour,” she said.

Richard Nealon, a member of the board of directors of the International Information System Security Certification Consortium, or (ISC)2, said organisations need to approach information security recruitment differently.

Instead of focusing on qualifications, he said organisations should focus on what they need people to do, and then look for talented people in other areas who fit that requirement, regardless of their age or gender.

“Recruitment should also be about finding the person who has the right range of skills to do a particular job, which is particularly relevant when recruiting security leaders, who typically are not technical specialists in any one area,” he said.

Some lateral thinking by recruiters is required, said Ade McCormack, a digital strategist. “They should look for people on the periphery of security, where there is often some overlap and a fairly high degree of understanding of the challenges and environment, and encourage them to consider committing to a career in security,” he said.

Barker said the unwillingness to draw from a wider pool of talent means organisations end up recruiting people from the ranks of those who have in some senses failed to address the problem.

“Some people wear 20 or 30 years’ experience as a badge of honour, but the problem has not been solved in that time and, while experience is important, we need fresh ways of thinking too, so organisations should be looking to combine experience with innovative thinking,” she said.

Understanding business

While technical [security] skills are important, Honan said information security professionals also need a good understanding of the business they are supporting.

“Ideally, they need to know where the organisation is trying to get to and not just focus on security issues, but few information security professionals read their organisation’s business plan,” he said.

Business understanding, he said, needs to factor into the recruitment process. At the same time, training for information security professionals also needs to focus more on the business aspects of the job, said Barrie Millett, an advisory board member of the Cyber Rescue Alliance.

“Information security training rarely includes some sort of grounding in business so that those entering the profession have the tools and background they need to understand what they can do for the business,” he said.

Long term, Millett said the information security industry needs to engage more with young people in schools and at career fairs to educate them about the career opportunities in security.

Short term, Honan said organisations need to assess what they can outsource and what they can automate to help address the shortage of information security professionals.

“I know of one organisation that was able to free up several people on the security team by outsourcing and automating what they could, and other organisations should think about doing the same and not be afraid of taking some risks,” said Honan.

Organisations should not only seek to build skills internally, said Honan, but also invest in people from outside by teaching them basic technical skills, which they can then combine with experience in other areas that is not as easily or as quickly taught or learned.

“Organisations need to think about developing people beyond the skills they have when they enter an organisation,” said Nealon.

“We need to stop treating people like commodities by hiring them for the skills we need at a particular time and then discarding them when needs change,” he said.

However, Nealon said people should not rely on their employers to provide opportunities for further development. “If your organisation is not providing the right opportunities, take the opportunities that you need elsewhere,” he said.

Honan said ideally there needs to be a partnership between information security professionals and their employers to find ways of adding value to individuals that will benefit both them and the organisation.