In the ‘advancing security leaders’ panel at (ISC)2 Security Congress EMEA in Dublin, a panel of industry experts discussed how to recruit and retain the best information security talent.
- Chair: Dr Ciaran Mc Mahon, director, Institute of Cyber Security
- Richard Nealon, board of directors, (ISC)2
- Dr. Jessica Barker, independent cybersecurity consultant
- Ade McCormack, digital strategist, author and Financial Times columnist
- Brian Honan, independent security consultant and founder and head, IRISSCERT
- Barrie Millet, Cyber Rescue Alliance and former head of resilience, E.ON
Is the information security industry looking for the right people to fill the skills gap?
Brian Honan: We actually need more skills in the industry, to broaden who we work with and who we meet. We need good business management skills and excellent PR. How we promote ourselves as an industry needs work, so we need to expand what we’re looking for in terms of recruitment.
Jessica Barker: It’s right to focus on technical skills to some extent, but those skills are much easier to teach – I’m testament to that. There are many young people who want to focus more on human aspects of cybersecurity, but they don’t know how to get in and they ask me for advice on how I did it (with a background in sociology). Unfortunately, there are no clear pathways into the industry without a technical background and that’s something we need to work on. We need to focus on helping people with more human backgrounds get into industry because we desperately need those skills.
Barrie Millet: We need people that understand operations and the challenges around them. Those from technical IT programs don’t spend enough time in the business itself. There is a huge opportunity to help the new generation who are fundamentally guided towards a technical career, to give them the business grounding too.
Ade McCormack: There is not enough good security talent on the planet, and what we need is a good balance of commercial understanding with an understanding of innovation and failure. Security professionals need the ability and authorization to stress test security architecture too.
How are organizations approaching recruitment?
Richard Nealon: When we look at talent now, we’re looking for a much broader skillset. It’s really hard when HR departments go out looking for potential leaders, as it’s difficult for those recruiting to know exactly what we want them to do because the nature of our [information security] jobs has changed so much. From a security leadership point of view, however, you certainly need to recruit a broad skillset.
Brian Honan: We still need security professionals to have strong technical skills – there has to be an understanding of how technology works. Security professionals must read their organization’s business plan – how can you be a leader and direct a security plan when you don’t know what the business plan is? Security professionals always need to be aware of the bigger picture.
Where are we going to get the next generation of security talent?
Ade McCormack: Start by finding a recruitment company that isn’t playing buzzword bingo. The problem requires lateral thinking, to find people that work on the periphery of security and encourage them to commit to a career in security. Even if we get colleges producing the next generation of talent today, we’re looking at another eight years before they are ready to be placed and close that skills gap.
Barrie Millet: For the long term, we have to get into schools and career fairs and engage with young talent and socialize the opportunities that are available in the industry.
This morning’s keynote talked about Critical National Infrastructure security vulnerabilities. How are we placed to handle that given the skills gap?
Barrie Millet: As long as we recognize the threats out there, and don’t bury our heads in the sand, we can respond to the threats of now and the future.
Brian Honan: Our industry tries to create a culture of fear, and we also have a culture of victim blame in the industry. In the physical world, if a person gets mugged in a park, they are the victim. In the cyber world, if an organization is breached, the CEO of the breached company is portrayed not as the victim, but as the one to blame. We need to address that as an industry. We also need to think outside the box and not be averse to taking risks with our own careers.
Ade McCormack: We’re in danger of thinking that the security problem will be resolved by throwing good talent at it, when we have to acknowledge that the bad guys are better organized at working together. I advise the industry to talk to each other, and develop collaborative ecosystems within your organizations that match your foes.
Richard Nealon: We are our own worst enemy: We say we have a huge skills gap, but there’s a lot of people out there who are very talented that we could develop as great security professionals. We need to stop being restrictive, consider the diversity gap, and change what we’re looking for.
Often, recruiters won’t consider talent if they don’t have letters after their names, so the demand side is narrowing potential candidates to such a narrow field. Is this an error?
Barrie Millet: We need better education of boards who have a pre-determined idea of what they want. I’ve taken a risk on staff that I’ve recruited, bringing them in from different areas, and they’ve been truly successful. We need to pull down the barriers by shouting about those success stories. Our traditional route to market obviously isn’t working.
Jessica Barker: A lot of industry professionals wear their 20-30 years of industry experience as a badge of honor, and so they should, but the problems haven’t been solved in the past 20-30 years. So we do need fresh perspectives and new ways of thinking. That experience needs to be combined with new talent and new perspectives.
Brian Honan: If we’re going to hire people from outside of a traditional security background, to keep the board happy we could develop programs that develop that talent. Invest in people by offering them training, and giving them that education.
Ade McCormack: Remember that the market often values value over experience, so when writing your LinkedIn profile, focus on the outcomes you’ve delivered.
Once you have recruited that talent, how can you retain it?
Richard Nealon: We recruit people and expect them to have skills and talent, but we’re not interested in developing them past that set of skills. We bring them in and dispose of them, rather than develop their careers. I’m a firm believer in life-long learning.
Brian Honan: Look at ways to add value to your staff by offering them development and training. That will help retain talent.
Barrie Millet: If I invest in training someone and then realize I have no way of retaining them, as long as they go on to have a bigger and better career in the industry, then I’m happy, because I’m contributing to the industry.