Cyber is quickly climbing the list of organizations’ top risks, but managing risk isn’t only about tools and training the employee base - hiring the right security staff is the most critical activity for managing risk.
In a detailed study of information security functions at Fortune 500 companies, CEB found that the single most important predictor of the function’s effectiveness is not policies, technologies, or company leaders’ “tone from the top” – it is security staff and how they are managed. Unfortunately, finding the right security staff is difficult, and getting harder.
As reported here recently, the issue of demand for cybersecurity professionals outpacing supply is predicted to get much worse before it gets better.
Most CISOs and their HR partners think that the way to solve this issue is to look harder for candidates with specific security experience and certifications like CISSP and CISM, but continuing to try to source more candidates with these skills takes a lot of work and a lot of resources, and is largely a wasted effort as those attributes don’t indicate strong performance.
While there is no panacea for the challenge of finding the right people for security roles, there are three common mistakes that CISOs can avoid that will put them at much better odds for success.
1. Relying on HR to do all of the work
Most recruiters are experts in finding staff to fill high volume positions, not niche areas like “cyber-hunter.” As a result, they often create inadequate job descriptions for specialized positions. They also don’t have a keen sense of where to look for good candidates, so they often end up trying to poach employees from similar companies, which just exacerbates the price war for security talent.
Rather than relying on HR to do all of the work, the security hiring manager needs to work closely with the recruiter to provide content and coaching on each step: creating the job description, identifying what to look for in candidates, recommending where to find candidates, providing true salary benchmarks, etc. For recruiters to return the candidates that security hiring managers are looking for in a timely manner, they need this level of guidance.
2. Hiring the wrong person for the wrong reasons
Those hiring security staff almost always look for candidates with some combination of experience in IT or security, a relevant technical college degree, and/or a security certification. However, none of these are predictive of success.
This isn’t opinion, it’s the result of scientific measurements. CEB has measured various competencies, as well as training and experience, of more than 350 information security professionals at 46 organizations, and correlated these with their performance reviews. According to the data, the most important things to look for in a security candidate are not technical skills, but five general competencies:
- Business results orientation
- Decision making
- Organizational awareness
- Analytical ability
Job descriptions that focus on technical skills limit the applicant pool, as many strong candidates may not view themselves as security experts. Because the five competencies above are the best predictors of success, CISOs recruiting for them will not only have a bigger talent pool to choose from, they will also build a more effective team.
Startlingly, fewer than 40% of today's information security workforce is proficient in any of these competencies except for analytical ability.
3. Ignoring what staff want in a job
Few job descriptions have a section on why the job is one someone would want to have, and if they do, it’s probably hidden at the bottom. HR professionals call this the “employment value proposition” or EVP. Most job descriptions lack an EVP, and instead are a long list of job requirements. Job requirements are essentially the reasons someone should not apply for a job: “If you don’t have X years of experience please don’t apply.” This is not a great approach in a tight labor market!
The EVP must also offer what security staff actually want in a job. Most CISOs would cite “money and location” as the top value propositions, but when CEB surveyed security professionals, neither were the number one reason applicants chose a security job. Instead, work-life balance topped the list. Money was the second driver, and development opportunities, stability and integrity rounded out the top five.
Most information security leaders don’t go in to the profession because they love talent management. But the most important job of a security leader is to build a successful team. Avoiding these three mistakes will help in hiring and retaining top security staff, which is a key ingredient for the success of the function.