A significant aspect in building a good and effective security team comes down to managing the talent within your organization.
That’s according to Cory Scott, director of information security at Linkedin and keynote speaker at Infosecurity Europe 2016.
Scott said it’s important that companies are able to successfully find talent, evaluate it and lastly, retain it.
However, locating the right kind of talent in the first instance is where a large part of the problem currently lies, said Scott.
He explained that in recent research “We [Linkedin] took the total set of information security professionals broken down by region and industry, and took the number of active and open job postings for the industry; and in the US we found that there is a demand ratio of four people who are already actively employed in infosec for every three new, unfilled infosec positions that exist. There is far more demand than there is existing staff.”
“So, when I give advice to people who are looking for talent,” he continued, “I say, look around you; look in your existing company.”
Once adequate talent has been found, the next challenge companies face is evaluating it, something that Scott argues is no easy task. Several factors make it difficult: vague security certifications that may not reflect people’s true career interests; product specialization – lots of people know how to use a particular scanner, administer a particular firewall and apply a particular risk methodology, but can’t adapt to the more complex side of the industry – and educational factors.
Scott advised companies to abandon some of the more traditional recruitment screening processes like resume checks and instead urged them to implement bespoke, practical “work sample tests” that suit the specific needs of the organization.
Finally, for a company to truly build an experienced, effective security team, it has to be able to retain its talent in the long-term.
“The average infosec position lasts approximately 3.1 years,” and whilst this is not too dissimilar from other roles in engineering or operations in technology companies and the financial sector, “you’ll actually find that those in some positions, such as more senior management, tend to stick around longer, while those in entry level positions typically stick around less,” Scott argued.
“When you think about your strategy for retaining talent, a company has to address the employees working in these high-burnout, more poachable roles,” said Scott.