One of the most discussed topics in the (cyber) security community lately is the workforce shortage in the field. While it is obvious that finding an appropriate security team is a real problem for almost all businesses, there are still a lot of things to be clarified in order to reach a common understanding of this issue.
First, I am frequently asked to recommend people for such jobs, but usually I am asked not for a security professional, but for a “hacker”, an IT security person, a network security person, or some other similar label. Questions like this come from C-level executives or HR staff, usually from non-IT businesses/organizations. This might look like progress compared with the lack of concern for security shown by these groups for many years in the past. But we still have a big problem: the way some HR professionals, or even C-level executives, research the workforce market for professionals says something about their level of understanding of the skills they need in the field.
Since I don’t want to upset the HR professionals or the executives I know, but still want to be very honest in what I have to say, I will not comment further on the reasons behind the lack of clear vision when they recruit (cyber) security personnel. Instead, I will write down some general advice and questions I always give when asked about the topic:
– What is the security maturity level of the organization you are recruiting for? Are they aware of any security maturity model, or are they following any security management standard/framework?
– If the organization is well positioned with respect to the above question, the HR professional should rely exclusively on that organization’s security manager to write the job descriptions for the entire security team and to interview candidates from a skills/knowledge perspective.
– If recruiting is done for a company at the early stages of building a security governance framework, it first needs an evaluation of the exact category of skills and knowledge that the HR professional should look for on the workforce market. This is not something an HR professional will ever be able to accomplish.
– If there is a need for security determined by a reason other than compliance, then the right name for that reason is RISK.
– If you know the risks your business/organization is exposed to, write them down; they will be the first filter when searching for a security professional.
– Small businesses/organizations and corporate environments/big organizations have different needs in terms of the resources allocated to securing their operations.
– In any case, everybody needs a risk-based approach, and only on the basis of such an assessment can one determine the size of the security team to be hired and the skills needed within that team. This is also NOT an HR task.
– Once the need is well described, I would recommend looking closely at the profile of the professional required by the identified need. If there is a need for a specific skill in security (network security, application security, information security and so on), then who will manage this category of personnel and who will assess their work?
– Does the organization need a security manager, then? Then look for an experienced security manager, not for a “hacker”, not for an IT engineer, developer, incident handler or any other hands-on technology person. They might be excellent professionals, but they will generally be unable to understand the business you are recruiting them for or the general security risk landscape, and they will never be able to speak the business and executive language needed to build and run a security framework adapted to the business and operational goals.
– Recruit based on the skills gap that needs to be filled, but also based on TRUST.
– TRUST is an area where security professionals and HR professionals can cooperate better 🙂
– A security manager is a job in itself, so don’t hire experienced managers for security; look for security managers. Their CVs and professional achievements speak for themselves. A simple, real-world test for a security manager is to explain (ad hoc, both verbally and in writing) a complex cyber security topic to a non-technical executive and to be able to sustain the same complex topic with a hands-on expert in an IT security discipline.
– Reduce the compliance burden on security teams: compliance is important, but it is not the same as security.
– Knowing that salaries are a big topic, I would simplify this topic as well: assess how critical security is for your business/operations and invest in it accordingly. An underpaid security role cannot be filled by a top professional in the field, or it could easily become a risk.
– The security manager (CSO, CISO, …) should report to the right role in the organization in order to be empowered with the appropriate decision-making authority and visibility.
– Assess investments in security using a risk-based approach. If you hire the right security manager, this should be easy to obtain; it is the first task to be achieved by a professional in this role.
– A lot of business flows generate or are exposed to security risks; make sure the security team is involved in evaluating/assessing them.
– Top management is a valuable target for criminals and other kinds of actors posing security risks to your organization, which is why it is very important to rely on security teams; sometimes, some risks need to be addressed even in top managers’ personal environment.
– Don’t invest money in the IT environment without security assessments. Even if you have the best IT team in the world, their focus is usually on functionality and efficiency, not necessarily on securing the IT environment.
– Invest in security education according to roles. A huge number of successful breaches and cyber-attacks still use humans as the attack vector, and humans remain the big vulnerability. Education remains one of the only controls that mitigate this risk.
– Even though I believe that everybody deserves a second chance, I don’t generally believe in “ethical hackers” who learned security by being criminals first, or in companies promoting themselves with such professionals. There is nothing to be proud of in having a criminal record. There are great security professionals who have earned their credentials by studying and researching without stealing other people’s data or money. And… if such a person has a criminal record, he/she wasn’t as good as they might think.
My personal belief is that, when recruiting a (cyber) security professional, an HR specialist should be supervised by a security manager or by an external high-level security expert.
Building a security team adapted to risks and business goals leads to an appropriate security maturity framework for any organization.
The starting points are humans behind security, not technology.
If the above comments are too general for you, or you consider them obsolete, then you don’t need security consulting services. But believe me, based on the discussions I have almost daily on the topic, and on the conclusions emerging from the big failures in building appropriate security frameworks that we see more and more often (WannaCry, NotPetya, BadRabbit and so on), I can fearlessly say that there are a lot of people in need when it comes to understanding how to hire people in security, starting with the basics.
And yes, I have put “cyber” in brackets on purpose… there is no cyber security without business and/or operational security, including physical security and personnel security.

Eduard Bisceanu | National Technology Officer, Microsoft Romania