Photo Credit: Brad Arnold via Compfight cc
We hear it every day. We read it in every article: It’s the Great InfoSec Staffing Shortage, Charlie Brown!
…except it isn’t, if you are willing to think outside the box, think about how we develop talent, and do it yourself. Traditionally, most technology and InfoSec job postings have demanded certifications and expert-level experience with multiple technologies, even for entry and analyst-level positions. Oftentimes, these positions literally want an ‘ideal candidate’ who can’t possibly exist in reality, the ‘shoot for the moon, land among the stars’ approach… If you don’t believe me, go look at the job boards. MCSE for a Helpdesk position. CISSP, CISM for an entry-level security analyst position. 10 years of experience for a technology only five years old.
I don’t dispute that there is a shortage of filled positions within InfoSec. But there are LOADS of passionate people who want to break into the field, who can’t get past the HR/hiring manager chicken-and-egg of ‘no experience, but I can’t get experience because I can’t get an InfoSec job.’ (Tangentially, I might even be so bold as to suggest that our industry could benefit greatly from such an influx of people with passion and diverse backgrounds and perspectives.) The catch – and to be fair, it is a big one – is that you must be willing to train them and mold them, which requires a time investment, as well as a commitment to their professional growth. There is no such thing as a Calvin and Hobbes ‘Transmogrifier.’ You have to find your own diamonds in the rough, and cut them and polish them, not just to fit your particular needs, but so they can shine in their careers down the road. We get so hung up on finding the right person, who can be an immediate contributor, whose knowledge and experience can bear immediate fruit, that we miss the people who can see problems in a different light or from a different perspective, especially those who have a business background relevant to your particular industry.
Propagating talent within your organization is much like being a farmer: your crops require constant cultivation, some attention, and investment, whether it be plant fertilizer or professional development and training. In the long run, you gain more by having your own garden of talent than by essentially relying on others to do the work of molding and shaping. Plus, home-grown people are far more in tune with your organization than a ready-built, one-size-fits-all, cookie-cutter worker.
I am fully convinced that tomorrow’s leaders in information security will increasingly be those with MBAs rather than computer science degrees. For businesses to accept information security as part of the discussion of business strategy and alignment, they will look to their own people to leverage their business acumen to drive security solution integration and acceptance into their environment and culture. When you are hiring, make sure you look at the total package of what a candidate can offer, not just their technical chops, because technical skills can be taught, but soft skills can make or break an InfoSec career. Competency = Skills + Knowledge + Behavior, and attitude is far less important than aptitude. Poach those employees already in your organization who have demonstrated competency, and you will be setting yourself, your organization, and your employee up for long-term success.