The past three years were difficult for information security organizations: threats continued to escalate, IT environments grew increasingly complex and the availability of resources to address these problems failed to keep pace with need. Thankfully, good news is on the way. Forrester Research Inc. is witnessing an early trend, arising in sectors such as thepharmaceutical and petrochemical industries, of increased information security spending. Of the three main areas where organizations will invest -- staffing, skills and technology -- staffing will present the greatest challenge to security leaders.
Despite the economic downturn and increased unemployment rates across IT, finding the right people for an information security team has become increasingly difficult over the past three years. This is a worrying trend and one that is only likely to escalate as austerity recedes and demand for quality staff increases.
Building an effective information security team requires myriad roles and skills, with a scientifically precise balance of technical and business understanding, threat insight and risk expertise. Such a balance requires the careful selection and development of individuals together with a fair amount of strategic planning and creativity.
In Forrester's Security & Risk Playbook, we advise security leaders keep the following seven points in mind when sourcing and selecting talent.
1. Consider a range of recruiting channels to improve your odds
In a challenging market, chief information security officers (CISOs) wanting to attract talent and build an effective team need to think outside the box. One CISO recruited the winner of a local cyber-security competition, whilst another brokered a deal with a local university to offer internships to outstanding candidates. Open your mind to alternative channels and work with your human resources (HR) department to create inventive and appealing recruitment initiatives.
2. Make sure to review key criteria at each step of the process
Once the résumés have been delivered, it's vital that the CISO rapidly review them to identify the candidates most closely aligned with the organization's needs. This is a challenging process, and CISOs should prepare themselves for an iterative process, removing the least suitable candidates at each cycle. Each review step is critical and, ideally, they should be completed in a specific order. To maximize your chances of selecting the right candidate, adjust your recruitment process to accommodate the following steps: 1) Review the résumés; 2) undertake preselection tasks; and 3) conduct the interviews.
Forrester is witnessing an early trend … of increased information security spending. Of the three main areas where organizations will invest … staffing will present the greatest challenge.
principal analyst, Forrester Research Inc.
3. Certifications provide insight into a candidate's aspirations
Forrester's research of the security market shows a clear trend: The opportunities are dwindling to become a security specialist who only deals with technology, and the majority of security roles -- even technical-facing ones -- now require the candidate be capable of business engagement. The necessary soft skills, such as relationship-building and communications, are commonly more difficult to teach than are the technical skills, and as a result, many organizations are opting to employ less technically experienced applicants, while understanding the need for training.
Within the security community, the hard skills are almost synonymous with certifications. These certifications started as the best intentions of an immature industry, but now many training organizations are jumping on the bandwagon in the hunt for profit. Whether you believe the certifications to be a true indicator of talent or a marketing cash cow is irrelevant -- certifications are here to stay, and the choice of certification does say something about the applicant.
4. The right candidate wants more than money
Any job interview is a two-way engagement. It's important to give a candidate the opportunity to clearly verbalize the responsibilities, challenges and rewards they seek, as this information will help you create an offer and ultimately an experience that the candidate will be unable to resist.
In a competitive marketplace, be creative with the compensation package and make sure that the candidate knows the offer is crafted just for them. Consider proposing unique benefits that appeal directly to his or her primary motivators.
5. It's better to retain than recruit
The attackers and threats that you hire an information security team to address don't pause to accommodate vacant positions and "training days," so it's always better to retain than recruit. From a financial perspective, the cost of replacing a member of staff is always significant and tapping existing staff can be the more frugal option. However, this must be balanced against the available skill sets and the value of fresh thinking. Don't be caught out by this financial differential; Forrester learned that the executives at one global organization were surprised at the salary rates they would be expected to pay to replace a departing CISO. They decided that they could not afford a direct, like-for-like replacement and sourced internally instead.
More from Forrester on information security strategies:
Mobile operations and security specialist makes mobile strategies sing
Realities of risk today require a chief business security officer
6. Engage with staff to drive loyalty and retention
Don't fool yourself: In this marketplace, every one of your good staff members is regularly taking phone calls from recruiters and potential employers asking if they're interested in alternative roles. As the market heats up in the coming 18 months, they will receive even more tempting offers. If you don't breed loyalty, they will leave. Think through your retention strategy, and plan to retain rather than replace good talent.
7. Extend your network with dignified farewells
Every great relationship comes to an end sometime. As a security leader, your role is to challenge and develop your staff to become the best that they can be, and hopefully they will reward your support with high performance and loyalty. Sometimes, however, the organization will be unable to accommodate the growth needs of a staff member, who will need to move on to find the next suitable challenge. Work to ensure that your ex-staff are your greatest proponents, as their connections and influence will reward you many times over during your career.
Andrew Rose is a principal analyst at Forrester Research, where he serves security and risk professionals.