Over the last few weeks, I have had various discussions with colleagues across the information security field, at all stages in their careers. There is a significant amount of frustration that becomes clear in these discussions. As such, I want to socialise a few of the key themes that came out of the chats. Theme 1 sets the scene, but topics 2, 3 and 4 are where I’d like your comments. Are we serving the security industry well
Theme 1: An overarching theme is that the information security industry is woefully unable to fill all of the millions of open security roles that exist to protect companies today. This gap is expected to increase precipitously as security risks rise, and as technology continues to grow. Companies are seeing increases in security spending and attack surfaces evolve.
Theme 2: The next perspective comes from those who want to find their first role in information security. This demographic has completed technical training and formal education but is finding job descriptions for traditionally entry-level security roles (e.g. security operations, level 1 support, app testing) written with requirements well beyond entry-level. They find it extremely difficult to break into (no pun intended) the field despite the ongoing theme that information security is severely lacking people.
Theme 3: The final idea is about unrealistic expectations of the candidate pool by those writing job descriptions. Those writing these job descriptions are often seeking the mythical unicorn candidate for each role, are generally unwilling to compromise until they find that magical person. Additionally, there seems to be a hesitancy to bring in “ready-soon” candidates with potential, either from other areas within the company or external candidates, and take the opportunity to train them into the role.
Theme 3b: A derivative of Theme 3 is that security managers don’t have a complete idea of the types of people they need or want to hire. Therefore, they write job descriptions that are broad and all-encompassing as a way to not have to define specific requirements. Such experienced “utility player” security professionals are rare and expensive; therefore, this approach results in positions remaining open, unfilled. When hired, there is also a higher chance of disappointed candidates and hiring managers due to poorly-defined role responsibilities.
A few things that need to happen to resolve this dilemma:
- Hiring managers must realise that there are highly capable people ready to enter information security roles but don’t have previous security work experience. Take a leap, hire them and take the time to train them, and make them into the types of security professionals that our industry needs.
- Ensure that there is the time in schedules to mentor, coach, train and grow colleagues both in security and outside. We all have valuable experiences and perspectives to share with others. Let those that would like to benefit from learning from the traits that have made the existing security organisation successful and grow to become key contributors and leaders themselves.
- Work with HR teams, CFO, CEO and Boards of Directors to set appropriate expectations about what security professionals cost to hire, to train and to keep motivated. Adding security responsibilities to non-security jobs can be used for the development of colleagues that want to grow and learn the security field, with an eye toward a full-time move to a security role.
- Don’t relegate experienced security staff to entry-level positions unless that is an explicit desire by that staff member or a way to broaden to a new topic area. Security has a lot of room for growth, and with proper budgetary expectations set,
- Take a few moments to inventory the security skills you have and need. This inventory can be used to define roles in a way that they are genuine and reflect skills and experience that people are capable of having; no one has 15 years of AWS Security experience!
I appreciate your insights on these themes and approaches; please feel free to write them below for discussion. Also, If you have additional ideas that you have seen or experienced, please write them in the comments below as well. A meaningful discussion is the best way to help address this broader challenge.
Note: This is a repost of an article I wrote on LinkedIn earlier today. See below for the link to the article itself and referenced comments section so you can add your own to the discussion. Thanks.