Hiring the modern IT Security Professional

This post sponsored by the Enterprise CIO Forum and HP.

I just finished reading Rafal Los’ piece on the Enterprise CIO Forum titled Hiring information security talent a challenge.

Its a good piece that highlights the difficulty of hiring quality IT profiessionals int he security space.  In the article, Rafal highlights two key areas that he argues are causing the challenges…they are:

• The lack of technical talent
• The lack of business-savvy analysts

On the lack of technical talen, Rafal says:

CISOs I’ve spoken to primarily complain about the lack of skilled technical information security workers out there to hire.  The ones that are left are the low-level talent or fresh-out-of-college persons with only a command of the ‘concepts’ of security rather than the practice.

On the lack of business-savvy analysts, he writes:

When the CISO does find a technically qualified candidate the big question becomes does that candidate have the business savvy to be more than a blunt instrument?  What is critical for many security organizations is finding people who can apply security and risk principles to the business, and understand the business is the driver for security, not the other way around.

While I don’t disagree with either of these challenges, I’d also argue that another challenge facing many CISO/CIO and IT groups is much more fundamental. That challenge is the challenge of developing your people.

If you don’t train and develop your folks…and your competitors don’t train their folks…then of course there will be a shortage of good folks in the future.

Rafal goes on to offer the following solutions:

• Find a good recruiter to help find the right talent.
• Outsource/offload non-business critical work so your security people can focus on critical security tasks.
• Increase incentives to keep people on your team
• Work with HR to have them help you find talent within your organization.

While I agree these approaches are useful, there’s a few things that cause me to stop and think.

First…finding a good recruiter who can help you find the ‘right’ talent in the Security space is probably harder than finding the right security professionals. That said, its an ideal approach if you can find someone who has transitioned from IT Professional to Recruiter and can really dive into the backgrounds of candidates .

Increasing incentives will always help…but many times its not the ‘pay’ that drives people away. There are many reasons that drive people to change roles/companies. A few of these reasons (from my experience) are: lack of leadership; lack of advancement opportunities, lack of training opportunities, lack of challenges/new technologies….and there are many more.  So…saying that Increasing incentives will help solve the hiring challenge isn’t exactly true.  While it can help in some instances, it won’t help in all of them.

Rafal’s last point of working with HR to have them help find talent in the organization is a great idea. At every place I’ve ever worked, there have been people working outside of IT that had the right skills and mentality to work inside IT but they could never quite find the “in-road” to make the transition.     If the CIO and IT group can put a program in place to build up an internal (and external) identification program, the hiring challenge will be become a good deal easier.

Lastly..hiring for IT has always been a challenge.  There will always be the conundrum of hiring ‘new’ folks (those straight out of college) or hiring experienced folks. At the end of the day, its one of the many challenges that the CIO must face and find ways to work around.

Image Credit: escher_relativity by By williamcromar on flickr

This post sponsored by the Enterprise CIO Forum and HP.