Last week, Granite Consulting kindly invited me to facilitate a (very) early morning discussion about the cyber security skills shortage. Around the table, opinions were offered about the soaring number of new security job vacancies. We questioned how many businesses have taken the time (before recruitment begins…) to understand what their security posture is, the skills the business needs and what value can be added through a security function. And from the job seeker’s perspective… of the available roles, how many of the candidates applying truly know what they are getting themselves into if they are successful in securing the job?
Companies often excitedly bring in permanent security staff without consideration for where the team is coming from (or going) and what outcome they require. Asking new staff to come in and ‘make it secure’ isn’t enough to entice qualified security people out from where they are currently valued.
Without knowing how the business got to where it is today and what the path ahead looks like, it is impossible to effectively recruit for security-related roles. This forces some hiring managers down a path of seeking candidates who are more senior or specialist than is required, possibly with a bigger price tag than is necessary. Companies with clearly articulated security goals can provide candidates with an understanding of the value they can bring by joining the business. This clarity creates great opportunities to seek candidates without traditional security backgrounds where they may offer skills that better align with the required business outcomes.
Our allocated hour came and went thanks to some welcome rigorous chatting and violent agreement. Across Granite’s boardroom, we discussed the employer’s responsibility to see the job vacancy as more than purely filling a role. There is nothing more frustrating than beginning a job in security only to find that before you can deliver any results, you must first justify your existence. Companies define a bigger picture for marketing or product development… and security is no different. Whether it’s a simple strategy or a detailed roadmap, a clear commitment to more than just security headcount leads to a sustainable security function and makes attrition less likely. The detail may change over time, but if hiring managers have enough information to be honest with themselves about why they are hiring, and honest with the candidate about the near-to-medium-term expectations, incoming security staff will have a sense of their fit with the security culture and priorities of the employer. With this in mind, why are some organisations not forward thinking about a better story to attract and retain the right security people?