It’s become apparent lately while reading through security job ads that most security people are required to be jacks of all trades. Compliance people need to also be security people. Or the fraud guy also needs to be the information security leader. Or the Head of Information Security also needs to be analysing the security event logs. Businesses are seeking one problem solver who can literally solve all the security problems.
Through experience and talking with industry peers, I’ve found that those who select a security staff member (and a team) with strengths aligned to strategy are achieving successful, realistic outcomes. So here’s 3 reasons why your security person can’t be all things to all people:
1. Human Nature. Even if you employ them to be a jack of all trades, they will play to their strengths. We all do it (across industries). This could mean that some original expectations are not met because while your board might always be up to date, if they are not a numbers person you might find your metrics are lacking. On the flip side, they may be brilliant at hands on technical delivery but they can't get out talking to the business so no one has ever met them (and lack of visibility spells death to a security function).
2. Budget. To find a candidate with enough experience to be able to keep all the plates spinning, you will need a hefty budget which most organisations can’t afford. If you have a security strategy that lays out exactly what your business can commit to from a security sense, let this guide what sort of a leader and staff you might need and what sort of outsourced support is required. This will establish what skills are negotiable when hiring.
3. Diversity. If you want diversity of thinking, chances are the person you employ will bring with them a variety of experience which still lends itself to certain outcomes and successes. Yes, leaders need to be skilled in addressing a broad spectrum of business challenges and sudden changes in direction. But in reality, finding someone who is brilliant at negotiating with vendors for example, may fail dismally at writing policy. And if writing policy is key to your strategy…you’re all out of luck.
It seems common sense to say that one person can’t fill the role of many. But with many of the jobs advertised today, it seems that is the expectation. When hiring, establish your strategy first so that you can appeal to the right candidate (or employ someone because their strength is setting strategy….remembering they may not be the one to deliver it). Could you reconsider some of the expectations detailed in your security job ad?