Recruiting for cyber security: What businesses need to know

When it comes to cyber security, figuring out what you need is the easy part. Figuring out who you need can be tricky.

Cyber security has gone from being a diversion for amateur hackers to a legitimate business threat. Attacks on infrastructure now represent a major concern for organisations of all sizes, meaning cyber security professionals are currently in incredibly high demand – and accordingly in limited supply.

There have been multiple very well-documented cyber attacks in recent years. The high-profile hack at Sony Pictures, for example, saw the release of a huge amount of confidential data, the contents of which forced the resignation of its chairperson. The scale and sophistication of the attack was alarming and reinforced the legitimacy of the threat landscape.

Equally, new cyber security standards imposed by both UK and EU regulatory bodies mean companies are now legally required to properly protect their information.

New pan-European data privacy laws and government programmes such as the Cyber Essentials Scheme mean companies could face heavy penalties and potential jail time for negligence. Where the latter is concerned, a company may even be prevented from bidding for new business if it falls short. 

Understanding the skills gap

However, the heightened demand for cyber security requirements can also be put down to factors well beyond the IT industry’s control. Skill shortages in science, technology, education and maths (Stem) subjects, for example, are worryingly high, but this is something the government, schools and universities will have to address rather than tech companies. 

Equally, there is no denying the effect of modern working practices. Bring your own device (BYOD) and remote working have changed the office for the better, but the more agile a business becomes, the bigger the security threat.

The demand is a consequence of how quickly technology is evolving, while skills at the maturity required to satisfy it remain in very limited supply. Companies compete heavily for such candidates, draining the talent pool of the most obvious prospects for a new cyber security team.

Bridging the gap

The first thing to understand is that an “out of sight, out of mind” approach to security is likely to have poor consequences for your business. It is not something that should be thought of as an “add-on” to your IT department, or as part of a compliance tick-box exercise. Treating it that way will ultimately result in disconnect and conflict, as well as leaving you exposed to outside threats.

Security is an organic process which should be aligned with the wider business objectives, which means understanding the complexities of an organisation to understand its security requirements.  

It is why CISOs are now expected to understand business strategy and the bigger corporate picture. Being strategic about your search criteria and trying to proactively align your hires with your business goals will yield better long-term results.

Creative search

The positions you need to fill may not even exist or might be in limited supply, especially where your organisation is most innovative. Taking a macroscopic view in understanding the key drivers and the objectives – as well as finding complementary technology solutions or processes – will be the key to unlocking your challenges. This will ultimately broaden your search area and enhance your possibilities.

Partnering with educational institutions seems to be an emerging theme. As research-led entities, universities can potentially have access to the best and most up-to-date information in the cyber security field. Collaborating with their academics on developing these courses can be a good way to access the information you need to formulate your recruitment strategy. HP, for example, has recently done just that with the University of East Anglia.

Whatever you do, a robust security strategy should be a top priority for your business. Where possible, it should be integrated from the very start. Retrofitting it to an unsuitable IT infrastructure is a much harder task, and even more so in this hyper-competitive market. 

It is easy to think that, because cyber security is a “hot button topic”, it is also overblown – like an IT version of swine flu. It is also easy, even if you do acknowledge its importance, to allocate resources to other, seemingly more business-critical departments.

Both attitudes are mistaken. Last year, cyber crime cost companies across the world $445bn in revenue, and 150,000 employees are expected to lose their jobs due to downsizing related to these attacks. The reality is that there is nothing more business-critical than a solid cyber security strategy, because without one you may well end up unable to do business in the first place.

Simon Kouttis is technical lead at recruitment firm Stott and May.
