
Security Think Tank: Focus IT security recruitment on risk management

What strategies can organisations use to ensure that they are able to hire the information security professionals they need and that good candidates are not being missed or overlooked?

When an organisation is looking to hire the information security professionals it needs, it should start by understanding what it is trying to achieve.

This will help to remove one of the perception stumbling blocks and stop organisations from looking purely at IT security professionals.

Information may be digital, but it may be several other formats too, and the risks to it are not purely digital.

The competence is around risk management firstly and an understanding of information assets. It is also around understanding business imperatives and where risk and risk to information sits in that, as well as a comprehensive grasp of how information needs to be used to best securely serve the organisation.

Do human resources (HR) departments and recruiters understand what an information security professional does?

Infosec professionals themselves might struggle to offer a comprehensive definition of the role.

Expecting recruiters to instinctively grasp this evolving and highly nuanced role is clearly going to be a big challenge; if we don’t know what we want, how will we know when we see it?

Using competency-based schemes – such as those developed by SFIA, IISP and CESG – will give us a good starting point.

Apprenticeships and retention

Grassroots-style apprenticeships are an option, as there are apprenticeship schemes for cyber security. Although the size of the organisation may affect how this approach is applied and how far it can flex, the bottom line is that the youth of today are the professionals of tomorrow.

Plugging into and getting involved with things such as the Cyber Security Challenge is a great way of talent spotting. Apprentices can grow and evolve with the business and understanding of the changing threat landscape over a long period; embedding that bespoke knowledge is very valuable and can only contribute to organisational resilience.

There is, however, a clear reluctance to recruit apprentices. This reluctance may be due to businesses not understanding the value proposition they offer, and it may be due to the IT focus that many recruiters still have when it comes to information security or a basic lack of understanding of modern apprenticeships.

For those organisations seeking more experienced/qualified security professionals, the military resettlement schemes continue to offer fertile fishing grounds, as the military continues to discard well-rounded security practitioners.

These individuals consistently prove to be knowledgeable and – much like myself – come from a hobbyist-practitioner background. Therefore, they are highly motivated by the craft and not just the reward.


Finally: Retention, retention, retention. These valuable assets are a scarce commodity, and businesses need to understand how to improve their psychological contract of employment to capture the nuanced needs that information security professionals have.

Business must also understand that the correct environment will form a pivotal part of the package and drive the long-term loyalty required to maintain the organisational resilience mentioned earlier.

In summary, spend time understanding the requirements; have an open mind on how to meet those requirements; build resilience in, and work towards “future-proofing” by considering apprenticeships and making sure you explore the full range of sources, such as the military.

Mike Gillespie is director of cyber research and security at The Security Institute.
