Security Think Tank: HR and IT security collaboration key to skills crisis

What strategies can organisations use to ensure they are able to hire the information security professionals they need and that good candidates are not being missed or overlooked?

The human resources (HR) function plays a key role in business strategy and is now being called upon to help build and develop the cyber security workforce of tomorrow.

The Threat Horizon 2018 report from the Information Security Forum highlights the gap between board expectations of information security, where boards believe that increased funding has addressed information risk, and the reality of today, where improved skills and capabilities are required to address information risk more fully.

There are short- and long-term approaches to tackle this issue.

In the short term, the information security function needs to work with HR to develop a set of cyber security competencies and capabilities. In addition to the necessary in-depth technical capabilities, non-technical skills need to be included in these competencies. Examples include risk management knowledge, interpersonal skills and an ability to engage with the organisation outside of the core information security function.

Without doubt, there are very few “all-rounders” who can be deeply technical and exhibit the full range of non-technical skills. The HR and information security functions must therefore work together to develop profiles based on the developed competencies to recruit and retain individuals who can provide a good skills balance in a team.

This group of professionals must be brought together by strong leadership, and – perhaps somewhat contentiously – the “old guard” of cyber security needs to move with the times and be more open to new ideas about the composition of the team responsible for information security.


There are a number of competency frameworks, such as the one from the National Initiative for Cybersecurity Education (NICE) in the US, that can help in developing a series of profiles for information security roles.

In the longer term, the framework needs to be incorporated into a strategy to address an organisation’s requirements for its cyber security workforce of tomorrow, including an all-important retention strategy.

Maxine Holt is principal analyst at the Information Security Forum (ISF).
