Security Think Tank: Identifying, attracting and keeping the right IT security talent

What strategies can organisations use to ensure that they are able to hire the information security professionals they need and that good candidates are not being missed or overlooked?

There has been much talk of a cyber security skills gap in recent years.

There has also been talk of skills gaps in other professional services – law, finance, engineering and medicine. Even the teaching profession bemoans the lack of mathematics and science teachers.

The gap is multi-disciplinary and nationwide. Do not be fooled by the industry-specific media. As a country we are emerging from a recession. We are growing. Unemployment is falling. We are all busy.

Skilled professionals do not have a shortage of work, so why should they jump ship and help fill your own company’s cyber security gap?

We are in a candidate-driven market, which may come as some surprise to companies that think they are the best thing since sliced bread.

Companies might feel they are in a comfortable position, having been able to employ everyone else in their IT Departments at bargain bucket salaries.

Perhaps incorrectly, they are seeing cyber security resource as an IT function, whereas really these are resources you should be employing to secure every inch of your organisation – the board included.

Attracting security talent

If you want the best cyber security resource, you need to make a compelling offer. 

It is not about the money. As a seasoned consultant myself, I like a challenge. I like to work on new, emerging things and stay on top of my game.

I do not want a job governing security on legacy Windows 2003 systems and supporting a company that puts cyber security last on its list of priorities.

That is bad for two reasons: I am unchallenged and my name is in tatters when these systems get breached. 

I want the company I work for to be forward thinking. I want cyber security to be on the board’s radar. I want the resource and budget to take companies to the next level and defend them against the exponential increase in criminal talent.

If your company does not take cyber security seriously, then true cyber security professionals will never take you seriously and you will end up employing the bottom feeders of this world.

Said bottom feeders will work with you to get experience and fill their own personal skills gaps, before they leave with everything they have learnt to better pastures.

Importance of cyber security experts

Sometimes I feel seriously undervalued. To get where I have got to, it feels like I have undergone the training and experience similar to that required to become a brain surgeon.

I do not want to sound elitist, but employing the right cyber security resource is just like choosing a company solicitor, accountant or your next CEO (assuming you have just had a major data breach).

Skimping on cost undoubtedly means skimping on quality, and widening the margin for error. Employing inexperienced cyber security resource means more exposure to cyber security incidents – period.

Good, reputable professionals are out there, but they already have jobs and – in most cases – good ones.

They are not going to budge unless your company can offer them something better, and that does not just mean in financial terms.

The alternative is to bring in a less experienced resource, and invest in quality training to get them where you want them to be. Taking on less experienced resources and expecting them to “learn on the job” is not a good idea.

Measuring the skills gap

The right approach to closing the skills gap is not just to hire a security consultant for your company.

Undergo a thorough security audit across the whole company. This does not mean a skills-based audit, but one that identifies weaknesses in your company. Then go out and employ staff that can address said weaknesses.

Do not go off and hire just anyone who is great at authoring security policies and procedures, when you already have them in place. Do not go off and hire a top-end firewall expert, as it is extremely unlikely firewall management is ever going to be identified as a security gap.

Instead, employ someone who is going to help take your company to the next level and secure your gaps before a criminal comes along and exploits them.

Tim Holman is CEO at 2-sec security consultancy.
