The U.S. Department of Commerce currently estimates that there are more than 350,000 cyber security jobs unfilled in the U.S. alone, and that this number will likely grow to more than 3.5 million by 2021.
Why so many unfilled IT security positions?
One factor is that many IT security shops make hiring a practical impossibility by listing complex matrices of ambitious IT-focused scholastic achievements, IT security certifications, and narrowly defined applicable skills and experiences. Many of these targeted individuals are not available in any but the most active markets, and when they are, they usually come with high premiums that the hiring company cannot support.
In this age of intelligence-led security, do all these requirements continue to be truly critical for every IT security position? Are there options? How should employers approach open IT security jobs to ensure best fit?
IT Security Roles Must Focus on Specific Outcomes
As an initial starting point, organizations should consider each open IT security role as a set of capabilities required to achieve specific security outcomes. Organizations then need to determine if all the listed capabilities and outcomes are elements they strategically want to internally source and invest in long term.
Some will be considered critical for an organization to own and operate themselves to meet internal security operations goals. Others will likely not be supportable long term because of many factors, including cost, availability and the lack of desire or ability to adequately support and maintain. Creating a role with capabilities and outcomes that cannot be supported on an ongoing basis is a risk itself. As such, these should be strongly considered as outsourcing candidates.
IT security as a function must first focus on the specific security outcomes it critically needs to be good at, before expanding beyond this core. This is often a difficult realization to admit.
At minimum, organizations need to own the decision-making process that determines if something should be done or not to address a specific applicable security risk or issue. This requires an understanding of IT security, internal IT operations and overall business impacts, but it doesn’t necessarily mean that this assessment process can only be performed by top and hard-to-acquire talent. This is where informed decision-making using intelligence-led security principles comes into play, and becomes a key enabler and force multiplier for all staff.
IT security organizations typically forget that many disciplines outside of IT security require critical thinking skills that are fully transferable to an IT security decision-making environment. Many of these disciplines also require formidable sets of IT skills to support the analyses in their own field, and that these IT skills are also directly applicable to support IT security outcomes.
Instead of locking in with blinders on a defined role or position to be filled using an IT security specific pre-assigned job description and title, organizations should consider looking for candidates that can meet the essence of the required capabilities to support the IT security outcomes planned for this role.
This is when being creative in the hiring process becomes a critical component to unlocking successful hiring.
Which Threats Are Real Threats to the Organization?
One of the most fundamental and difficult things IT security operations has do every day is simply determining what security issues are the most important to focus on today.
Not all threats are active threats. Not all active threats have security impacts. Not all security impacts are critical or applicable to a given organization. Quickly determining which threats are critical to the organization is key to optimizing the use of resources.
Many IT security shops waste resources building out internal capabilities that focus on performing this triage from a raw data stage to a refined intelligence finding. An intelligence finding is then reviewed to determine if it is applicable to their environment, what its impact is, and finally how to address it.
How much of this process is a core capability that should be owned by the organization itself?
Unless it is considered a critical and distinctively competitive differentiating function for an organization, outsourcing intelligence data gathering, analysis and generation of intelligence findings is most likely the best option. This eliminates the need to internally support one of the costliest and most difficult to find, support and keep resources in IT security: threat intelligence analysts.
If intelligence is viewed as a core capability, consider looking for someone with a liberal arts major or more specifically a journalism background. These individuals have been trained to analyze large and disperse data sets, synthesize findings and produce reports with full documentation. The technical part of the job is actually much easier to train when matched with the right candidate.
Once a threat finding has been identified as applicable, the next step is to define the scope of its applicability. This is where automation and basic coding skills come into play. By identifying the parameters encompassing the threat identified in the intelligence analysis and searching the environment for them, IT security teams can quickly lock in on potential problem areas and determine the best course of action.
For most organizations, this is the outcome they are looking to achieve out of this complex process. This capability requires good analytical and practical coding skills, but does not require an advanced IT degree or a CISSP designation to perform successfully. When reframed outside of a pure IT or IT Security context, the core skills required to perform this function become much more readily available in most markets. As with other capabilities, if it isn’t necessary for an organization to own it, they can also choose to outsource if preferred.
The remediation stage is no different. While practical experience is particularly invaluable for this role, an advanced IT related degree or other requirements typically identified in hiring requisitions often are not. And, as with other capabilities, organizations can also decide if they wish to own this capability or if they prefer to outsource it.
Lastly, another example of creative hiring would be to consider hiring a security operations center (SOC) manager from a Customer Support management background.
These individuals have experience in effectively managing broad ranges of issues with differing priorities and ensuring timely resolutions. They are also trained to track and analyze metrics and determine possible areas of concern. For example, when a high number of support tickets originate from a specific technology. They have experience working directly with teams from different disciplines to build consensus and expedite a remediation. These skills – and the ability to remain calm, cool and collected when high severity issues arise – are critical to achieving success in the role.
The Bottom Line
It is a fallacy to expect that every IT security role needs to be filled by an expert and that an organization needs to internally own every one of these roles. In fact, it can be very detrimental to fill positions with someone who is overqualified for the tasks they will actually perform.
Employees typically list the need for challenging and meaningful work, a feeling of belonging, personal development, and recognition as core to them enjoying their work-life. Without these, employees quickly feel they are underutilized, get bored and look for another more meaningful opportunity.
It is extremely rare that a prospective employee will have all the required capabilities on day one, and even if they are close, they will still have to adapt to their new environment, which will take time.
Determine which capabilities are only available through direct experience and which can be adapted from a skill set that the individual may possess from another industry or background, or that can be learned in a reasonable amount of time with the right motivation, coaching, training or mentoring.
The fundamental qualities of a successful employee in any role are their own personal will, desire, motivation and commitment to delivering the outcomes expected of that role. It is important to remember that IT Security experienced personnel do not have a monopoly in these qualities.