Commentary
10/9/2013
07:58 PM
Mark Aiello

Need Security Help? Hire A Picture Card

With essentially zero unemployment among cybersecurity professionals, it's difficult to find good people. CIOs must play their cards right.

Burning Glass Technologies, a labor market analytics firm, says demand for cybersecurity professionals has grown more than 3.5 times faster in the past five years compared with other IT jobs, and about 12 times faster than demand for all other jobs. The company's CEO, Matt Sigelman, questions whether there's sufficient supply to meet demand. "Over the past two years the number of jobs requiring a Certified Information Systems Security Professional certification has jumped from 19,000 to more than 29,000," Sigelman told The Wall Street Journal. "When you see 10,000 new job postings in a two-year period in a field that has just over 50,000 CISSPs, there is a question of availability."

Indeed -- and if you find these pros, paying for and retaining them is a challenge. InformationWeek's 2013 Security Salary Survey shows salaries for experienced security managers rising $20,000 since 2011, to $120,000 on average, and poaching is commonplace.

Does that mean it's impossible for an average company to hire and retain a top-notch cybersecurity specialist? Not at all, if you're willing to shuffle the deck and play the hiring game in a smart way.

First, why must every new hire be an ace? What's wrong with a king, queen or jack? The key is potential. Ask, "Will this candidate be able to do the job, maybe not immediately, but eventually? Is the candidate likely to grow into the role?"

No growth, no hire. I find that the vast majority of cybersecurity professionals (and IT pros in general) are smart people. They're usually highly educated, well-trained and certified, and they come with track records of success. Admit to yourself that your opportunity is not so unique and special that you'll have a half-dozen CISSPs fighting over it. At one time in your career, weren't you in the dark about something that you now know pretty well? The answer is yes. Remember, a queen beats every other card but two.

Now Go Fish

In the movie Weird Science, two young men build the woman of their dreams (Kelly LeBrock) using a Barbie doll and a car battery. That only happens in the movies. When scoping a position, focus on needs, not wants. Eliminate the superfluous; whittle experience requirements to what is critical -- not desired, not hoped for, not imagined. Develop probing questions to ascertain whether the candidate has the essential skills to do the job well enough, right now, and whether that person has the potential to become an ace. Stop thinking Weird Science and start thinking real science.

Group interviews, multiple callbacks, mandatory social events -- all a waste of time. We do these things to make sure everyone likes the candidate and the candidate fits our "culture." News flash: It's difficult to get four people to agree on where to go to lunch. What makes you think a difficult hiring decision can be done better by committee? The "personality" threshold for hiring should be simply "Can stakeholders work with this person every day?" Don't listen to Toby Keith's advice about drinks after work. You don't need to vacation together, become family friends or hang out on weekends. You need people to get their jobs done and treat one another respectfully.

Hurry up and make a decision. Cybersecurity professionals are in high demand; smart hiring managers know this and don't give the candidate a chance to receive another offer. If you meet someone you like, move fast. Make it contingent on a background check, sure, but make an offer. Be bold.

On the flip side, if the person isn't right for the job, cut the interview short and save both of you some valuable time. Don't commit to a lengthy meeting because you want to be "nice." It's not nice to waste someone's day when you have no intention of hiring him. Cutting it short does not mean being impolite. It's OK to let someone know that you don't think he's the right person for the job. Just make sure it's for the correct reason -- that he cannot perform the critical tasks or shows no growth potential.

When you do find the right candidate, understand that you might need to sweeten the pot. The good news is that the one thing I find that cybersecurity professionals care most about benefits you as well: training. Cybersecurity tools, technologies and policies change rapidly, and these people know that frequent and ongoing education is the best way to keep up. You might decide to pay for some training or simply allow them time off with pay. I know many cybersecurity professionals who cover the cost for their classes while their employers give them the time off. It's a win-win.

Check And Call

When a player checks or calls in a game of poker, it means he or she is passing or matching a bet. In the game of hiring cybersecurity professionals, it means background checks and reference calls must be made. According to the Ponemon Institute's 2012 Cost of Cyber Crime Study, cyber attacks by malicious insiders were the second most expensive on a per-attack basis. Full criminal background checks should be done annually and updated every 90 days. Reference checks should be done thoroughly to make sure there are no red flags in a candidate's past. In addition to the standard questions (Is she eligible for rehire?) ask questions like these:

-- Did she have any altercations or issues with any other employee?

-- Did you allow her to work remotely from home?

The answers might surprise you and make you feel better about your decision -- or stop you from making a bad bet.

Comments
Mark Aiello,
User Rank: Strategist
10/15/2013 | 6:50:04 PM
re: Need Security Help? Hire A Picture Card
Hi Marcia,

The easy answer is that they are both important. I believe that obtaining a certification (or several) shows that one is serious about security and wants to make it a career. This does not suggest that those without are not serious security professionals. Experience and a successful track record almost always trump a certification. Combined they make an unbeatable combination.
MarciaNWC,
User Rank: Author
10/11/2013 | 9:25:31 PM
re: Need Security Help? Hire A Picture Card
How important are certifications in security hires? Security pros have told me certifications are far less important than actual experience.
Mark Aiello,
User Rank: Strategist
10/10/2013 | 7:53:16 PM
re: Need Security Help? Hire A Picture Card
Hi Laurianne. Rotation programs are an excellent way to grow skills. The key is accepting that not all people will come up to speed on every topic at the exact same rate. My Grandmother was fond of saying, "Good waiters, make good tips." A little patience with one's staff will pay huge dividends in the future.
Laurianne,
User Rank: Author
10/10/2013 | 7:13:23 PM
re: Need Security Help? Hire A Picture Card
"Stop thinking Weird Science and start thinking real science." Love the Kelly LeBrock analogy. I have heard first-hand from too many IT pros about hiring managers having the lack of faith that smart people will grow in new directions. Do you advocate rotation programs as a way to grow skills within the organization? These can be especially good for rising star players at risk of leaving.
MichaelC225,
User Rank: Apprentice
10/10/2013 | 4:07:28 PM
re: Need Security Help? Hire A Picture Card
It's true, group interviews are time wasters and ensure that the candidates will no longer be available when they finally make a decision.

Trust your cybersecurity professional service team.
Mark Aiello,
User Rank: Strategist
10/10/2013 | 3:03:18 PM
re: Need Security Help? Hire A Picture Card
Thanks Lorna. The world is a busy place. Respecting someone's time is showing respect.
Mark Aiello,
User Rank: Strategist
10/10/2013 | 2:57:40 PM
re: Need Security Help? Hire A Picture Card
I agree with you. "Hiring from within" is always the best strategy, just not always feasible. Hopefully this is the next best option.
Marilyn Cohodas,
User Rank: Author
10/10/2013 | 2:44:21 PM
re: Need Security Help? Hire A Picture Card
I really like the idea of looking for talent from within but if that's the strategy your organization takes, you have to give your IT team learning opportunities to keep up with the rapidly evolving threat landscape. With IT in general -- and security in particular -- it's hard to carve out the time for individuals to stay up to date and keep their skills sharp. But the alternative -- not having the on-site security talent you need -- is definitely not an option.
Lorna Garey,
User Rank: Author
10/10/2013 | 2:36:09 PM
re: Need Security Help? Hire A Picture Card
The concept of not prolonging an interview when you know the person isn't a fit and not dragging out the hiring process are just common courtesy, which seems to be lacking among HR managers, judging from the experiences of well-qualified friends who are looking for new gigs.