Gaining and Retaining Security Talent: A Cheat Sheet for CISOs

A joint study from ISC2 and the Chartered Institute of Information Security (CIISec) offers guidance for CISOs on how to recruit and hold security talent in an age of severe skills shortage.

Without specified justification, the report suggests that, globally, the profession needs around 4 million extra people. There will be people who question this figure. Indeed, SecurityWeek recommends its readers should accept very large figures with circumspection (see Beyond the Hype: Questioning FUD in Cybersecurity Marketing). Nevertheless, few will question the difficulties in finding and keeping security talent for the security team. This report provides TTPs for gaining and retaining security talent.

The biggest single takeaway from the report (PDF) may be controversial: you do not need to seek technical qualifications or even technical experience to fill all vacancies within the security team. If there is evidence of a candidate’s aptitude to learn, technical skills can always be taught ‘on the job’.

SecurityWeek’s CISO Conversations series finds that many CISOs would doubt this – they believe evidence of technical expertise is the bedrock of team recruitment. They might not require specific technical qualifications but do require evidence of existing technical skills. The report’s authors question this attitude. “There’s a misunderstanding that you must be a techie and you must have that technical background to be able to get in and succeed. And that’s not the case… It doesn’t mean you can’t fit with this team and learn what you need to learn,” they told SecurityWeek.

The insistence on candidates having a strong existing technical background while not necessarily requiring specific technical qualifications may be the product of unconscious bias. Many existing CISOs came into cybersecurity via IT, but before cybersecurity (and therefore cybersecurity qualifications) became the issue it is today. Unconsciously, they may be seeking mini-me’s because they know from personal experience it is a proven formula for success.

This is problematic on many levels. Firstly, it shrinks the pool of availability, and secondly, a team comprising mini-me’s will be lacking in diversity. Breaking free from the mini-me approach allows the CISO to fish from a larger pool and concentrate on aptitude, diversity, and the soft skills necessary for the team to understand their users and convey the need for good security hygiene throughout the company.

Of course, in some cases, specific technical skills may be necessary straight from the get-go. The report suggests that recruiters must be ready to look in unconventional places. An example here could be the large pool of military veterans. Retired military personnel have admirable qualities: self-discipline, often leadership and team experience, and sometimes detailed training in computer systems and electronic communications.

Freed from the shackles of always demanding a technical background, the CISO can concentrate on building a diverse team comprising multiple skills: interpersonal communications, legal experience, analytical skills, business skills. 

The report also suggests seeking people early on in their careers. It will be easier to attract them, train them, and meld them into a closely knit team.

Recruiting the team is just the first step – the CISO must then keep the individuals and the team together. Here the report has reams of advice that frankly should already be bread and butter knowledge to most CISOs – but perhaps with a few twists. The right recompense level is an obvious requirement, but while starting low is common to most jobs, the report recommends frequent pay increases to maintain lock-in.

In the same way, team members must be given interesting tasks, recognition for successes, ample training in cybersecurity and their personal skills, and a very clear career path. Personal mentoring to reinforce that concept of career path is essential. 

Frequent meetings, either in person or virtually, are important to build team cohesion. Everyone must be given a voice and be encouraged to use it. Diversity of ethnicity, gender, social background and more will lead to multiple and valuable viewpoints on different subjects. 

Acceptance of each other and each other’s personalities is important – for example, neurodiversity in the team can bring huge advantages, but is sometimes accompanied by social difficulties. Openness and acceptance of different personalities within the team must be encouraged. 

And finally – and perhaps most importantly – the CISO must manage the mental well-being of the team and its leader. Cybersecurity is possibly the most stressful occupation outside of active military service (there are some similarities). Burnout and other mental issues are not uncommon (see The Complexity and Need to Manage Mental Well-Being in the Security Team). The single most important defense against these issues is to not simply encourage, but actively enforce, a healthy work/life balance for everyone in the team. If the CISO sees signs of stress, he or she must not hesitate to say, ‘take a few days off, be with your family, and come back refreshed.’

The elephant in the room is that both gaining and retaining an effective security team is down to one person: the CISO. The CISO’s own leadership skills are essential. Leadership can be innate (nature) or learned through experience (nurture); but it can always be improved. While ensuring each team member receives adequate training, the CISO should also consider additional training in personal leadership skills.

Overall, this report provides a valuable cheat sheet for gaining and retaining security talent. Much of the advice is already understood by CISOs, but possibly not everything. Having it all in a single document is a valuable resource.

Related: Overcoming Cybersecurity Recruiting Challenges

Related: Respect Is Key for Retaining Top Security Talent

Related: 3 Steps Security Leaders Can Take Toward Closing the Skills Gap

Related: Mismanagement Driving Cybersecurity Skills Gap: Research
