There is one skill that I, unfortunately, have perfected over the years—the ability to search for a job. I, like millions of others, have experienced being laid off, which required me to learn techniques to find new opportunities.
The objective of this article is to share my personal job-searching experiences from an Information Security (“InfoSec”) perspective. This information and my observations arefrom my experiences only and not from any study, survey or research.
The following three general categories are my personal observations as to why companies are experiencing difficulties filling out their InfoSec programs or hiring experts.
Unrealistic Expectations
The InfoSec field has not yet fully matured and is also complicated by rapid IT innovation, so it is not surprising that businesses often have trouble keeping abreast of the latest threats that accompany such innovation. For example, there have been substantial improvements to mobile devices since the iPhone’s announcement in 2007, the concept of “software-as-a-service” and cloud solutions didn’t exist twenty years ago, and artificial intelligence is also on the horizon. All of these developments introduce a new series of threats that people had never before had to consider.
Unfortunately, the expectations that some companies have about InfoSec roles are often based upon outdated expectations that often lead to mixed priorities. Companies sometimes look for candidates with the exact qualifications they think they need,and while it’s understandable for any company to want to find the perfect candidate that satisfies every requirement, no two InfoSec programs are exactly alike. While general best practices exist, each company has its own set of unique risks that require unique solutions. A “one-size-fits-all” template does not exist, so companies should instead seek candidates who are able to accurately assess industry-unique risks (including applicable laws and regulatory requirements) and implement unique solutions. It's important to remember that threats are always changing so what may have worked five years ago may not be applicable today.
This same approach applies to retaining talent, too. I’ve mentored many security engineers over the years and during discussions about their career objectives the number one reason I often hear as to why they want to look for another job is because they feel that there is no opportunity to expand their skills in their current one. First, let there be no misunderstanding that the primary goal of any engineer must be to do the work that’s expected for the organization but engineers, by their nature, are also inquisitive and love new challenges. Good engineers are never satisfied with their current skill set so it’s important to give them the opportunity to grow whether it’s by self-study, classes, conferences, professional meetings or internal cross-training. Some of these opportunities are available at no cost to the company other than time. Engineers will tend to look for and likely find new opportunities elsewhere if they feel stifled and stagnant.
Lack of Leadership
Unfortunately, some businesses still view InfoSec as an IT issue only. While that may have been true in 1995, the emergence of a “connected society” has changed that paradigm considerably. While data, especially customer data, may be a company's most valuable asset, some companies treat data as if it’s a disposable commodity. Years ago, I was conversing with the CEO of a startup and the topic of InfoSec was raised. The CEO told me that he strongly believed in computer security and employed the best and brightest to protect his company but when I I asked him, he had no idea what were the most serious risks facing his company. I believed that the CEO was truly serious about hiring good people,but without proper leadership those experts were likely trying to mitigate threats that they, alone, thought were serious regardless of whether they were actually a threat to the business.
Technical experience alone is not sufficient anymore because any good InfoSec program must encompass all areas of the organization, and leadership is needed to translate executive requirements into specific actions. HR, for example, needs to reject unscrupulous candidates, marketing must not disclose proprietary information, and employees in all departments, through security awareness training, need to be watchful for suspicious elements on web sites and in incoming emails.
Viewing Compliance as an End Goal Instead of a Risk
First, let there be no mistake that being compliant is critical for any company for obvious reasons. The mistake is not in viewing compliance as critical but in viewing it as an end goal and assuming thatif you’re compliant then all is OK. It cannot be stressed enough that compliance is NOT the same as security; it is a minimum set of security-related requirements that a company must achieve but it is not a guarantee to protect your company from a breach.
Compliance is often mistakenly viewed through problematic sort of circular reasoning: a company needs to be compliant so their entire security program is designed in order to satisfy that requirement, even though compliance requirements generally mandate that security programs should be designed to protect the business.
One critical question that must always be asked is, what will your company do when you’re breached? Companies mistakenly think that being compliant will be enough in this situation but end up finding themselves woefully unprepared when a real breach is discovered. For example, how will your company respond if a third party discovers your data elsewhere if compliance requires constant monitoring? How did the data get there? Firing a CISO in this case would not be enough because the CEO will still have to answer a lot of unsettling questions and the auditors will likely identify shortfalls that were not identified during their normal annual audit. If you ever start to believe that compliance alone is enough, remember that the Home Depot, Target and Neiman Marcus were all compliant and look what happened to them.
While it may seem a hopeless cause, the solution is actually easy. No matter what framework your company decides to implement or which compliance requirements it needs to meet, the success of any InfoSec program depends upon two key factors: Knowledge and Communication (K & C) as a two-way channel throughout the breadth and depth of the entire company. The need for two-way communication is generally accepted but the role of knowledge is often ignored. Everyone in the company needs to understand how the board’s security goals relate to their specific job function and the also CEO needs to understand the various risks facing all facets of the business in order to make informed decisions. A good CISO should beable to facilitate communication and the effective flow of knowledge between both groups.
If your company needs InfoSec talent but is unsure of the category of qualifications they should look for, then a good start would be to discuss existing security and/or continuity processes with all company department heads to identify any departments with gaps. Your inquiry may even need to reach out to the janitorial staff to ensure that sensitive documents are disposed of securely instead of just being placed in dumpsters in the company’s parking lot.
What Next?
You’ve identified the type of skill set needed, advertised the opening and interviewed several candidates without satisfaction. I recommend keeping notes of each candidate’s strengths and weaknesses to help you pinpoint the source of any gaps. If you identify that the problem is on your end, then consider these alternatives:
- Prioritize your requirements. As mentioned previously, InfoSec is fairly immature compared with other skill sets and a talent shortage also exists, so finding the perfect candidate may be difficult. The continuously morphing threat landscape further complicates the issue. Some companies require a long list of skill sets and expertise with specific tools which will limit the availability of qualified candidates. Generally speaking, InfoSec managers will understand policies, procedures, business threats and compliance requirements while technical experts will know specific hardware, software and a wider variety of tools. Too many required qualifications in your job announcement may disqualify someone who may actually have beee an excellent candidate for the position. Consider prioritizing your requirements; which qualifications are required and which ones are optional?
- Respect prior NDA’s. I’ve restricted my responses to interview questions out of concern that I may potentially violate an NDA of a prior company and have informed the interviewer of my reasons. This is a major concern for me because I understand the need for the interviewer to learn about my qualifications but I also need to respect the privacy requirements of previous companies that were expressed in their NDA’s. This business involves a lot of restricted information especially in the areas of incident response involving personal or other sensitive information, specific network architecture or other proprietary information. Good InfoSec professionals will respect the confidentiality of other company’s security programs despite their personal opinions of their effectiveness. If an InfoSec professional is willing to violate a previous NDA then what will prohibit him or her from violating your NDA? One recommendation is to Google suggested questions that will enable the candidate to provide details without compromising their prior company’s sensitive information.
- Consider compliance as a risk instead of an end goal. Remember that compliance is no guarantee of security so don’t consider “checking the boxes” as your company’s sole objective. Criminals are improving their craft at an alarming rate and regulations do not always keep up with them. For example, your incident response plan may be “just enough” to save your company from regulatory fines but that plan may be insufficient if you suffer a ransomware attack so your savings may be short-lived. Remember that compliance includes gaps too so don’t rely on it as the only requirement for your security program.
- Don’t put the cart before the horse. I was once asked in an interview if I ever managed a “HIPAA contingency plan.” I explained that I created and managed contingency plans before but the interviewer repeated the question. I explained that the prior plans under my responsibility were not specifically for HIPAA but met HIPAA requirements and provided details. The interviewer was not satisfied and the interview was over. In this instance the interviewer mistakenly focused on HIPAA itself rather than the reason for the requirement. All applicable regulations focus on protecting certain categories of data so businesses need to focus on that core objective. If you’re not familiar with a specific requirement then I recommended you gain a basic understanding of that requirement; otherwise, you may lose an excellent candidate because of a misunderstanding.
- Expand your network. If you're having trouble finding candidates, then look to professional organizations including the International Systems and Security Association, the International Information System Security Certification Consortium, the Open Web Application Security Project, InfraGard and International Systems Audit and Control Association. Many national and local organization chapters include job pages for their members. Chances are that there is an InfoSec professional organization in your area so attending chapter meetings may enable you to find qualified candidates. There are also a growing number of recruiters and job web pages that focus solely on seeking information security professionals.
I hope that these suggestions help you succeed in your search for the right expert. Good luck!
