A big part of the problem associated with the cyber skills shortage is that it threatens the security of the business. There is now a deficit of 14,000 entrants every year, so businesses are going to need to adjust how they recruit, and do so in a way that protects the business and its assets, argues Jamal Elmellas.

Today some of the hardest positions to fill are in middle management and the C-suite, with hirers looking for three or more years’ experience, according to a DCMS report. This is because many organisations subscribe to the belief that they need to create a solid security team starting at the top of the hierarchy. But is this really true? According to a report from Verizon, the average time a CISO will stay in the job is just 26 months, so while leadership is key, its absence certainly doesn’t have the destabilising effect many envisage.

Roles based on risk

One idea advocated by McKinsey is not to prioritise hiring based on seniority but on risk. It suggests that rather than using a top-down approach that fills most senior roles first before filling roles further down, organisations should first identify where the riskiest roles are. Often these will be dotted throughout the business with some in the top, middle and bottom of the organisational hierarchy.

It is possible to identify and prioritise role filling by applying what it calls a ‘Talent-to-Value’ (TtV) strategy, which identifies those posts that expose the business to the most risk. The formula is not a one-size-fits-all proposition, however, and will need to be adapted depending on how mature the business is and on other factors, such as business transformation, which can of course create more risk.

The business can use its understanding of risk to determine what can be done to reduce it and who can make that happen. Some risk frameworks, such as NIST’s NICE (National Initiative for Cybersecurity Education), can be used to analyse knowledge and identify skills gaps.

It then needs to decide which of those risks, and by association which roles, are the most pressing and will lead to the greatest reduction in risk. Perhaps investing in Cloud Security Architects would counter the risks posed more effectively than, say, a Cloud Security Manager.

Specific job descriptions, determined by the tasks and skills required, should be built in concert with the security team; the HR team can then explore whether there is an opportunity to upskill in-house or whether it needs to recruit or outsource.

The benefits of TtV

McKinsey claims that adopting a TtV strategy can result in up to 50 percent fewer new hires, saving the business time and money and focusing recruitment drives to create a more adaptable workforce. There is of course the problem of covering the interim period while people get up to speed. However, recent research would seem to suggest this isn’t necessarily a problem.

Whether upskilling or recruiting, new entrants into the profession can add significant value, and they do not take as long to get up to speed as you might expect. According to the ISC(2), over a third of hiring managers said it took just six months or less for entry and junior-level hires to be able to work independently. The roles they performed took significant pressure off those higher up in the business, alleviating stress, which in turn is likely to boost the retention rates of those professionals.

Fundamental to the success of such a strategy, however, is a clear outline of career progression and succession planning, so that those who have been brought in to fill these roles can see they have a future in the business. Employers and their HR teams can often underestimate how important these aspects are, with some neglecting to mention training opportunities, for example.

Forging a path

Another development that promises to make this less opaque is the Career Pathways Framework, which is being devised by the UK Cyber Security Council. This sets out the certifications and experience required to progress within specialist fields but, until it is published, employers can make use of the Council’s Careers Route Map. The Chartered Institute of Information Security’s (CIISec) newly announced cyber-skills framework is also relevant and is geared towards helping organisations develop, recruit and retain talent.

In many ways, both the TtV strategy and Career Pathways could significantly reform how we recruit in cybersecurity. Today, the TtV strategy has at its heart the tasks and skillsets required to mitigate a particular risk, which then help determine the role that needs to be filled.

However, as more formal structures such as the Career Pathways become established, we can expect it to become easier to identify what those roles are.

What this also means is we’re less likely to see the current criticisms levelled against hirers regarding job descriptions. The same DCMS report found that “job specifications were often unrealistic in their demands, tried to recruit multiple roles in one, or were not reflective of the actual requirements for the role on offer”, with hirers sometimes using other adverts as templates. One recruiter got around this by speaking with the hirer and drafting the spec themselves, which shows just how much of a problem this is at present.

If job specifications are more task-based and recruiting is more risk-led, we can expect to see clearer, more targeted recruiting. This will see the diminishing talent we have applied much more wisely and help to ensure more cybersecurity staff remain in the profession. Not only will this help to ensure the business is better protected, but it will also make the HR team’s job that much easier.

Jamal Elmellas is Chief Operating Officer at Focus on Security, the cyber security recruitment agency, where he is responsible for delivering an effective and efficient selection and recruitment service. He has specific expertise in, and is adept at, designing and delivering secure, scalable and functional ICT services.

Prior to joining Focus on Security, Jamal built a successful security consultancy and undertook the role of CTO. He was responsible for delivering secure ICT services for both government and private sectors. He has also fulfilled the role of Lead Security Architect and Assurance practitioner within sensitive government departments and blue organisations.

Jamal has almost 20 years’ experience in the field and is an ex-CLAS consultant and a Cisco and Checkpoint certified practitioner.