I recently took over the security team in a midsize organization. We have a staff of six, and I have a couple open spots to fill. I need people with a technical background who have experience in log management/event management. However, long term, should I aim for a security team with one or two people who specialize or try to foster a team of generalists?
Fill the positions with people who have knowledge in many areas of security. Here’s why: Security staffing is a challenging proposition. There don't seem to be enough candidates with the required skills to fill all available positions. As a result, an information security manager must develop a nontraditional staffing strategy to identify and fill key needs within the department. This may mean recruiting staff from outside the core information security disciplines or recruiting security professionals with more generalized skills. This is especially true in small to mid-sized companies where the workload or budget may not support specialists.
There are several benefits to recruiting people with general security knowledge. They tend to be more open to different ways of tackling technical issues, while specialists tend to have rigid ideas about how to deploy specific technologies. The generalist also tends to look at information security as a whole product, spanning multiple technologies, platforms and processes. Specialists may have a difficult time expanding their scope beyond a specific skill set. Generalists may also have an easier time communicating security processes and technologies to other employees by not delving into the technical details.
One potential issue that may crop up when the staffing strategy involves hiring generalists is that they will not have the in-depth knowledge to appropriately configure every technology platform in the organization. They may not be able to detect potential intrusions, either, because of their lack of specialized information security knowledge. This can be mitigated by using outside consultants to supplement staff when needed, provide training and configure technology platforms. Using outside consultants only when needed will fill any technology or security knowledge gaps while still employing generalists with a wider view of the company's information security plan.
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)
Dig deeper on Information Security Jobs and Training
Related Q&A from Joseph Granneman, Security Management
An IT security governance board is a key feature in security budgeting, but who makes up this body? Expert Joseph Granneman outlines the best ...continue reading
The security data breach public response times from Target and Neiman Marcus were noticeably different. Expert Joseph Granneman explains which one ...continue reading
Security staffing can be tricky, but talent can be found in unconventional places. Expert Joseph Granneman explains the pros and cons of hiring data ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.