I recently took over the security team in a midsize organization. We have a staff of six, and I have a couple open spots to fill. I need people with a technical background who have experience in log management/event management. However, long term, should I aim for a security team with one or two people who specialize or try to foster a team of generalists?
Ask the Expert
Have questions about enterprise security? Send them via email today! (All questions are anonymous.)
Fill the positions with people who have knowledge in many areas of security. Here’s why: Security staffing is a challenging proposition. There don't seem to be enough candidates with the required skills to fill all available positions. As a result, an information security manager must develop a nontraditional staffing strategy to identify and fill key needs within the department. This may mean recruiting staff from outside the core information security disciplines or recruiting security professionals with more generalized skills. This is especially true in small to mid-sized companies where the workload or budget may not support specialists.
There are several benefits to recruiting people with general security knowledge. They tend to be more open to different ways of tackling technical issues, while specialists tend to have rigid ideas about how to deploy specific technologies. The generalist also tends to look at information security as a whole product, spanning multiple technologies, platforms and processes. Specialists may have a difficult time expanding their scope beyond a specific skill set. Generalists may also have an easier time communicating security processes and technologies to other employees by not delving into the technical details.
One potential issue that may crop up when the staffing strategy involves hiring generalists is that they will not have the in-depth knowledge to appropriately configure every technology platform in the organization. They may not be able to detect potential intrusions, either, because of their lack of specialized information security knowledge. This can be mitigated by using outside consultants to supplement staff when needed, provide training and configure technology platforms. Using outside consultants only when needed will fill any technology or security knowledge gaps while still employing generalists with a wider view of the company's information security plan.
Dig deeper on Information Security Jobs and Training
Related Q&A from Joseph Granneman, Security Management
Expert Joseph Granneman offers advice to enterprise security teams on using open source intelligence tools to learn about potential threats.continue reading
(ISC)2's HCISPP certification has many potential benefits for health information privacy and security. Expert Joseph Granneman examines them.continue reading
Expert Joseph Granneman explains important business skills information security pros need -- and how to acquire them -- as the discipline matures.continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.