This article can also be found in the Premium Editorial Download "Information Security magazine: New security strategies for the bring-your-own-device era."
While the national unemployment rate has been steadying between eight and nine percent, information security professionals have been enjoying newfound prosperity. Until recently, the information security function primarily held importance to industries whose success and market perception were tied directly to their customers’ trust, like financial services, and the federal government. Today, though, a unique combination of technological innovation, increased regulatory scrutiny, external threats, and social activism is forcing a shift. Corporations in industries that have traditionally ignored information security are realizing that the development of a competent information security function is a worthwhile and necessary investment.
When companies recognize they are going to make this type of organizational commitment, their first order of business is to find competent information security talent to bridge their talent gap. However, finding and attracting competent information security professionals to a new position is a lot more difficult than it appears. Companies quickly learn that the same strategies and processes they apply to filling more generic business and technology roles do not necessarily translate to the recruitment of information security professionals. It’s important for organizations and information security leaders to understand why.
A major impediment to filling information security positions is geography. In many cases, the talent and skills alone would be difficult to find; however, the need for an employee to be based in a certain location significantly impacts the depth of the candidate pool. In the past, companies were much more amenable to relocating candidates to fill positions, but economic events and the housing bubble have greatly reduced both the ability of people to relocate and the willingness of companies to subsidize these costs. In general, companies’ relocation packages have become less encompassing, saddling the candidate with additional expenses if he or she decides to accept an opportunity. In some cases, the candidate simply cannot afford to accept the position, even though it aligns with his or her career plan and professional development.
The next major roadblock in the recruitment process is in the area of compensation. When corporations are determining compensation, they traditionally consult specialized market research firms. This compensation information generally equates to what the candidate with the skills already in the position should be paid. While this should serve as a good baseline, it doesn’t take into consideration the recruitment premium an information security professional currently performing a similar role at a similar organization would need in order to leave the comfort of his or her existing environment.
For example, if a senior information security architect is earning “X” in his or her current role, the market data may be correct and instruct you to price the position at “X.” However, in order to be successful in attracting that person to your team, you will need to price that position at “X + 10-20 percent.” In addition, many compensation packages neglect to address existing financial and non-financial benefits associated with tenure at a current employer. Information security professionals can place greater value on vacation time, flexible work hours, and telecommuting, and may be unwilling to relinquish these benefits. Corporate human resource policies may not allow you the flexibility to provide alternatives for these privileges.
An additional compensation-based reason information security positions go unfilled is internal equity: the belief that any new employee’s compensation cannot be significantly more than that of his or her functional or organizational peers. It is the information security leaders’ responsibility to both address this within their teams and to educate their human resources staff about the uniqueness of the skill combinations they are attempting to recruit.
Before any major recruitment initiative, information security leaders must partner with human resources and perform a market-based assessment of the skills and functions already performed by current information security team members. The question they should ask is, “If I had to replace that person, what would I have to pay them?” In addition, information security leaders should be aware of the value of their employees’ skills in the marketplace, and be proactive in their approach to aligning their compensation with both their internal contributions and external value.
It’s also commonplace for human resources teams to align information security compensation with other technical functions like network engineers, systems administrators, or software developers. Consequently, information security leadership needs to sit down with human resource team members and articulate to them why the skill combinations associated with the roles they are attempting to fill are more complex and scarce than these technical functions. The information security leader should have a great deal of incentive to win this argument, because if the compensation packages are insufficient, positions will remain open for a long period of time or will be filled with substandard talent.
3. Failure to think like a job candidate
While geography and compensation issues contribute to unsuccessful recruitment processes, the primary reason positions go unfilled is the failure of information security leaders to think like the candidate they are attempting to attract. All information security leaders at one time had to interview for a job. It can be assumed when they contemplated their last job change, they created a list of criteria that became key factors in their decision-making process. Some of these factors will include the commitment of the organization, the level of responsibility associated with the role, the career path for the position, professional development opportunities, title, and compensation. In summary, most likely they changed positions because the new opportunity represented increased opportunity and personal satisfaction. Oftentimes, information security leaders forget their own motivations, and ignore the fact that their applicant pool is driven by similar forces.
One of the biggest mistakes hiring managers make is focusing only on their organizational “need,” as opposed to taking into consideration what the applicant wants. When information security leaders begin designing their job descriptions, it’s essential they understand the appeal of the opportunity and what types of candidates it will attract. When they conduct their interview process, they should take into consideration the candidate’s point of view, and determine if the position and the environment can serve as the framework for the candidate to accomplish his or her professional goals. By viewing the position from the candidate’s perspective, information security leaders will find themselves prepared to communicate the merits of the position during a recruitment process.
One of the best ways to evaluate leadership is by the caliber of the people with whom they surround themselves. Attracting top information security talent to your team can be both time consuming and frustrating. Building an effective recruitment strategy, addressing potential obstacles, building organizational partnerships and understanding the motivations of your future employees are key ingredients to efficiently filling your information security openings.
About the author:
Lee Kushner is the president of LJ Kushner and Associates, an information security recruitment firm, and co-founder of InfoSecLeaders.com, an information security career content website. Send comments on this column to email@example.com.
This was first published in April 2012