In today's world, chief information security officers (CISO) are often challenged with a lack of resources ranging from reduced budgets to lowered headcounts. When a major security incident or near miss occurs, the CISO may be "lucky" enough to be granted more funding for increased staffing or the opportunity to hire outside consultants. The good news is the CISOs can now look for talent to help them and their enterprises. But action must be taken right away.
Unfortunately, finding experienced and qualified talent to fill security positions is not easy. With many companies actively recruiting information security and compliance talent, demand exceeds supply. Many of the positions available call for former CISOs or personnel with five to 10 years of experience in security. But many of these individuals are already employed or -- like some of us -- are more than 60 years old and thinking about retirement (or at least not interested in reading logs for a living).
One of my CISO friends just lost his key forensics manager to another company. Finding a replacement with the same level of experience is not easy and puts my CISO friend under pressure to take care of the current caseload while trying to hire a new forensics manager. This situation is aggravated by the fact that there are several trained graduates in forensics on the market who know how to use the tools but don't have the associated field experience. Qualified talent is passed over due to a relative lack of experience, and the job remains open for months, resulting in lots of pain for the CISO and frustrated, trained talent.
So what can be done? Let's look at how CISOs can fill security positions when they're facing a lack of specialized security talent.
Options for filling security roles
One option is for the CISO to hire talent away from consulting firms, which have broadly experienced and qualified security employees. However, the salary differential can be a barrier. Consultants may travel a lot, but their pay is often much higher than the average enterprise can offer. Consultants also make far more than most government agencies and not-for-profits can afford.
Another option is to recruit military personnel with information security and compliance expertise and experience -- and a security clearance. These potential employees are almost perfect candidates. The CISO should target military personnel entering the civilian world and those recruiting firms specializing in military personnel looking for outside employment.
Don't forget, recruiters that specialize in information assurance professionals can be a strong asset in the search for talent as well.
A similar approach is to seek out candidates from federal and state government agencies, such as the National Security Agency (NSA) or Central Intelligence Agency (CIA) where employees have experience and certifications in highly disciplined information assurance environments.
A third option when hiring for security positions is to target students graduating from security programs at universities like Norwich University or University of Maryland. In the United States, there are universities across 47 states, the District of Columbia and Puerto Rico that have information assurance programs designated by the National Security Agency and the U.S. Department of Homeland Security as Centers of Academic Excellence in Information Assurance Education. The NSA-accredited programs are primarily for graduate students who may have more experience.
Another route is to hire from within. CISOs may be surprised to find that many of the employees in their own IT ranks not only have security experience but also hold certifications, like the CISSP from (ISC)2. When I was the CISO at the Port of Seattle I was pleased to note our highly capable Linux engineer held a CISSP, and that the server engineering manager had worked at the NSA and also held a CISSP and Certified Ethical Hacker (CEH) certification. These gentlemen were my sounding boards and go-to people at times when I needed security talent and did not have any staff on my team.
In addition, employees in IT or even on the operations technology (OT) side of the enterprise may have strong interest in running the industrial controls systems -- such as SCADA -- and expanding their knowledge and experience into the information assurance and compliance arenas.
Editor's note: After reading this article, a reader wrote to Ernie Hayden to discuss the challenges he's having in finding the right infosec job, despite certifications and experience. Hayden responded to that issue here: How to cope with infosec job search challenges.
About the author:
Ernest N. "Ernie" Hayden, CISSP, CEH, is an experienced information security professional and technology executive, providing thought leadership for over 12 years in information security, cybercrime and cyberwarfare, business continuity and disaster recovery planning, leadership, management and research in conjunction with his 35-year professional career primarily in the energy and critical infrastructure protection business. Based in Seattle, Hayden holds the title of managing principal -- critical infrastructure protection and cyber security on Verizon's RISK Team, devoting much of his time to energy, utility, critical infrastructure and smart grid security on a global basis. Prior to this, Hayden held roles as an information security officer or manager at the Port of Seattle, Group Health Cooperative and Seattle City Light. Hayden's independent analysis may not always reflect positions held by Verizon. Read more of Hayden's expert advice on his contributions to the Verizon Think Forward blog. Submit questions or comments for Ernie Hayden via email at firstname.lastname@example.org.