
For IT security and compliance jobs, experience a must

The high demand for IT security and compliance professionals is forcing companies to decide how a candidate's previous job experience can offset the GRC skills shortage.

Filling open IT security and compliance jobs can be a challenge because many -- if not all -- candidates lack the exact skills needed for the job. For example, advanced or "special purpose" positions like application security engineer or pen tester will often demand experience with a specific security tool or programming language. To adapt to this talent and skills shortage, you may have to settle for hiring the "best available" candidate instead of the "perfect" one. There are, however, skills fundamental to most security and compliance jobs, as well as role-specific experience, that can weigh heavily when deciding which candidate to invest in.

With the number of colleges and universities offering IT security degrees increasing over the past few years, there are often many InfoSec graduates available in the market at any given time. While those degrees offer a very good knowledge base for an entry-level security or compliance professional, the graduates sometimes lack real-world experience.

Real-world experience and development potential a must

When considering candidates with IT security degrees, it is helpful to look for individuals who gained practical knowledge by participating in an internship or co-op program. The internship doesn't necessarily have to be with a security team, either. Some of the best-prepared security graduates I have come across for security operations roles actually completed internships with other IT teams, in areas such as servers, desktops or networking. Security graduates who have interned with development or product teams can also make good entry-level risk or compliance analysts.

Identifying well-trained candidates applies to more experienced security professionals as well as newly minted graduates. Finding the perfect combination of training and experience in a security candidate will likely pose a challenge in today's market, and even if you do find that person you may not be able to afford them. In this case, hiring a person with the right "potential" for development may be your only alternative.

Hire for non-technical skills

When looking at candidates already in the workforce, it is good to put a higher value on non-technical skills and training, since specific tools evolve over time and technical training is readily available. Skilled and experienced candidates who also have strong analytical abilities and can communicate effectively tend to rank higher on my list.

Professionals with some type of training or experience with IT security project management should be a high priority when looking through candidates. It is more important for a candidate to have experience with running projects in an organized manner than it is for them to have credentials such as a Project Management Professional certification. Asking candidates to give a detailed explanation of a project they have led, the types of documentation and reporting they provided and how they handled both technical and organizational issues is a good way to judge how detail-oriented they are, how well they can enforce procedure while responding to changes in plans and their ability to lead groups of people to a solution.

Fill compliance jobs with pro communicators

In addition to project management, another high priority is a candidate's communication experience, whether that was gained through presentations, written documentation or even simply explaining high-level compliance or security concepts in "plain English." While there have been occasions in my career where I have required pure technical expertise without the need to communicate, those situations are extremely rare. Candidates don't necessarily need to like to talk a lot; they just need to be engaged when discussing IT security and compliance topics and able to get their point across effectively. Participation in Toastmasters, or experience in roles that regularly present to management-level individuals, is certainly a plus.

A key indicator to both judge a candidate's communication abilities and generally assess their capabilities involves listening skills. In situations where my team may be pushing another to fix a vulnerability, deny a policy exception request or accept a new architectural design, it is critical that my team be able to listen and communicate effectively. Failure to do both may increase the amount of time we spend trying to resolve a matter, which ultimately translates into more dollars spent.

Finding IT security and compliance talent can be challenging in this economy, so you may find you have to be more creative when identifying and developing talent. Compliance and security technology training certainly has its place; but seeking people with the right "soft skills," such as strong communication, project management and leadership qualities, may enable you to hire what initially might appear a less-than-perfect candidate you can ultimately mold to fit your organization's needs.

About the author:
Jeff Jenkins is a regulatory compliance, information security and risk management expert. He is currently the director of cybersecurity at Travelport LTD. Prior to his role with Travelport, Jeff served in security executive/leadership roles for a number of private- and public-sector organizations including Cbeyond, Equifax, The First American Corporation, S1, the state of Georgia's Department of Human Resources, and Cobb County Public Schools. Jeff currently holds CISSP, CISA, CISM and CGEIT certifications.



What employee training and development techniques is your organization using to offset the IT security and compliance skills shortage?
Given how different many of the modern technologies and techniques are vs. in the past (open source, public cloud, automation, SD-everything), IT organizations need to find more ways to get engineers time to learn. Just going to a 2-3 day class isn't enough if it doesn't become a daily routine and frequently used skill. Look for ways to get them larger blocks of time to learn. Look for new ways to motivate them to spend extra time learning (after hours, nights, weekends). 
I find that most IT and security professionals get zero budget to attend conferences, classes, and related continuing education to help improve their knowledge and skills.

Part of it is because these people aren't asking for the training and education (what else is there to learn in IT, anyway?) and they're not making the time for it (gotta keep the joint running). Still, part of it is because management fails to see the value in IT and security - that is, until their business stops functioning because of an oversight, failure, or related gaffe.

Regardless, the issue needs to be addressed and the training/education needs to be obtained. Otherwise, we're perpetually stuck in this rut:
Absolutely, education/training for IT security and compliance specialists is essential, especially because security threats and regs change so rapidly. Security and compliance pros must be able to adapt IT processes to these changes, and quickly. But because threats/compliance regulations do change so rapidly, it could make scheduling effective education sessions difficult: As soon as companies develop new processes to protect against a data threat, a new one pops up that requires new GRC strategies.
The good news is that most things required to fix the essential challenges we face in security don't change much. It's still good to keep up with what's going on, if anything, with the latest tools and techniques for finding vulnerabilities and responding to incidents.