Filling open IT security and compliance jobs can be a challenge because many -- if not all -- candidates lack the exact skills needed for the job. For example, advanced or "special purpose" positions like application security engineers or pen testers will often demand experience with a specific security tool or programming language. To adapt to this talent and skills shortage, you may be relegated to hiring the "best available" candidate instead of the "perfect" one. There are, however, skills fundamental to most security and compliance jobs, as well as role-specific experience that can be a big draw when deciding which candidate to invest in.
With the number of colleges and universities offering IT security degrees increasing over the past few years, there are often many InfoSec graduates available in the market at any given time. While those degrees offer a very good knowledge base for an entry-level security or compliance professional, the graduates sometimes lack real-world experience.
Real-world experience and development potential a must
When considering candidates with IT security degrees, it is helpful to look for individuals who gained practical knowledge by participating in an internship or co-op program. The internship doesn't necessarily have to be with a security team, either. Some of the most well-prepared security graduates I have come across for security operations roles actually completed internships with other IT teams, in such areas as servers, desktops or networking. Security graduates who have interned with development or product teams can also make good entry-level risk or compliance analysts.
Identifying well-trained candidates applies to more experienced security professionals as well as newly minted graduates. Finding the perfect combination of training and experience in a security candidate will likely pose a challenge in today's market, and even if you do find that person, you may not be able to afford them. In this case, hiring a person with the right "potential" for development may be your only alternative.
Hire for non-technical skills
When looking at candidates already in the workforce, it is good to put a higher value on non-technical skills and training, since specific tools may evolve over time and technical training is readily available. Skilled and experienced candidates who have analytical abilities and who can communicate effectively tend to rank higher on my list.
Professionals with some type of training or experience with IT security project management should be a high priority when looking through candidates. It is more important for a candidate to have experience with running projects in an organized manner than it is for them to have credentials such as a Project Management Professional certification. Asking candidates to give a detailed explanation of a project they have led, the types of documentation and reporting they provided and how they handled both technical and organizational issues is a good way to judge how detail-oriented they are, how well they can enforce procedure while responding to changes in plans and their ability to lead groups of people to a solution.
Fill compliance jobs with pro communicators
In addition to project management, another high priority is a candidate's communication experience, whether that was gained through presentations, written documentation or even simply explaining high-level compliance or security concepts in "plain English." While there have been occasions in my career where I have required pure technical expertise without the need to communicate, those situations are extremely rare. The candidates don't necessarily need to like to talk a lot; they just need to be engaged when discussing IT security and compliance topics, while getting their point across effectively. Candidates who have participated in Toastmasters or served in roles that regularly present to management-level individuals certainly have a plus in their favor.
A key indicator to both judge a candidate's communication abilities and generally assess their capabilities involves listening skills. In situations where my team may be pushing another to fix a vulnerability, deny a policy exception request or accept a new architectural design, it is critical that my team be able to listen and communicate effectively. Failure to do both may increase the amount of time we spend trying to resolve a matter, which ultimately translates into more dollars spent.
Finding IT security and compliance talent can be challenging in this economy, so you may find you have to be more creative when identifying and developing talent. Compliance and security technology training certainly has its place, but seeking people with the right "soft skills," such as strong communication, project management and leadership qualities, may enable you to hire what initially might appear to be a less-than-perfect candidate whom you can ultimately mold to fit your organization's needs.
About the author:
Jeff Jenkins is a regulatory compliance, information security and risk management expert. He is currently the director of cybersecurity at Travelport LTD. Prior to his role with Travelport, Jeff served in security executive/leadership roles for a number of private- and public-sector organizations including Cbeyond, Equifax, The First American Corporation, S1, the state of Georgia's Department of Human Resources, and Cobb County Public Schools. Jeff currently holds CISSP, CISA, CISM and CGEIT certifications.