In this short subsection of our interview, Haris stresses the importance of ensuring that internal security knowledge doesn’t degrade over time. He also shares his views on the ‘hardest to fill’ security positions of 2023 and offers up some unique perspectives on how CISOs can manage the impact of candidate scarcity.
What are the top challenges associated with building a high-performing security function?
The challenge I often see that stands in the way of high-performing security functions is the ability to stay outward-looking and ensure that internal skills stay up to date. You can hire the best security professionals out there with field experience, but the problem is that this knowledge can degrade over time because cyber security is evolving at such a rapid pace.
You need to be conscious that when security professionals join your team, they become purely focused on your organization. That means they miss a lot of experience and context they would otherwise gain if they were, say, working for a vendor providing services to multiple organizations. As a result, we are seeing the higher-performing security functions invest more heavily and more consistently in upskilling and reskilling. Security leaders could take a few immediate actions to tackle this challenge. Investing in an upskilling and reskilling platform would be a positive start. You could also consider hosting internal competitions based on fictional scenarios, mimicking an incident to keep your team sharp and aware.
Another obvious challenge for CISOs is the basic fact that there aren’t enough experienced professionals out there to fill internal positions. The current global cyber security shortage stands at 3.4 million. Many organizations are responding to that challenge by reskilling people. They may target talent from similar functions with adjacent skill sets. For example, you could take an IT engineer and fast-track them through cyber security training to allow you to fill tier-one SOC Analyst roles or possibly even Junior Penetration Testing roles. This is a smart move in the current climate if you can’t hire all the cyber security professionals you need.
CISOs should attempt to find a good balance between making experienced hires, where there is candidate availability, and having a plan for those IT engineers who have an appetite to upskill and evolve into cyber security roles.
In your view, what security roles will be hardest to fill this year, and why?
I think it’s important to define what we mean by ‘hardest to fill.’ Are we talking about areas where we have a real acute shortage of candidates? Or the most complex hire you will make for your security function? If you are looking at it from a candidate scarcity perspective, then Penetration Testers will be fairly high on the list of tough positions to recruit for. It’s a difficult role and requires a lot of dedication. It’s a way of living, not just your profession. You don’t finish your job at 5 pm; you continue to think about your work and study more. Those types of individuals are hard to find. It’s also not always seen as an easy discipline to break into. However, this is changing as crowdsourced bug bounty platforms provide an entry point to develop experience and build credibility.
If we move away from the candidate scarcity debate and drill into the importance of making the right hire, then the CISO position really needs to come into the spotlight. It’s arguably the most important hire you will make for a security function, which by default makes it an extremely difficult role to fill. There are more CISO candidates in the market, but they will come in different shapes and sizes, so finding the right fit for your organization is key. Ultimately, you will be ten times more careful hiring a CISO than an individual contributor.
What tips do you have for CISOs to manage the impact of candidate scarcity?
First of all, we have to rethink the way we hire. We should move away from a traditional hiring model that focuses solely on university degrees and specific certifications. I know many very skilled individuals and professionals who don’t have any of the above, but they are very good at what they do. So we really need to look at how we assess candidates in this industry. For example, you could send them through assessment tests, have them do a demo, or have them prove their skills through a practical exercise. I don’t mind how it’s done, but relying solely on a university degree will actually sabotage your hiring efforts because it’s such a scarce candidate environment.
Another obvious coping mechanism we’ve already discussed is building and growing your own security talent. Hire IT Engineers and upskill them through an intensive 3-month training program. Trust me, if you do it right, you’ll get Cyber Security Engineers on the other side. Automation is obviously another option to do more with less, but I feel lots of organizations have already realized as many of the efficiencies as they are going to see in this space.
In this new world of work, there is also an opportunity to broaden the search radius for scarce skill sets. Even before the pandemic, our policy was to hire talent from wherever the talent is. It was less about location and more about candidate quality for us. If you can create a global talent pool, it is better than having a local one. The only thing to consider is that, depending on the location, there may be time zone constraints. This could cause collaboration challenges, for example, so individual CISOs must be mindful of that. But if we’re talking about individual contributors who can deliver their work on their own timeline, it’s excellent. Clearly, there are additional security considerations with remote work, but at the end of the day, you’ll be able to attract top cyber security talent on a global scale by hiring remotely rather than just relying on a local talent pool.
Read the full feature and more in Cyber Security in Focus 2023.