Cybersecurity Expertise In Demand
Last week, I participated in the Advanced Cyber Security Center's annual conference.
Here are a couple of the highlights:
- Former Presidential Advisor, State Department Under-Secretary for Counter-Terrorism, and best-selling author, Richard Clarke, provided insights into building for long-term success in the business of cybersecurity.
- Richard observed that there are continuing education requirements for professionals in other fields but none so far in cybersecurity.
- He also observed that successful firms now spend about 10% of their IT budget on security while 3% was typical in the 1990s.
- Finally, he observed that with 200,000+ unfilled jobs in the U.S., the cybersecurity function is understaffed.
- A subsequent panel discussed key priorities for 2018. The panel identified that there is a continuing and growing need for cybersecurity professionals at all levels: system architecture; security and IT; and compliance.
So, if your organization has open positions and is finding them hard to fill, what can HR and Recruitment do?
It starts with recognizing the challenge and then making changes to improve your results.
I think the first thing people can do to reduce cyber security risk in any organization is to become a "human firewall" themselves. Learn how to avoid phishing (clicking on a malicious link that then downloads malware onto your computer). This is especially important in HR and Recruitment since applicants send attachments all the time.
After that, one must really consider the qualification requirements for the open positions.
- System architecture professionals will need the highest level of qualification - many will have a computer science degree and top ones will have a Master's with a concentration in security. After a successful background check, HR should consider hiring people with a B.S. and then using graduate education in cyber security as a retention tool. It can take 3+ years to earn a Master's and, since the hackers are getting better, your organization is well served by having lifelong learners in these positions.
- Information Technology (IT) departments typically have a subset of people assigned to security. Since these people have higher-level computer network access privileges, they are another target for hackers. Consequently, HR should consider more extensive background checks for IT professionals, especially the ones assigned to security. HR should also provide some sort of continuing education program aimed at improving security skills.
- To assure capable candidates, IT organizations often ask HR and Recruitment to hire people with certifications like Computer Information Systems Security Professional (CISSP). The challenge with this type of qualification requirement is that it can make the position very hard to fill. For example, 4 to 5 years of professional experience is a pre-requisite to taking an exam to earn a CISSP certification. HR might work with IT to see if some of the hires can instead be people who are working toward earning a certification. For existing IT employees, HR might propose a retention stipend for people who earn the desired certifications.
- Cyber security compliance positions are also growing. More and more industries are subject to regulatory oversight and enforcement (e.g. Financial Services and Critical Infrastructure like the Power Grid). Organizations respond by hiring compliance professionals - a type of in-house auditor. Here again, background checks might protect an organization from an insider threat and a continuing training program could help maintain skills while improving retention.
Finally, I recommend partnering with a STEM University. My University created a graduate Cyber Security Program in answer to a direct request from the Power Industry. We have also provided customized continuing training courses to quickly build expertise. I know other universities are doing similar work but there are still those 200,000+ open positions!
Quick Quiz . . .
Q: What can be done to help fill open cyber security positions and reduce your organization's cyber security risk?
A: All of the above!