
Cloud

12/4/2017 10:20 AM

Tips for Writing Better Infosec Job Descriptions

Security leaders frustrated with their talent search may be searching for the wrong skills and qualifications.

INSECURITY CONFERENCE 2017 - Washington, DC - Advanced security tools can't reach their full potential without qualified employees to operate them, said Dawn-Marie Hutchinson, executive director at Optiv, at Dark Reading's INsecurity conference here last week.

In her presentation entitled "Finding and Hiring the Best IT Security People," Hutchinson described her own challenges in finding the right talent. As the former CISO of Urban Outfitters, her challenge wasn't in securing the budget for security tools, but finding people to run them.

Some businesses have both tools and talent but struggle when the two don't align, she explained. You might be well-staffed with employees who lack the skills to be useful. To find the right employees, Hutchinson suggested reevaluating job requirements and approaching the hiring process the way you would build a security program.

The key is becoming more involved in the hiring process and being more specific when looking for candidates. Security leaders looking for talent often tell their human resources department they're seeking candidates with certain skill sets. HR then compiles a job description cobbled from descriptions they find online, which may include certifications or number of years of experience.

As a result, many companies use similar job descriptions for open positions, and applicants tailor their resumes to suit them. Many talented people who could be successful are weeded out because they lack specific credentials and experience they may not necessarily need for a specific role.

"When you go looking for people, be mindful," said Hutchinson. "The number of years isn't as good as the quality of years and most recent experience … let's not [cross off] candidates because they don't have experience in systems that don't exist anymore."

Compliance requirements also block potential candidates. Many qualifications added for compliance, such as familiarity with HIPAA, are things a smart individual could figure out and learn. However, because HIPAA isn't on their resume, they don't make it to the interview. Similarly, certifications like the CISSP are "easy hits" that make it easy to narrow down the candidate pool but could prevent security teams from gaining valuable talent.

"We need to find people where they are and develop them into what we need them to be," she noted.

Think about what you want your employees to do, and how you want them to operate, and build your staffing strategy around it. "What's your desired outcome?" Hutchinson asked. Shaping a job description based on outcomes will result in a completely different posting.

So where do you look for job candidates? Hutchinson recommended networking with peer groups and looking to your internal tech staff to find talent. Former military members are also potential candidates; check with veterans organizations or the Wounded Warrior project to find people looking for work.

It's also worth your while to hunt for candidates in new, unexplored pools. Business school graduates could be particularly valuable at a time when security pros need to explain risks and technology issues with board members. Security teams need people who can speak to the business, write, and communicate well.

But hiring is just one piece of the equation. Retention of loyal employees is another.

"What we really need to do is start figuring out how to keep them," said Hutchinson. Most people who leave are swayed by higher salaries. Fair compensation is an obvious must-have; if you don't pay your employees fairly, you will lose them. No perk will change their mind.

That said, it takes more than money to keep talent. You need to understand what motivates your employees. Many people swap jobs because they want more challenging or exciting work. They also highly value mobility and work flexibility, which was the most preferred employee benefit from 2014 to 2016, she pointed out.

"Make them excited about being at work, excited about being in security," she emphasized. "It will make them loyal to you … give them something they can get behind."

If you can't retain talent, it will ultimately cost your business. Not only will you have to invest time and resources into vetting new candidates, you'll have to show them the ropes. It costs about nine months of someone's salary to get them onboarded, Hutchinson said.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ...

PJS880, User Rank: Ninja, 12/5/2017 | 10:18:49 AM
Risk
To me this is a risk. One of the first places I hit when doing reconnaissance work is the help wanted ads and LinkedIn profiles of targets, looking for system information as well as software information that the business utilizes. Having too much information about your systems open to the public makes you more vulnerable. You have the opportunity to evaluate the potential employee during the interview without putting systems at risk.