The greatest virtual threat today is not state-sponsored terrorism; newfangled clandestine malware; or a hacker culture run amok. The most dangerous looming crisis in information security is instead a severe cyber-security labor shortage, expected to reach 1.5 million job openings by 2019.
Academia has unfortunately failed to keep up with industry trends and is not producing enough data cyber-security specialists to handle surging demand. According to one recent study, only a handful of the 50 top university computer science programs in the United States require that students take even one cyber-security course. There exist world-renowned schools and academic programs of law (despite an extraordinary glut of attorneys and 200+ accredited law schools); business (despite the decreasing value of an M.B.A. and almost 400 U.S. business schools); and journalism and politics (as if we need more pundits). Yet there remains a dearth of campuses dedicated to computer science, cyber-security, and data breach response.
The challenges are complex. Cyber-security is an ambiguous and wide-ranging field—involving network engineering, encryption, firewalls, logging tools, analytic tools, forensic tools, and more—the list goes on. Moreover, cyber-security threats are constantly evolving, so that by the time students’ graduate, some lessons are already obsolete. Meanwhile, the nature of the legion of cyber-attackers has similarly progressed, from “black hat” hackers and profiteers to organized cyber-gangs and rogue nation states. The cyber-security response field is a lot like the medical field; building a skillset takes experience as an intern, resident, and attending.
The only solution for companies facing the challenge of cyber-security is to adopt a much more aggressive, thoughtful and meaningful approach to cyber-recruitment, strategically focusing on four discreet and essential missions: identification; hiring; retention; and management.
Phase One: Identification. Identifying talented technologists worthy to join a cyber-security or data breach response team is the first phase of cyber-security staffing and requires fanning out in multiple directions.
For starters, the best source for cyber-security professionals are current employees. Companies should offer hefty financial incentives and encouragement for employees to help identify friends, former colleagues, and others who might make strong candidates.
By executing upon the four phases of identification; hiring; retention; and management, a company can succeed in assembling a strong cyber-security and data breach response team.
Social media is an inexpensive and infinite source of identification, and companies should scour social media sites for candidates. LinkedIn in particular provides a variety of ways to identify candidates, allowing searches for skillsets, geography, and even unhappy employees at competitors.
The next resource is failing competitors. Companies should pore over quarterly and annual filings of competitors, press reports, social media, and elsewhere looking for signs of trouble or unrest. Mergers, acquisitions, and other corporate transactions can also create environments where employees may suddenly consider a change. (It should go without saying not to poach from companies who are clients, partners, vendors, or other cohorts. It is not only borderline unethical—it is also bad business. Along those lines, it also makes sense to consult with counsel to make sure identification methods are consistent with contracts and local statutes concerning labor relations.)
The classroom also creates excellent candidate identification opportunities. Companies should encourage in-house cyber-security staff to teach seminars, professional development conferences, university courses and the like. The classroom can prove to be an excellent place to scout and test potential talent; to build bonds of respect and admiration; and to gain a sense of a candidate’s temperament, commitment, and qualifications.
Ultimately, the phase of identification requires thinking outside of the box. For instance, organizations should look for skilled computer professionals who, despite having no experience in security, could adapt to security positions. Actual IT experience can prove more meaningful than certifications, degrees, or even specific cyber-security experience. A company can “invent” a security professional by identifying someone with strong IT skills—for instance, a computer professional with several years of experience as an application developer or systems administrator—and then cultivate cyber-security expertise with training and mentoring.
Phase Two: Hiring. The first contact with a candidate, sometimes the first contact ever (such as a cold call to a competitor or to a random LinkedIn profile) is critical and requires preparation.
Companies should conduct as much research about candidates before contacting them. There exists a treasure trove of information online about candidates, which can be learned before the first call. For instance, LinkedIn profiles can provide common connections with a candidate, a healthy source of intelligence.
Most importantly, the first contact should come from the C-suite, outside of the HR department. Cyber-security professionals receive so many calls from random recruitment firms and placement agencies—who often lack credibility—and have grown accustomed to ignoring them. In the cyber-security recruitment realm, a call from a senior executive, rather than a headhunter with his or her own agenda, is far more meaningful and effectual.
As for the interview process, every company has their own style for interviewing candidates. What is unique to cyber-security is the technical and bourgeoning aspect of the credential, so every interview process should include plenty of interaction with cyber-security colleagues. Companies should also provide candidates with transparent and candid guidance on expectations, promotions, and meaningful interaction with senior management. In fact, if possible, a CEO or COO should become the main recruiter, especially during the sometimes-awkward time period between when a company has extended an offer but before a candidate has accepted.
Phase Three: Retention. Talent acquisition does not end once the hiring process ends; it is actually just beginning. What good is a phenomenal hire if he or she opts to leave after a year or two? Too often companies are shortsighted and do not view talent acquisition as an enduring obligation that lingers beyond a first paycheck.
Given their scarcity, all cyber-security professionals will receive daily solicitations promising future compensation and benefits that can tempt even the most loyal employee. Thus, a uniquely calculated and executed rigorous HR and talent management program remains crucial in order to combat the many competing companies that will try to lure away cyber-security employees.
For cyber-security employees, there are no general notions about their wants and aspirations, except that motivations can vary dramatically. Critical factors include compensation, location, working from home, being part of a cutting-edge environment, autonomy, and the list goes on. Managers can never know for certain what carrots can entice a cyber-security employee to remain on the job—unless they ask. The key to retaining cyber-security employees is to explore and understand their goals and aspirations—and devote time and resources towards meeting them.
Phase Four: Management. The goal for every employee should be a lifetime of company service, especially for cyber-security employees, where training can take years.
Cyber-security managers in particular should take an active role in HR programs designed to cultivate top talent and foster employee growth. This means conducting frequent reviews, offering steady and dependable coaching, and engaging in constant dialogues with employees about their professional development.
Winning HR programs learn from their employees by using both: (1) annual employee surveys that ask the right questions and dig deep into a company’s infrastructure to uncover problems of personnel or mission; and (2) independent exit interviews that flesh out any lessons learned from departures. The art and the benefit of the exit interview is lost on so many companies today—too often because departing employees are dismissed as resentful and unreliable. In the case of a resigning cyber-security employee, a proper exit interview can reveal critical management weaknesses.
Loyalty to cyber-security employees is sacrosanct—and that means remembering to offer support during tough times, even if it is just stopping by to talk, sending a note, or arranging for the delivery of a meal. The silence of an unconcerned and blasé management can become deafening not only for employees struggling with a personal hardship, but also for their observant colleagues
Above all else, focusing on the professional development of cyber-security employees means making recognition a priority, and making a job richly rewarding both financially and personally. Good managing means being effusive—offering frequent compliments does not dilute their impact. The best managers communicate with their staff frequently and proactively, while the worst consider employee contact a burden and afterthought.
One last note on promotions: When not handled properly, a cyber-security promotion creates a half-dozen malcontents and one ingrate. Senior executives must constantly re-evaluate how a company is promoting its key people and must spend extra time with “passed over” employees they wish to retain, taking steps to cultivate their professional development and explain the process that led to their rebuff.
Conclusion. By executing upon the four phases of identification; hiring; retention; and management, a company can succeed in assembling a strong cyber-security and data breach response team. The cyber-labor shortage means that when it comes to cyber-security experts, a special set of employment practices apply. Bend the rules for them (though not the ethical ones, of course). Bypass the bureaucracy for them. Make exceptions for them. Like modern-day fighter pilots, cyber-security professionals are not merely a company’s elite corps of talented professionals with special skills, the company also cannot win the (cyber-) war without them.