I recently attended a meeting of likeminded Chief Information Security Officers who were discussing the challenges of their role.  Conversation bounced from the need for better reporting metrics to the lack of value in threat intelligence, but one topic seemed to come up continuously – the difficulty in finding qualified security talent.  That makes sense given a recent report by Forbes that described a shortage of over one million cybersecurity experts in the United States.  In Atlanta alone there are 115 cybersecurity companies, all fighting for the same talent, and that does not include the more traditional companies requiring talent for their security departments. This shortage seems to be getting worse as demands on the average information security officer increase daily.  What options exist to mitigate this never-ending problem?

Good security candidates today have expectations about positions and have the leverage to demand that their expectations be met. The right compensation is only the basic ante for access to the talent. For this reason, this post is focused on non-compensation related strategies.  Frankly, without the right compensation and benefits packages, none of the below matters.

Our experience is that modern candidates expect:

  • Personalized technology (e.g. the endpoint of their choice or the latest IDE)
  • The use of latest methodologies (e.g. Agile Software Development)
  • Influence over the technology roadmap, regardless of rank
  • Flexibility to innovate when required (e.g. new approaches are encouraged)
  • The ability to work in collaborative, technically-challenging environments

Many companies that I meet with are working hard to create personnel pipelines but pay no attention to the internal environment that is attractive to top-end talent. Not every company can be like Google or Facebook, but without the right environment they shouldn’t be surprised when it is hard to find talent. Companies might consider including a technology package in the offer letter or job description to entice candidates.

Companies should also not overlook the small benefits when recruiting.  For many candidates I have recently interviewed, all things being equal, access to standing desks, MacBook Pros, and free coffee have been important differentiators between positions.  All too often, I speak with CISOs who believe that the honor alone of working for their company should be enough.  Short of being one of the big names (e.g. Uber, Facebook, Google, Twitter, Netflix, etc), honor alone is tough to sell.  Not to mention, creating the right culture is of paramount importance to those big names.

Where can talent be found?

In my experience, companies are leveraging three general techniques to fill their pipelines: universities, industry technical groups, and internal skill transition.

Local universities present a great option for finding new talent. Many universities will carefully modify their curriculum to meet local company needs and are hungry for outside ideas and funding for capstone projects.  While creating these university pipelines at multiple universities leads to more hires, it is a long bet for primarily junior talent.  Furthermore, simply financially supporting these programs is not enough.  It requires a time commitment from leadership within the company and active involvement in the program, from career fairs, co-operative programs, internships, and capstone projects to active partnership with student organizations. The primary advantage of university-trained talent is access to classically trained engineers and scientists.

I often ask CISOs if a college degree is an important attribute for their company when looking for new employees. Almost universally, unequivocally, I hear no. For many of them, a requirement for a college degree eliminates too many technically qualified candidates. While there is certainly a role for university-trained talent, many positions simply don’t require the classic computer science or engineering background. It is hard to compare an engineer with five years of Red Hat experience to a newly graduated candidate who understands the Linux scheduler but has never managed Linux in a production environment. Local technology meetups and industry groups such as ISACA and ISSA are great places to identify hard-to-find talent. If an engineer is invested in their field enough to join an industry group, there is a good chance they are good at their profession. At Kudelski Security, we actively participate in OpenStack-related meetups to stay abreast of local, qualified talent.

Short of finding qualified talent, many CISOs are looking to transition IT talent. As one CISO told me, “if you can’t find them, make them.” This approach requires the development of information security programs and technologies that do not require years of security experience. For example, I recently met with a company re-purposing Perl developers to build security automation systems – they partnered each development team with a security architect to mitigate any experience gaps.  Another approach is to build a farm system of security talent, or a minor league team.  Through internships and other temporary positions, companies may be able to train talent internally.  The challenge with this approach is that you are paying for talent that is not contributing in the short term.

It is worth noting that employees who like their job are more likely to stay and will also try to attract top-level talent to join them. The security community is not that large, and both good and bad information on employers travels quickly. Six degrees of Kevin Bacon is alive and well within the community – even if the candidate doesn’t know someone who worked at a company, they likely know someone who knows someone who did.

Overall, finding qualified talent is difficult, and outside-the-box thinking is often required. I have seen more progressive companies take serious outside-the-box approaches to finding and re-training existing talent. While somewhat self-serving coming from a Managed Security Service Provider (MSSP), it is important to note that careful outsourcing of capabilities can help reduce the impact of this problem. Outsourcing tasks that a company cannot possibly hope to staff lets it focus on hiring the qualified talent it can find. My experience is that CISOs who first focus on building an environment that is attractive to top talent do not struggle as much with talent shortfalls. Correlation or causation?


Andrew Howard