ISACA Now Blog


The Demand for Talent: Hidden Risks to Security Professionals

Jeff Combs, Vice President of Talent Management, ISE Talent
Posted at 3:27 PM by ISACA News | Category: Security

During the 16 years that I have been recruiting for information security, IT audit and technology risk professionals, I have had the privilege of interviewing hundreds of companies and thousands of practitioners. This has given me a rare perspective on their motivations, successes, failures and the evolution of our industry from a career development standpoint. As a close observer of the industry’s ebbs and flows, I understand the security talent market and how it impacts both clients and candidates.

Not a day goes by when I am not either reading about or asked about the current challenges around security talent supply and demand. Questions primarily focus on "How do we solve it?", "How do we get more people into the field?" and "How can companies be more effective in their recruiting?"

These are all valid questions, and they certainly reinforce the perception that security pros have unlimited options. However, they do not acknowledge the risks and downsides associated with increased talent demand.

High demand comes with a few downsides. While we are aware of the talent shortage for security professionals, there is another side to the story that is not being addressed. As new companies strive to build security programs, their lack of experience can create career pitfalls for practitioners.

Every week I talk to at least one security professional who feels they were bait-and-switched. By this I mean they took a job that on the surface looked like a great opportunity, only to find they lacked real authority or had been set up to fail.

In many cases, the company may have had good intentions but lacked the critical components for a successful security program, such as executive sponsorship, clear objectives, long-term vision, a commitment to change, budgetary support, and headcount. In other cases they had no intention of actually building a sustainable program. Some simply needed a stopgap measure to meet an audit requirement. Some reacted to the media and customer fears by doing some window dressing. Others were so broken that they acted out of desperation.

This means that it is more important than ever for security professionals to be objective when making a career move. As paranoid and skeptical as security professionals are reputed to be, most are optimists at heart with a strong idealistic streak, two qualities required to do such a difficult and sometimes thankless job. So as hard as it may be, security professionals need to contain their enthusiasm when interviewing for that dream job and look at the position realistically.

Often, challenges are directly related to a company's lack of understanding around security roles, qualifications, and compensation. This is exacerbated by broken or inefficient recruiting practices, something I learned as an internal talent acquisition team member for a Fortune 50 technology company.

An overwhelming majority of organizations do not appreciate the competitive nature of the security job market, and even if they do, internal processes hold them back. Most internal recruiters are generalists who rarely have the knowledge to accurately assess skills or fit. And just as often, corporate compensation guidelines are behind the market. This can lead to an inability to land talent, or at best, delay the offer process while exceptions are granted.

Now that you are aware of some of the pitfalls, the question is "What do I do about it?" The short answer is that security professionals need to take a hard look at the opportunities they are considering. That means assessing the overall opportunity with the same rigor used to identify critical security threats. It starts with asking the right questions, interpreting the answers and managing expectations.

In my next blog post I will outline strategies on how to ask the right questions, better assess opportunities and recognize the red flags that could spell disaster.

Comments

An Excellent Post

This article was really accurate and insightful. I look forward to the follow-up.
Raef at 3/12/2016 3:05 AM

Appropriate

Must-read article. Eager to read the next blog-post. Thanks for sharing.
Purna Pragna at 3/12/2016 7:43 PM

Excellent insights

Unfortunately, information security is still considered as BRAKES inside a car (to stop the car when required) in many organizations (to my limited knowledge). Those organizations that are mature enough to understand that the same BRAKES will also give the driver confidence to accelerate the car (business) faster approach it in a more disciplined and strategic manner in all directions. Thank you for sharing the useful insights. Looking forward to reading your next blog.
Venkata Gadde at 3/14/2016 4:34 AM
Excellent article

Thanks for sharing.
Enriketa Jolldashi at 3/15/2016 5:27 AM

Re: The Demand for Talent: Hidden Risks to Security Professionals

Great Article. Waiting for the next blog post
mugart at 3/15/2016 7:16 AM

Just a perfect Read for an Evening Take Home

Kudos for these insightful truths. Look forward to the follow-up.
ELVIS505 at 3/15/2016 2:52 PM
Spot On

Bait and switch was exactly the right term. I have to work in a matrix organization, where I have no explicit authority to get the things done that need doing. It's frustrating beyond belief, and I have no one but myself to blame for accepting the position. Lots of expectations and demands, but more often, no effective tools to make people want to take action with me.

The problem, and it is one that I take personally, is that my employer deserves the efforts expended to improve their overall enterprise security posture, but pressures from the business cause my fellow IT colleagues to disregard the security component/aspect time and time again, in favor of weak workarounds.
Edwin at 3/17/2016 12:36 PM

Great article

Must-read article. Can't wait to read the next blog post.
Marc Francois653 at 3/21/2016 3:50 AM

Great article

Must-read article. Can't wait to read the next blog post.
Marc Francois653 at 3/21/2016 3:51 AM

Excellent post

"A job that on the surface looked like a great opportunity, only to find they lacked real authority"
Unfortunately this seems to be the case for many IS practitioners, probably the fear to decline a job offer in the fierce job market and be tagged as a complicated person.
Mourad840 at 3/31/2016 8:45 AM